Before you configure Ivanti Tunnel for Android native (Ivanti EPMM and Ivanti Neurons for MDM)

Before you configure Ivanti Tunnel for Android native, ensure that you have met the requirements and have read the recommendations and limitations listed in this section.

Required components for Ivanti Tunnel for Android native

The following components are required for Ivanti Tunnel deployment on Android native devices:

  • Standalone Sentry with AppTunnel enabled or Access.
  • Unified Endpoint Management (UEM) platform: Ivanti EPMM or Ivanti Neurons for MDM.
  • Client for Android:
    • Ivanti EPMM: Mobile@Work
    • Ivanti Neurons for MDM: Go

For supported versions see the Ivanti Tunnel for Android Release Notes for this release.

Requirements for Ivanti Tunnel for Android native

The following are requirements for deploying Ivanti Tunnel for Android native:

  • If your deployment uses Standalone Sentry:
    • You must have installed Standalone Sentry. See the Standalone Sentry Installation Guide.
    • To allow Android 7 devices to use Ivanti Tunnel, Standalone Sentry must use a publicly trusted CA certificate.
    • Standalone Sentry must be set up for AppTunnel using identity certificates for device authentication.
    • For information about setting up a Standalone Sentry for AppTunnel, see
      Sentry Guide for Ivanti EPMM
      and Sentry Guide for Ivanti Neurons for MDM.
  • If your deployment uses Access, ensure that Access is set up.
    See the Access Guide for information on how to set up Access.
  • Ensure that the appropriate ports are open.
    See the Ivanti Tunnel for Android Release Notes

Recommendations for Tunnel for Android native

The following are recommendations for deploying Ivanti Tunnel for Android native:

  • Ivanti recommends that Standalone Sentry use a publicly trusted CA certificate. Android version 7 through the latest versions as supported by Ivanti does not accept self-signed certificates.
  • If access to the ActiveSync server is going through Standalone Sentry, configure Tunnel so that email clients are excluded from being routed through Tunnel.

Limitations for Ivanti Tunnel for Android native

The following are limitations of Ivanti Tunnel for Android native:

  • Front-end load balancer to Standalone Sentry is expected to work but has not been tested.
  • Performance depends on the apps using Standalone Sentry. As a best practice, monitor Standalone Sentry usage and add more Standalone Sentry servers a
  • Server authentication through Standalone Sentry with Kerberos is not supported.
  • Standalone Sentry supports only limited types of UDP traffic,such as DNS traffic. Audio and video traffic through Standalone Sentry is not supported. Therefore, Ivanti recommends configuring SplitUDPPortList to manage UDP traffic.