Multi-factor authentication and authorization for device users

Device users can use Web@Work only if the following are true:

  • The device and user are registered with Ivanti EPMM.

    Registering a device with Ivanti EPMM authenticates the device user.

  • The device is authorized to use Web@Work.

    Using the Admin Portal, you authorize a device to use Web@Work. The labeling mechanism in Ivanti EPMM is used to indicate the devices that are authorized to use Web@Work.

    If the device is not authorized to use Web@Work, the device user cannot use it even for accessing public websites.

  • The device is in compliance with the security policy applied to the device.

    Using the Admin Portal, you can set up security policies to block access to Web@Work if the device fails to meet conditions that you specify. When access is blocked, the device becomes unauthorized to use Web@Work. Also, all AppTunnel access is blocked, which blocks access to enterprise websites.

    On iOS devices, be sure to require a device passcode on the security policy, since a device passcode enables iOS data encryption capabilities. Web@Work uses iOS data encryption capabilities to encrypt browser data.

  • Device users are logged in with their secure apps passcode.

    Web@Work is an AppConnect app, and therefore, you can optionally require the device user to enter a secure apps passcode to use it. The device user uses a secure apps passcode to access all AppConnect apps.

    When device users first launch Web@Work, they are prompted to create a secure apps passcode if they have not already created one to use on some other AppConnect app. On subsequent launches of Web@Work, users are prompted to enter the secure apps passcode, unless they had recently entered it to use on some other AppConnect app.

    After device users have registered the device with Ivanti EPMM and, if required, entered their secure apps passcode, they have no further Web@Work setup to do.

    A device user cannot specify Web@Work as the default browser on the device. This prohibition ensures that the device user always has easy access to a browser for non-enterprise browsing, even if the device becomes unauthorized to use Web@Work.

Secure enterprise web content access using AppTunnel

Web@Work uses AppTunnel technology to securely access web content behind your enterprise’s firewall. This technology allows you to:

  • Set up Web@Work to access enterprise websites without requiring the device user to set up VPN.
  • Support Single Sign On using Kerberos Constrained Delegation (KCD).

    The device users register Web@Work with Ivanti EPMM by entering their Ivanti credentials. Then, the device user can use Web@Work to access an enterprise app server without having to enter any further credentials. This support depends on your environment being set up to use KCD, plus the necessary AppTunnel configuration.

  • Limit enterprise access to Web@Work.

    Other apps, such as mobile email and calendar synchronization, are not impacted by Web@Work’s enterprise access. Therefore, unlike when you use VPN for enterprise access, you do not have to retest the behavior of these existing apps.

  • Limit the enterprise sites that a device user can access.

    You can specify accessible sites in the tunneling configuration. Specifically, as long as the device stays on the external network, internal sites that are not specified in the tunneling configuration remain inaccessible. Also, you can vary the accessible sites according to device and user attributes, such as user membership in the enterprise directory.

  • Terminate enterprise website access based on compliance policies.

    Using the security policy for a device, you can specify which non-compliance situations block AppTunnel access.

  • Perform URL filtering to audit and enforce web use policies.

    If you direct all outgoing traffic through a filtering proxy, you can direct traffic that you tunnel through the proxy, too. For example, by setting up Web@Work to tunnel all requests to, you can set the URL rules in your filtering proxy to block access to that site.

Benefit from split-tunneling.

You can allow device users to access some public websites without tunneling, while enforcing tunneling for other external as well as enterprise websites. By setting up split-tunneling, your device users can access public sites without incurring additional load on enterprise network infrastructure. In addition, split-tunneling allows users to access public websites without visibility to the enterprise. Regional privacy regulations sometimes require this for personally-owned devices.
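The site-limiting and split-tunneling behavior described above can be checked offline before a rule set is rolled out. The following Python model is an added example, not Ivanti code or Ivanti's configuration syntax: the rule format, the first-match ordering, the `corp.example` internal zone and all host names are assumptions made for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

TUNNEL, DIRECT, UNREACHABLE, DENIED = "tunnel", "direct", "unreachable", "denied"
INTERNAL_SUFFIX = "corp.example"  # assumption: the enterprise's internal DNS zone

# Constructed rule list in a hypothetical format: (host pattern, action).
# Assumption: first match wins; hosts matching no rule are fetched directly.
RULES = [
    ("wiki.corp.example", TUNNEL),
    ("*.hr.corp.example", TUNNEL),
    ("*.example.org", DIRECT),         # public sites left outside the tunnel
    ("intranet.example.org", TUNNEL),  # shadowed by the rule above
]

def is_internal(host):
    return host == INTERNAL_SUFFIX or host.endswith("." + INTERNAL_SUFFIX)

def decide(url, rules, authorized=True, tunnel_blocked=False):
    """Outcome for one request from a device on an external network."""
    if not authorized:
        return DENIED  # unauthorized device: no browsing, public sites included
    host = (urlsplit(url).hostname or "").lower()
    action = next((a for pat, a in rules if fnmatchcase(host, pat)), DIRECT)
    if action == TUNNEL:
        return DENIED if tunnel_blocked else TUNNEL
    # Untunneled requests to internal hosts cannot cross the firewall.
    return UNREACHABLE if is_internal(host) else DIRECT

def audit(rules):
    """Flag shadowed rules and internal hosts routed outside the tunnel."""
    findings = []
    for i, (pat, action) in enumerate(rules):
        for j, (earlier, earlier_action) in enumerate(rules[:i]):
            if earlier_action != action and fnmatchcase(pat, earlier):
                findings.append((i, f"shadowed by rule {j} ({earlier} -> {earlier_action})"))
                break
        if action == DIRECT and is_internal(pat.lstrip("*.")):
            findings.append((i, "internal host routed outside the tunnel"))
    return findings
```

Running `audit(RULES)` on the constructed list reports the last rule as shadowed, which is why `intranet.example.org` would bypass the tunnel in this model.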

Secure tunneled web traffic using multi-factor authentication and authorization.

To use Web@Work:

  • You can optionally require a secure apps passcode to access Web@Work, in addition to the device passcode.

Also, establishing an AppTunnel requires a unique client-side certificate, ensuring that only managed and authorized devices can access enterprise websites. You can get certificates from a third-party certificate authority (CA) or from the CA built into Ivanti EPMM.

Enable Access for Web@Work

Web@Work now supports Access. Access is an Ivanti Neurons for MDM service that secures access to enterprise content in business Ivanti Neurons for MDM services such as Office 365, G Suite, Salesforce, Box, and Dropbox. For information about Access as a service and how to set up the service with Ivanti EPMM, see the Access Guide.