Controlling VPN traffic
Ivanti Tunnel VPN on Android native and Android Enterprise devices is always on. App traffic is allowed or disallowed based on the allowed (whitelist) or disallowed (blacklist) list, and the routes the administrator sets up in the Ivanti Tunnel VPN configuration.
The following table compares the behavior of Ivanti Tunnel for Android with that of Ivanti Tunnel for iOS.
| Function | Behavior on Android | Behavior on iOS |
| --- | --- | --- |
| Activating Ivanti Tunnel | When Ivanti Tunnel is first launched on Android native devices, device users must accept the Ivanti Tunnel VPN connection and allow access to the Tunnel certificate. This is not applicable to Android Enterprise and Samsung KNOX devices. | If the Ivanti Tunnel VPN profile is installed on your device, the Ivanti Tunnel VPN connection is automatically turned on when you tap a supported managed app and the app attempts to connect to a backend resource. In rare cases, if the VPN connection is not turned on, you can manually turn on VPN in the Ivanti Tunnel app. Your IT administrator will tell you if you need to turn on VPN in the Tunnel app. |
| Automatic Tunnel triggering | By default, Ivanti Tunnel VPN is always on for Android native and Android Enterprise. User action is not required after the initial activation. If the user disables Tunnel, Tunnel is not triggered automatically. Users must re-enable Tunnel. In the Knox container, on-demand VPN is triggered by managed apps. | Managed apps or Safari domains can automatically trigger a Tunnel VPN session. |
| Allowing app traffic | Admin must create an allowed list or create an exclusion list to allow or block app traffic. | Admin must make apps managed and assign them Tunnel to enable traffic through Ivanti Tunnel. |
| Domain name triggers | Ivanti Tunnel VPN is always on. There is no triggering of VPN on Android devices. | Safari can trigger Tunnel using domain names. |
| Per-app allow/block list | No per-app information is sent to Standalone Sentry. Sentry cannot enforce allow/block lists at a per-app level. | Ivanti Tunnel sends per-app information to Sentry. Sentry can enforce blocking at a per-app level. |
| Notifications | Ivanti Tunnel can provide notifications to users for various events (connect/disconnect, allow/block). | When the device is out of compliance, per-app Ivanti Tunnel VPN cannot provide notifications to the user if traffic is blocked. |
| UDP support | Standalone Sentry supports only limited types of UDP traffic, such as DNS traffic. Audio and video traffic through Standalone Sentry is not supported. Therefore, Ivanti recommends configuring SplitUDPPortList to manage UDP traffic. | Standalone Sentry supports only limited types of UDP traffic, such as DNS traffic. Audio and video traffic through Standalone Sentry is not supported. Therefore, Ivanti recommends configuring SplitUDPPortList to manage UDP traffic. |
| ICMP support | ICMP is not supported. | ICMP is not supported. |
| IPv6 | IPv6 is not supported. | IPv6 is not supported. |