Configuration tasks overview for Android Enterprise (Ivanti EPMM)

The following configuration tasks are required to set up app VPN with Ivanti Tunnel. These configuration tasks are performed in the Ivanti EPMM Admin Portal:

  1. Adding and configuring the Ivanti Tunnel for Android Enterprise (Ivanti EPMM)
  2. Creating an Always-On VPN configuration (Ivanti EPMM, optional)

Adding and configuring the Ivanti Tunnel for Android Enterprise (Ivanti EPMM)

Add the Ivanti Tunnel app to Ivanti EPMM from Google Play and configure it as follows to make it available to Android Enterprise devices.

Before you begin 

  • If you are configuring app VPN, you must have created an IP_ANY AppTunnel service in Standalone Sentry. For information on setting up an IP_ANYTunnel service see “Working with Standalone Sentry for AppTunnel” in the Standalone Sentry Guide for Ivanti EPMM.
  • If you are configuring Tunnel to support anti-phishing with MTD, you must have an MTD setup enabled for anti-phishing. See Support for anti-phishing with Mobile Threat Defense


  1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.

  2. Click Add+.

  3. Click Google Play.

  4. Enter Tunnel for Application Name, and click Search.

  5. Select the line for Tunnel app.

  6. Click Next.

  7. Select “5.0” for Min. OS Version.

  8. Click Next.

  9. Select Install this app for enterprise.
    Additional fields are exposed.

  10. Select Silently Install.

  11. Select Enable Access only if you have an Access as a service deployment.
    Selecting this option enables authentication traffic through Access. The option is available only if Access as a service is set up with Ivanti EPMM.

  12. Scroll down to Configuration Choices.

  13. Do one of the following:

    • Select Use Tunnel for Anti-phishing only, to enable Tunnel VPN to analyze phishing URLs.

      Do not select this option if you have any restrictions configured. Selecting the option removes any configured restrictions and hides the Default Configuration for Tunnel section. To configure anti-phishing when you have an existing Tunnel deployment, add a new Tunnel configuration and select the option.


    • Expand Default Configuration for Tunnel to configure the restrictions for the app.

    Select either Use Tunnel for Anti-phishing only or configure the restrictions under Default Configuration for Tunnel. To deploy Tunnel for MTD and for Sentry or Access, create two separate configurations.

  14. Click Finish.

Next steps 

Go to Creating an Always-On VPN configuration (Ivanti EPMM, optional).

Adding multiple Ivanti Tunnel configurations

You can create multiple Ivanti Tunnel configurations and assign the configuration to a label. One reason you may need to create multiple Tunnel configurations is when you configure Tunnel to support anti-phishing with an MTD deployment as well as for deployment with Sentry or Access.

When you add Ivanti Tunnel for Android Enterprise to the App Catalog, a default Tunnel configuration for MTD is automatically available. The Ivanti Tunnel MTD configuration is pushed to devices when you select Use Tunnel for Anti-phishing only. However, selecting the option removes all other restrictions. Therefore, to also configure Ivanti Tunnel for Sentry or Access add a separate Tunnel configuration.

If you have an existing Ivanti Tunnel configuration to use with Sentry or Access, add a new Tunnel configuration for anti-phishing and vice versa.


  1. On Cloud, go to Apps > App Catalog.

  2. Highlight and click the Ivanti Tunnel app for Android Enterprise.

  3. On the App Configurations tab, for Managed Configuration for Android click + to add a new configuration.

  4. Select Use Tunnel for Anti-phishing only or configure restrictions in Managed Configurations.

  5. Select a distribution for the new configuration.

  6. Click Save.

Creating an Always-On VPN configuration (Ivanti EPMM, optional)

The Ivanti Tunnel app can be configured for Always-On VPN status for devices using Android 7 through the most recently released version as supported by Ivanti EPMM 9.3.

With Always-On VPN, the VPN connection is always on. Any app in the Android Enterprise container can go through the tunnel.

If a connection fails, Tunnel tries to reconnect periodically. Tunnel makes three quick attempts at one-second intervals, and then at one-minute intervals.

Ivanti Tunnel attempts to reconnect when there is a network status change or there is a configuration change. Tunnel will also attempt to reconnect if Standalone Sentry times out due to TCP idle time. If Tunnel is idling, Standalone Sentry closes the TCP connection. In this case, Tunnel will attempt to reconnect. The recommended idle timeout is one hour.


  1. Go to Policies & Configs > Configurations and click the Add New pull down menu.
  2. Select Android > Android Enterprise to display the New Andrew enterprise Setting screen.
  3. Select the Always-On VPN check box to display the App Identifier pull down menu.
    The pulldown menu lists only apps that are configured to be installed as Android Enterprise apps.
  4. Select a VPN app to apply the Always-On setting. Click Save.

In Device Details, the Android Enterprise setting displays as Partially Applied with an error message if the selected app is not installed on the device, the app is not a VPN app, or the VPN app does not support Always-on.