Before you configure Ivanti Tunnel for Samsung Knox

Before you configure Tunnel, ensure that you have met the requirements and have read the recommendations and limitations listed in this section.

Required components for Ivanti Tunnel for Samsung Knox

The following components are required for deploying Ivanti Tunnel for Samsung Knox:

  • Standalone Sentry with AppTunnel enabled.
  • Ivanti EPMM with the following:
    • Enabled for Samsung Knox. Ensure that the Samsung general policy is configured with the license for Samsung Knox.
    • Users have Samsung Knox-capable device.
  • Ivanti Tunnel for Android.
  • Android client: [email protected]

Ivanti Tunnel and [email protected] for Android are available from the Google Play store.

For supported versions see the Ivanti Tunnel for Android Release Notes for this release.

Requirements for Ivanti Tunnel for Samsung Knox

The following are required for deploying Ivanti Tunnel for Samsung Knox:

  • Set up Ivanti EPMM for Samsung Knox. For more information, see the “Samsung Knox support” section in the Ivanti EPMM Device Management Guide for Android.
  • Install Standalone Sentry. See the Standalone Sentry Installation Guide.
  • Set up Standalone Sentry for AppTunnel using identity certificates for device authentication.
    For information about setting up a Standalone Sentry for AppTunnel, see the “Working with Standalone Sentry for AppTunnel” section in the Sentry Guide for Ivanti EPMM.
  • Add the apps that will use the Ivanti Tunnel VPN to the app catalog on Ivanti EPMM and to the Samsung Knox container.
    For information about adding apps to the Ivanti EPMM app catalog see the “Adding Google Play apps for Android” and “Apps on Samsung Knox devices” sections in the Ivanti EPMM [email protected] Guide.

Recommendations for Ivanti Tunnel for Samsung Knox

Android 7 devices do not accept self-signed certificates. Therefore, Ivanti recommends that Standalone Sentry use a publicly trusted CA certificate.

Limitations for Ivanti Tunnel for Samsung Knox

The following are limitations of Ivanti Tunnel for Samsung Knox:

  • Front-end load balancer to Standalone Sentry is expected to work but has not been tested.
  • Performance depends on the applications using Standalone Sentry. As a best practice, monitor Standalone Sentry usage and deploy additional Sentry servers as needed for horizontal scaling.
  • The Certificate Enrollment created for Standalone Sentry setup for AppTunnel must use RSA key length 2048 due to a Knox limitation.
  • Routes configured in the Knox VPN configuration in Ivanti EPMM are ignored by Samsung Knox Workspace. Route lists are not supported in the Knox Workspace. All traffic from an app that uses Ivanti Tunnel VPN goes over Tunnel.
  • Server authentication through Standalone Sentry with Kerberos is not supported.
  • Standalone Sentry supports only limited types of UDP traffic,such as DNS traffic. Audio and video traffic through Standalone Sentry is not supported. Therefore, Ivanti recommends configuring SplitUDPPortList to manage UDP traffic.