Adding an AppTunnel configuration

AppTunnel secures the data that moves between your secure AppConnect apps and your corporate data sources. A Standalone Sentry deployment is required to set up AppTunnel. Setting up AppTunnel for an AppConnect app is a two-step process.

  1. Configure a Custom HTTP or Custom TCP AppTunnel service on a Standalone Sentry configured for AppTunnel.
  2. Add an AppTunnel configuration for the app.

Before you begin 

  • Ensure that you have a Standalone Sentry configured to support AppTunnel. The required steps include:
    • Setting up the Standalone Sentry connectivity settings, which include the Sentry host name or IP address, and the port number Ivanti Neurons for MDM uses to access the Sentry.
    • Enabling the Standalone Sentry for AppTunnel.
    • Configuring the Standalone Sentry for device authentication, which is how the device authenticates to the Standalone Sentry. This authentication includes setting up certificates if you require them.

    See "Standalone Sentry for AppTunnel," in the Standalone Sentry Guide for Ivanti Neurons for MDM for information on how to set up Sentry for AppTunnel.

  • Configure a Custom HTTP or Custom TCP AppTunnel service on Standalone Sentry.

    You create the AppTunnel service in Ivanti Neurons for MDM, in Admin > Infrastructure > Sentry, in a Sentry profile.

    For information about creating a AppTunnel service, see "Configuring Standalone Sentry for AppTunnel" in the Standalone Sentry Guide for Ivanti Neurons for MDM.

  • Add the AppConnect app to the Ivanti Neurons for MDM.


  1. In Ivanti Neurons for MDM, go to Apps > App Catalog.

  2. Click the name of the AppConnect app to edit.
  3. Click App Configurations.
  4. For AppTunnel, click + to add a new AppTunnel configuration.
  5. Use the guidelines in the following table to enter the configuration.




    Enter a descriptive name for the configuration.


    Sentry Profile

    Select a Sentry profile configured for AppTunnel from the drop-down list.

    Enable Split Tunneling using MobileIron Tunnel

    iOS only. Requires Go 5.4.0 for iOS and Tunnel 4.1.0 for iOS.

    Before enabling the option, ensure that Tunnel is deployed and the Tunnel VPN configuration is applied to the AppConnect app. For information about deploying Tunnel and applying the Tunnel VPN configuration to a managed app, see "Main tasks for configuration Tunnel for iOS (Ivanti Neurons for MDM)" in the Tunnel for iOS Guide.

    Select the option if the AppConnect app will transition to using WKWebView or the app currently uses WKWebView and any of the following is also true:

    • AppTunnel rules are configured to tunnel app data.

    • Enable MobileIron Access is selected.

    Enabling the option allows the configured AppTunnel rules to be managed through Tunnel rather than through AppTunnel.

    For information about the UIWebView API deprecation, see UIWebView Deprecation and AppConnect Compatibility.

    Rules configured in the Tunnel VPN configuration impact whether app data to the enterprise resource is tunneled. Consider the following case:

    • You have an AppTunnel rule set up to tunnel app data to an enterprise resource.

    • Tunnel VPN is configured to disconnect if the enterprise Wi-Fi is available.

    In the above case, data from the app to the enterprise resource will not be tunneled if the device switches to the enterprise Wi-Fi network.

    AppTunnel Rules

    Choose service

    Select a service name from the drop-down list.

    This is the Custom HTTP or Custom TCP service you created in the Sentry profile.

    URL Wildcard

    Enter one of the following:

    • an app server’s hostname


    • a hostname with wildcards. The wildcard character is *. 

      Example: *

    If the AppConnect app requests access to this hostname, Sentry tunnels the app data. The Sentry profile and service fields that you specify determine the target app server.


    (Optional) Enter a port numbe for the backend enterprise resource to which the traffic is tunneled.

    The app data is tunneled only if the app’s request matches the hostname in the URL Wildcard field and this port number.


    Click to configure additional service and URL wildcards.

    Multiple wildcards are evaluated in the order in which they appear. You can reorder the sequence by dragging a row up or down.

  6. Select a distribution option.
  7. Click Save.
  • “Configuring Standalone Sentry for AppTunnel” in the Standalone Sentry Guide for Ivanti Neurons for MDM.