AppTunnel and TLS protocol versions in Android secure apps

An AppConnect for Android app uses a TLS protocol version to communicate with:

• the Standalone Sentry for network requests using AppTunnel with HTTP/S tunneling or TCP tunneling

•enterprise servers that use certificate authentication using AppTunnel with TCP tunneling

TLSv1.2 is more secure. Therefore, Ivanti recommends that you configure your Standalone Sentry and applicable enterprise servers to accept TLSv1.2.

The following table shows the TLS protocol version the app uses, which depends on:

• the version of the AppConnect wrapper

•whether the app is configured for AppTunnel with HTTP/S tunneling or AppTunnel with TCP tunneling

•whether the app is configured with the applicable key-value pair.

In all cases, make sure your Standalone Sentry and applicable enterprise servers accept one of the TLS protocol versions that the AppConnect wrapper requests.

Table 1. TLS protocol versions used by AppConnect Wrapper for TCP Tunneling

Wrapper version	Default TLS protocol	Applicable key-value pair in the app's AppConnect app configuration
8.0 through 8.4 HTTP/S Tunneling	TLSv1.2 falling back to TLSv1.0 if required by server	None
8.0 through 8.4 TCP Tunneling (Generation 2 wrapper only)	TLSv1.0	MI_AC_USE_TLS1.2 Defaults to false Include this key with the value set to true to make the AppConnect wrapper in the app use TLSv1.2 instead of TLSv1.0. Defaults to false Include this key with the value set to true to make the AppConnect wrapper in the app use TLSv1.2 instead of TLSv1.0.
8.5 and supported newer versions HTTP/S Tunneling and TCP Tunneling	TLSv1.2	MI_AC_ENABLE_TLS_FALLBACK KVP Defaults to false Include this key with the value set to true if you want the AppConnect wrapper in the app to fallback to TLSv1.0 if the TLSv1.2 request is not accepted by the server.

Wrapper version

Default TLS protocol

Applicable key-value pair in the app's AppConnect app configuration

8.0 through 8.4

HTTP/S Tunneling

TLSv1.2 falling back to TLSv1.0 if required by server

None

8.0 through 8.4

TCP Tunneling

(Generation 2 wrapper only)

TLSv1.0

MI_AC_USE_TLS1.2

Defaults to false

Include this key with the value set to true to make the AppConnect wrapper in the app use TLSv1.2 instead of TLSv1.0.

Defaults to false

Include this key with the value set to true to make the AppConnect wrapper in the app use TLSv1.2 instead of TLSv1.0.

8.5 and supported newer versions

HTTP/S Tunneling and TCP Tunneling

TLSv1.2

MI_AC_ENABLE_TLS_FALLBACK KVP

Defaults to false

Include this key with the value set to true if you want the AppConnect wrapper in the app to fallback to TLSv1.0 if the TLSv1.2 request is not accepted by the server.

The AppConnect wrapper is the consumer of the key-value pair; the AppConnect app itself ignores it.

Configuring the TLS protocol for AppTunnel

You can configure an AppConnect app to use a TLS protocol version other than the default versions by using the key-value pairs described in AppTunnel and TLS protocol versions in Android secure apps .

Procedure

In the MobileIron Core Admin Portal, go to Policies & Configs > Configurations.

Select the appropriate setting for the app.

For Docs@Work, select a Docs@Work setting.

For Web@Work, select a Web@Work setting.

For other secure apps, select an AppConnect app configuration.

Click Edit.

In the App-specific Configurations section (called Custom Configurations for Docs@Work and Web@Work settings), click Add+.

For apps wrapped with AppConnect wrapper 8.0 through 8.4, add the key MI_AC_USE_TLS1.2 with the value true if you want to use only TLSv1.2 instead of TLSv1.0.

For apps wrapped with AppConnect wrapper 8.5 and supported newer versions, add the key MI_AC_ENABLE_TLS_FALLBACK with the value true if you want to fallback to using TLSv1.0 if TLSv1.2 is not accepted.

Click Save.