Before you configure Ivanti Tunnel for Android Enterprise (Ivanti EPMM and Ivanti Neurons for MDM)

Before you configure Ivanti Tunnel, ensure that you have met the requirements and have read the recommendations and limitations listed in this section.

Required components for deploying Ivanti Tunnel for Android Enterprise

The following components are required for Ivanti Tunnel deployment on Android Enterprise devices:

  • Standalone Sentry with AppTunnel enabled or Access
  • UEM with the following:
    • UEM enabled for Android Enterprise
    • Users have Android Enterprise-capable device.
      UEM is Ivanti EPMM or Ivanti Neurons for MDM.
  • Client for Android Enterprise:
    • Ivanti EPMM: Mobile@Work
    • Ivanti Neurons for MDM: Go

Tunnel for Android Enterprise and Mobile@Work for Android are available from the Google Play store.

For supported versions see the Ivanti Tunnel for Android Release Notes for this release.

Requirements for deploying Ivanti Tunnel for Android Enterprise

The following are required for deploying Ivanti Tunnel for Android Enterprise:

  • Your Ivanti Neurons for MDM must be set up for Android Enterprise. For more information, see:
    • Ivanti EPMM: Ivanti EPMM Device Management Guide for Android and Android Enterprise.
    • Ivanti Neurons for MDM: Getting Started with Android for Work.
  • If your deployment uses Standalone Sentry:
    • You must have installed Standalone Sentry. See the Standalone Sentry Installation Guide.
    • Standalone Sentry must be set up for AppTunnel using Identity certificates for device authentication.

      For information about setting up a Standalone Sentry for AppTunnel, see:
      Standalone Sentry Guide for Ivanti EPMM and Standalone Sentry Guide for Ivanti Neurons for MDM.

  • If your deployment uses Access, ensure Access is set up.
    See the Access Guide for information on how to set up Access.
  • Ensure that the appropriate ports are open.
    See the Ivanti Tunnel for Android Release Notes.

Recommendations for deploying Ivanti Tunnel for Android Enterprise

The following are recommendations for deploying Ivanti Tunnel for Android Enterprise:

  • Ivanti recommends that Standalone Sentry use a publicly trusted CA certificate. Android version 7 through the latest versions as supported by Ivanti does not accept self-signed certificates.
  • If your deployment includes Android 5 and 6 devices, and if Standalone Sentry uses a self-signed certificate, see Using a Self-signed certificate with Standalone Sentry and Tunnel knowledge base article in the Support and Knowledge Base portal. The configuration sections describe the use of Ivanti EPMM UI. However for Ivanti Neurons for MDM as well, create a certificate setting and upload the Sentry server certificate to Ivanti Neurons for MDMand distribute the certificate setting to devices.
  • If access to the ActiveSync server is going through Standalone Sentry, configure Ivanti Tunnel so that email clients are excluded from being routed through Tunnel.

Limitations for Ivanti Tunnel for Android Enterprise

The following are limitations of Ivanti Tunnel for Android Enterprise:

  • Deployments that use a trusted front-end such as Apache/F5 to terminate SSL or the use of backend proxy from Standalone Sentry to upstream applications are not supported. (Cloud only)
  • Front-end load balancer to Standalone Sentry is expected to work but has not been tested.
  • Performance depends on the apps using Standalone Sentry. As a best practice, monitor Standalone Sentry usage and add more Standalone Sentry servers as needed for horizontal scaling.
  • Real-time audio/video apps may not work. UDP functionality and scale will vary depending on the app. Performance of real-time audio and video apps has not been tested.
  • Server authentication through Standalone Sentry with Kerberos is not supported.

Shared-kiosk mode

Ivanti Tunnel for Android supports shared-kiosk mode. Before you deploy Ivanti Tunnel, ensure that shared-kiosk mode is set up and deployed. After the UEM is set up for shared-kiosk mode, follow the configuration tasks for setting up Ivanti Tunnel for Android Enterprise.

For a better user experience, Ivanti recommends updating the UEM client version to Go 72 for Android or Mobile@Work 10.8.0.0 for Android through the most recently released version as supported by Ivanti.

To set up shared-kiosk mode:

  • For Ivanti EPMM, see "Android shared-Kiosk mode overview" in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.
  • For Ivanti Neurons for MDM, see "Setting up Kiosk Mode for Android" in the Ivanti Neurons for MDM Guide.