Configuring MobileIron Tunnel in MobileIron Cloud

MobileIron Tunnel creates a secure connection between the managed device and MobileIron Access for authenticating users accessing enterprise cloud resources.

Before you begin 

  • Add a Certificate Authority and create an Identity Certificate setting in MobileIron Cloud.
    • Add the Certificate Authority in Admin > Certificate Authority.
    • Create an Identity Certificate setting in Configuration > Add > Identity Certificate.
      For Certificate Distribution, select Dynamically Generated and for Source, select the certificate you configured in Admin > Certificate Authority.
  • If you were using a Sentry profile to configure Access in MobileIron Cloud, reconfigure your setup to use an Access profile before deploying MobileIron Tunnel 3.1.0 for iOS through the most recently released version as supported by MobileIron. To set up an Access profile, see Configuring Access in MobileIron Cloud.

  • For Android enterprise, app configuration is done when adding the app to the UEM for distribution. The following procedure applies to all supported OS except Android enterprise. However, configuration information provided in this procedure also applies when you configure Android enterprise. For information on how to add MobileIron Tunnel for Android enterprise to MobileIron Cloud, see the relevant section in the MobileIron Tunnel Guide for Administrators.

    NOTE: If you are configuring Tunnel for Android enterprise and using MobileIron Access Profile only, MobileIron recommends adding configuring AllowedAppList to specify the apps for which authentication traffic goes through Tunnel.

Procedure 

  1. In MobileIron Cloud, go to Configurations > +Add.
  2. Search for MobileIron Tunnel and click MobileIron Tunnel.
  3. Select the OS type for the configuration.
  4. Create a separate Tunnel configuration for each OS type.
  5. Enter a name for the configuration.
  6. Select one of the following:
    1. MobileIron Access Profile Only - Select if Tunnel traffic goes only to Access.
    2. MobileIron Sentry + Access Profile - Select if Tunnel VPN supports both traffic to Access for authentication to enterprise cloud resources and through Standalone Sentry to on-premise enterprise resources. This option is available for iOS and Android only.

    Figure 1. Profile mode selection

  7. If you selected MobileIron Sentry + Access Profile for profile mode, select the Sentry profile and the iOS or Android service you created in the Sentry profile.
  8. For a Tunnel for Android configuration, do the following:
    1. For Client Cert. Alias, for Tunnel for Android only, select the same certificate configuration you select for SCEP Identity.
    2. For SCEP Identity, select the Identity Certificate configuration you created for Tunnel.
  9. For a Tunnel for Windows 10 configuration, do the following:
    1. For SCEP Identity, select the Identity Certificate configuration you created for Tunnel.
    2. For Define Tunnel App Settings, select Advanced.

    3. Enter the following key-value pairs:

      Key

      Value

      AppTriggerList/0/App/Id

      App Id that will trigger Tunnel.

      Example:

      %PROGRAMFILES% (x86)\Google\Chrome\Application\chrome.exe

      TrafficFilterList/0/App/Id

      App Id that will tunnel traffic through Tunnel.

      Example:

      %PROGRAMFILES% (x86)\Google\Chrome\Application\chrome.exe

      RouteList/0/Address

      If your Cloud tenant is *.access-na1.mobileiron.com enter:

      18.232.253.154

      If your Cloud tenant is *.access-eu1.mobileiron.com enter:
      18.194.253.44

      RouteList/0/PrefixSize

      32

      TrafficFilterList/0/RoutingPolicyType

      SplitTunnel

      RouteList/1/Address

      If your Cloud tenant is *.access-na1.mobileiron.com enter:

      18.232.30.29

      If your Cloud tenant is *.access-eu1.mobileiron.com enter:
      18.194.99.243

      RouteList/1/PrefixSize

      32

  10. Leave all defaults as is and click Next.

    NOTE: If you are configuring Tunnel for Android enterprise and using MobileIron Access Profile only, MobileIron recommends adding configuring AllowedAppList to specify the apps for which authentication traffic goes through Tunnel.
  11. Select the distribution for the configuration and click Done.
  12. In MobileIron Access,
    1. Navigate to the UEM tab.
    2. Select the Cloud UEM and click the Sync UEM button.
    3. Enter the credentials and click Verify and Done.

    This step is required to pull the Tunnel certificates from the UEM and established trust between Tunnel and Access.

Next steps 

1. Add MobileIron Tunnel to MobileIron Cloud. For information on how to add MobileIron Tunnel to MobileIron Cloud, see the relevant section in the MobileIron Tunnel Guide for Administrators for the device OS.
2. Set up SP and IdP federated pairs.

See Service provider (SP) metadata and Identity provider (IdP) metadata.

Related topics 

For more information about configuring and distributing MobileIron Tunnel see the MobileIron Tunnel Guide for Administrators for the OS.