App traffic allowed through Ivanti Tunnel VPN (Android native and Android Enterprise)
When a Tunnel VPN session is created, the Ivanti Tunnel configuration is provided to the Android operating system. The Ivanti Tunnel configuration includes information such as allowed and disallowed apps, routes, and domain name servers. Android enforces access to Ivanti Tunnel, based on the provided configuration. The apps that use Ivanti Tunnel is determined by the allowed and disallowed configuration. You configure either an allowed list or a disallowed list.
- Allowed: Only the apps that are on the allowed list (whitelist) have access to Ivanti Tunnel. Traffic from all other apps is not allowed to go through Ivanti Tunnel and goes through the device network.
- Disallowed: All apps have access to Ivanti Tunnel, except the ones on the disallowed list (blacklist). Traffic from the disallowed list goes through the device network.
Ensure that you have configured either an allowed app list or a disallowed appllowed list is not configured, Ivanti recommends adding at least the following to a disallowed list to avoid OS traffic going through Ivanti Tunnel VPN:
[email protected] if your UEM is Ivanti EPMM (com.mobileiron)
MobileIron Go if your UEM is Ivanti Neurons for MDM (com.mobileiron.anyware.android)
Android play store (com.android.vending)
Google Play Service (com.google.android.gms)
Carrier Service (com.google.android.ims)
(For Samsung devices) Samsung Experience Service (com.samsung.android.mobileservice)"
In addition, the following also determine how an app uses Ivanti Tunnel:
- Tunnel routes and Ivanti Tunnel for Android
- DNS servers and Ivanti Tunnel for Android
- Always-on Tunnel VPN and Ivanti Tunnel for Android
- Connection recovery for Ivanti Tunnel for Android
During the creation of the VPN session, configured routes are set to the TUN interface. If the administrator did not configure any routes in Ivanti Tunnel configuration, Tunnel uses 0.0.0.0/0. The configured routes are used in the following ways:
- Only traffic from apps that can use Ivanti Tunnel goes through the configured routes.
- You cannot configure a different set of routes for different allowed apps.
- Traffic from non Android Enterprise apps or to disallowed Android Enterprise apps does not go through the routes configured for Ivanti Tunnel.
DNS requests coming from allowed apps are resolved by the domain name servers (DNS) configured for the VPN during the VPN creation session. These servers are different from the DNS for the original Wi-Fi or cellular connection.
In addition, the Ivanti Tunnel SplitDomain feature allows you to use two different domain name servers to resolve DNS requests, based on the requested domain. The two domain name servers typically are the DNS configured for the device network and the DNS configured for VPN.
On Android 5 and 6 devices, always-on is an Ivanti implementation. The feature is enabled by default. You can configure by using the key appRunningCheckIntervalSec, which configures the check interval.
On Android Enterprise devices running Android N (7.0) and through the most recently released version as supported by Ivanti, Google provides the always-on feature. You can configure the Google implementation of always-on VPN in the Android Enterprise (Android for Work) configuration in Ivanti EPMM and in the Always-on configuration in Ivanti Neurons for MDM.
If a connection fails, Ivanti Tunnel tries to reconnect periodically, by default. Ivanti Tunnel makes three quick attempts at one-second intervals, and then at one-minute intervals. Ivanti Tunnel attempts to reconnect when there is a network status change or there is a configuration change. Ivanti Tunnel will also attempt to reconnect if Standalone Sentry times out due to TCP idle time. If Ivanti Tunnel is idling, Standalone Sentry closes the TCP connection. In this case, Ivanti Tunnel will attempt to reconnect. The recommended idle timeout is one hour.
You can configure connection recovery using the following keys: quickRetryMaxAttempts, quickRetryIntervalSec, slowRetryIntervalSec.