Configuration overview for Ivanti Tunnel for the Samsung Knox container (Ivanti EPMM)

Configuration for Ivanti Tunnel VPN is done in the Ivanti EPMM Admin Portal. Do the following to setup Ivanti Tunnel in the Samsung Knox container:

  1. Configuring an IP_ANY AppTunnel service on a Standalone Sentry.
  2. Creating Ivanti Tunnel VPN configuration for Samsung Knox Workspace (Ivanti EPMM).
  3. Distributing Ivanti Tunnel through Apps@Work.
  4. Configuring app VPN in the Samsung Knox container.

The VPN configuration for Ivanti Tunnel is done in two separate configurations in the Ivanti EPMM Admin Portal: the VPN configuration for Tunnel (Samsung Knox Workspace) and the Samsung KNOX Container configuration. The Ivanti Tunnel for Samsung Knox workspace VPN configuration sets the DNS and app behavior. The Samsung Knox container configuration determines whether the VPN configuration is applied per-app individually or to all apps in the container (per-container).

The VPN configuration also determines whether the connection is always-on or on-demand. With always-on VPN, Ivanti Tunnel is started when the Samsung Knox Workspace starts, and the connection stays on. Traffic from an app in the Knox Workspace can go through the Ivanti Tunnel VPN. With on-demand VPN, a Tunnel VPN connection is started when an app that uses Tunnel is launched, and the connection stays on till the last app that can use the Tunnel VPN is killed.

Ivanti Tunnel must be available in the Samsung Knox Workspace. Sometimes an app can be available in the Knox container as well as outside the container. Only the app in the Knox container can use Tunnel.

The following table describes Tunnel behavior depending on the combination of whether VPN is on-demand or always-on and if the VPN configuration is applied per-app or per-container.

Table 5.   Tunnel behavior

 

On-demand

Always-on

Per-container

Not a valid configuration for Samsung Knox.

This combination is configurable in Ivanti EPMM, however  Tunnel will not work. See Error messages for a per-container and on-demand Tunnel VPN setup.

Tunnel starts when the Samsung Knox Workspace container starts.

All apps in the container can use Tunnel VPN.

Per-app

Tunnel starts when an app that can use Tunnel is launched.

Tunnel stops when there are no apps running that can use Tunnel VPN.

The per-app list, which is the list of apps that can use Tunnel VPN, is set in the Knox container configuration.

Tunnel starts when the Samsung Knox Workspace container starts.

Only traffic from apps that are configured to use Tunnel are allowed through Tunnel.

Error messages for a per-container and on-demand Tunnel VPN setup

A per-container and on-demand combination VPN configuration is not supported. However, you can configure per-container and on-demand VPN in the Ivanti EPMM Admin Portal. After the device syncs with Ivanti EPMM, error messages are seen in Mobile@Work on the device and in the device profile in the Admin Portal.

Mobile@Work displays the error as seen in the following figure.

Figure 1. Device configuration status error

In the Admin Portal, in Devices & Users > Devices, the Configurations tab for a device displays a link to View Error for the Samsung Knox container configuration.

Figure 2. View configuration error in the Admin Portal