Per app VPN and the Tunnel app on iOS and macOS devices

Ivanti EPMM pushes per app VPN profiles to devices regardless of whether devices have the VPN client (Tunnel). Ivanti EPMM will install apps to devices that require Tunnel to function correctly, even if those devices do not have Tunnel installed or per app VPN enabled. If Tunnel is not installed to devices with these apps, the apps will not function correctly. To enable the use of apps that require Tunnel type per app VPN to function, you must ensure devices have Tunnel installed and per app VPN functionality enabled.

Ivanti EPMM makes the following recommendations with regard to apps requiring per app VPN:

  • When sending app installation messages to devices for apps requiring Tunnel type per app VPN, Ivanti EPMM installs the apps to devices even if Tunnel or per app VPN is not installed or enabled on these devices. To send app installation messages only to devices with Tunnel type per app VPN, you must send the app installation message to a label you create that includes only devices with Tunnel type per app VPN.
  • When sending an app installation or conversion request (from unmanaged to managed) on registration or sign-in, Ivanti EPMM installs to devices apps requiring Tunnel or per app VPN regardless of whether devices have Tunnel installed or per app VPN enabled. To send app installation or conversion requests only to devices with Tunnel type per app VPN configurations, you must send the app installation or conversion message to a label you create that includes only devices with Tunnel type per app VPN.
  • When signing out of the multi-user web clip for iOS, Ivanti EPMM triggers the removal of the per app VPN profile from the device twice.
  • Apply the following dynamic label to the VPN configuration profile you apply to devices: "common.mi_tunnel_app_installed" = "production"
  • When configuring per app VPN settings to an app, select Per app VPN by label only, then select the Tunnel VPN configuration. You must move only the Tunnel VPN configuration to the right side of per app VPN list, as Ivanti EPMM does not support this functionality if other types of VPN configurations exist on the device.