Tunneling use cases for derived credentials on iOS
AppTunnel with HTTP/S tunneling and Kerberos authentication to the backend resource
This use of derived credentials is supported only on iOS devices.
Consider the case where:
- You want to use AppTunnel to tunnel data between an AppConnect app on an iOS device and a backend resource, and
- You want to authenticate the device user to the backend resource using Kerberos authentication.
This scenario requires:
- AppTunnel with HTTP/S tunneling, because only it supports Kerberos authentication to the backend resource; AppTunnel with TCP tunneling (also known as Advanced AppTunnel) does not.
- Authenticating the device to the Sentry using a certificate that identifies the user, not just the device.
This identity certificate can be a derived credential. You specify the derived credential when setting up the AppTunnel configuration for an AppConnect app.
Tunnel app and certificate authentication to the backend or web resource
This use of derived credentials is supported only on iOS devices.
Consider the case where:
- You want to tunnel data between an AppConnect app on an iOS device and a backend or web resource, and
- You want to authenticate the device user to the resource using a derived credential.
This scenario requires AppTunnel with TCP tunneling (also known as Advanced AppTunnel), which uses the Tunnel app. This setup allows the app to pass an identity certificate to a backend or web resource. This identity certificate can be a derived credential.
To configure this scenario:
- You configure AppTunnel with TCP tunneling as you normally would. This configuration involves using the Tunnel app to set up a per-app VPN for the app.
- You configure the AppConnect app in Ivanti EPMM so that the app will receive the derived credential in its app-specific configuration key-value pairs.