AppTunnel and TLS protocol versions in Android AppConnect apps

An AppConnect for Android app uses a TLS protocol version to communicate with:

the Standalone Sentry for network requests using AppTunnel with HTTP/S tunneling or TCP tunneling
enterprise servers that use certificate authentication using AppTunnel with TCP tunneling

TLSv1.2 is more secure. Therefore, MobileIron recommends that you configure your Standalone Sentry and applicable enterprise servers to accept TLSv1.2.

The following table shows the TLS protocol version the app uses, which depends on:

the version of the AppConnect wrapper
whether the app is configured for AppTunnel with HTTP/S tunneling or AppTunnel with TCP tunneling
whether the app is configured with the applicable key-value pair.
IMPORTANT: In all cases, make sure your Standalone Sentry and applicable enterprise servers accept one of the TLS protocol versions that the AppConnect wrapper requests.

Table 1. TLS protocol versions used by AppConnect Wrapper for TCP Tunneling

Wrapper version

Default TLS protocol

Applicable key-value pair in the app's AppConnect app configuration

8.0 through 8.4

HTTP/S Tunneling

TLSv1.2 falling back to TLSv1.0 if required by server

None

8.0 through 8.4

TCP Tunneling

(Generation 2 wrapper only)

TLSv1.0

MI_AC_USE_TLS1.2

Defaults to false

Include this key with the value set to true to make the AppConnect wrapper in the app use TLSv1.2 instead of TLSv1.0.

Defaults to false

Include this key with the value set to true to make the AppConnect wrapper in the app use TLSv1.2 instead of TLSv1.0.

8.5 through the most recently released version as supported by MobileIron

HTTP/S Tunneling and TCP Tunneling

TLSv1.2

MI_AC_ENABLE_TLS_FALLBACK KVP

Defaults to false

Include this key with the value set to true if you want the AppConnect wrapper in the app to fallback to TLSv1.0 if the TLSv1.2 request is not accepted by the server.
NOTE: The AppConnect wrapper is the consumer of the key-value pair; the AppConnect app itself ignores it.

Related topics