Setup overview for Ivanti Access

This section provides an overview of the setup required for implementing access control to cloud services using Ivanti Access and contains the following:

Before you configure Ivanti Access

Overview of steps to set up Ivanti Access

Authentication options

Before you configure Ivanti Access

Before you start configuring Ivanti Access the following infrastructure setup is required:

  • Federated authentication
    Ivanti Access supports federated authentication using SAML and WS-Fed. Refer to the documentation provided by your SP and IdP for information on how to set up federated authentication using SAML or WS-Fed.
  • Standalone Sentry enabled for AppTunnel
    By default, Ivanti Access trusts all AppTunnel traffic.

    Required only for Ivanti Access + Standalone Sentry deployment.

  • Ivanti Tunnel or AppConnect
    Ivanti Access control for managed apps requires Ivanti Tunnel. Access control for AppConnect apps requires either Ivanti Tunnel or AppTunnel.

    AppTunnel is supported only with an Ivanti Access + Standalone Sentry deployment.

  • App distribution
    Managed apps are distributed through Ivanti EPMM or Ivanti Neurons for MDM.

For related documentation, see the following:

  • Ivanti EPMM documentation
    For information on how to set up AppTunnel, AppConnect, Ivanti Tunnel, and app distribution, see the following documents:
    • For information on how to set up AppTunnel, see the Sentry Guide at Sentry Product Documentation.
    • For information on how to configure Ivanti Tunnel, see the Ivanti Tunnel Guide at Ivanti Tunnel for Android Product Documentation.
    • For information on how to set up an AppConnect app and how to distribute managed apps using Ivanti EPMM, see the AppConnect Guide.
      Ensure that the Ivanti Tunnel (iOS) VPN setting is selected in the app configuration for non-AppConnect apps.
  • Ivanti Neurons for MDM documentation
    For information on how to set up AppTunnel, AppConnect, Ivanti Tunnel, and app distribution on Ivanti Neurons for MDM, see Ivanti Neurons for MDM Product Documentation or by clicking on Help in your Ivanti Neurons for MDM instance.

Overview of steps to set up Ivanti Access

The setup for Ivanti Access is done in the Ivanti Access administrative portal.

Basic configuration

  1. Get started with the setup.
    See Getting Started with Ivanti Access.
  2. If your deployment uses Standalone Sentry, then register and assign Standalone Sentry to Ivanti Access.
    See Set up Ivanti Access + Standalone Sentry.
    OR
    If your deployment is Ivanti Access (without Standalone Sentry), set up integration with UEM.
    See Set up Ivanti Access with UEM.
  3. Set up a cloud service provider (SP) and identity provider (IdP) federated pair.
    See Federated Pairs.
  4. Upload Proxy metadata to the cloud service and identity provider.
    See Uploading proxy metadata.
  5. Publish the profile.
    See Publishing a profile.
  6. Verify traffic flow.
    See Verifying traffic flow.

Advanced configuration

  1. Set up conditional rules for access control. Conditional rules allow you to define which applications and IP network ranges can access a cloud resource.
    See Conditional Access.
  2. Set up session revocation, which allows you to terminate or revoke the session token if a device is out of compliance and the compliance action is blocked or a device is retired.
    See Session Revocation.
  3. Set up mobile app single sign-on (SSO) to allow users to access enterprise cloud services from their managed mobile devices without having to enter passwords.
    See Configuring Mobile App Single Sign-on (SSO).
  4. Set up Zero Sign-on to allow users access to enterprise cloud services from their unmanaged devices without having to enter passwords.
    See Zero Sign-on with Ivanti Access.
  5. Set up multi-factor authentication using the UEM client to allow users to access their enterprise cloud services from an unmanaged device using multi-factor authentication in addition to their enterprise credentials.
    See Multi-factor Authentication with UEM Client.
  6. Set up Ivanti Access desktop trust agent to verify and establish trust for unmanaged Windows 7 and Windows 10 desktops.
    See Desktop Trust Agent Guide.

Split tunneling configuration

In an Ivanti Access deployment, all authentication traffic for the federated pairs configured in Access goes through Ivanti Access using Ivanti Tunnel VPN. Depending on the type of Access deployment, all other traffic through Ivanti Tunnel VPN goes either directly to the destination server or through Standalone Sentry. Split tunneling allows you to control which traffic goes through Standalone Sentry to on-premises enterprise resources and which traffic goes directly to the destination.

For information about configuring split tunneling, see Split Tunneling.

Delegated IdP

In most cases, Ivanti Access is deployed as an intermediary between the service provider (SP) and the identity provider (IdP). In such a deployment, Ivanti Access acts as a proxy to the IdP and all federated SP traffic goes through Ivanti Access. In some cases, you may want to retain the existing SP-IdP federated setup, but deploy Ivanti Access to federate only a subset of the traffic, such as traffic from mobile devices. In such cases, Ivanti Access can be deployed as a delegated IdP rather than as a proxy to the IdP.

For information about configuring Ivanti Access as the delegated IdP, see Delegated IdP.

Authentication options

With a basic Ivanti Access setup, when users initially attempt to log in to an enterprise cloud service from their managed device, they are prompted for their username and password. In addition, Ivanti Access allows you to set up various authentication options to allow your users ease of access from both managed and unmanaged devices to enterprise cloud services. The following table describes these options. See Advanced configuration for information on how to set up the various authentication options.

Table 3.  Authentication options

| Feature | Purpose | Description |
|---|---|---|
| Mobile app single sign-on: native mobile application single sign-on (SSO) | Passwordless access from a managed device. | Passwordless certificate-based single sign-on from managed devices. Users do not need to enter their username and password. |
| Mobile app single sign-on: SaaS sign-on | Passwordless access from a managed device. | Passwordless certificate-based single sign-on from managed devices. Users do not need to enter their username and password. |
| Zero Sign-on | Passwordless access from unmanaged devices. | A QR code is presented to users attempting to access a cloud service from their unmanaged device. Scanning the QR code with their managed device authenticates the user and allows access from the unmanaged device. Users have the option to enable push notifications or a one-time passcode (OTP). If enabled, a push notification is sent to the managed device on subsequent logins from the unmanaged device. Alternately, users can use OTP. Users do not need to enter their username and password. |
| Multi-factor authentication | Ivanti Access from unmanaged devices. | Two-factor authentication allows users to access cloud services from unmanaged devices. Users enter their username and password on the unmanaged device. A push notification is sent to the user's managed device. If accepted, users can access the cloud service from their unmanaged device. Alternately, users can use OTP. |
| Desktop trust agent | Ivanti Access from unmanaged Windows 7 and Windows 10 desktops. | The desktop trust agent verifies and establishes trust for unmanaged Windows 7 and Windows 10 desktops, thus allowing access to cloud services. |