Tunnel for iOS configuration field description

The following table provides field descriptions for the Tunnel configuration. There are some variations in field names between MobileIron Core and MobileIron Cloud.

Table 1. Tunnel configuration field description

Item

Description

Name

Enter a name for the MobileIron Tunnel VPN profile.

Description

Enter a description for the profile.

Connection Type
(MobileIron Core)

Select MobileIron Tunnel.

Only fields relevant to MobileIron Tunnel are displayed.

Choose OS to create Tunnel Configuration
(MobileIron Cloud. Per-app VPN)

Select iOS/macOS.

Profile selection mode to use for this configuration
(MobileIron Cloud)

Select one of the following:

  • Sentry Profile Only: Select if Tunnel traffic goes only through Standalone Sentry only.

  • MobileIron Access Profile Only: Select if Tunnel traffic goes to Access only. Only authentication traffic is tunneled to Access. This option is available only if a MobileIron Access deployment is set up.

    NOTE: If MobileIron Access Profile Only is configured with per-app VPN packet tunnel provider type, only authentication traffic is tunneled to Access. All other traffic is dropped. If MobileIron Access Profile Only is configured with device-level VPN packet tunnel provider type, only authentication traffic is tunneled to Access. All other traffic goes directly to the destination.
  • MobileIron Sentry + Access Profile: Select if Tunnel VPN supports both traffic to Access for authentication to enterprise cloud resources and through Standalone Sentry to on-premise enterprise resources. This option is available only if a MobileIron Access as a service deployment is set up.

Legacy App Support (iOS only)

Select one of the following:

  • Enabled: Select to enable per-app VPN with the MobileIron Tunnel Legacy app (versions of MobileIron Tunnel prior to 2.0) on all versions of iOS.
  • Enabled for iOS 7 and 8: Select to enable per-app VPN using the MobileIron Tunnel Legacy app for devices running iOS 7 and 8 only. This option enables the per-app VPN feature with MobileIron Tunnel 2.0 on devices running iOS 9 through the most recently released version as supported by MobileIron.

The per-app VPN feature with MobileIron Tunnel requires a separate license and Sentry 5.0 through the most recently released version as supported by MobileIron. Ensure your organization has purchased the necessary license before enabling this feature. MobileIron Tunnel 2.0 through the most recently released version as supported by MobileIron is required for devices running iOS 9 through the most recently released version as supported by MobileIron.

VPN Sub Type

(MobileIron Cloud)

(Optional) Overrides the bundle identifier for a customized MobileIron Tunnel app.

Enable MobileIron Access
(MobileIron Core)

Select to enable authentication traffic through MobileIron Access.

The option is available only if Access as a service is set up with MobileIron Core. For information about how to set up Access as a service with MobileIron Core, see the MobileIron Access Guide.

Provider Type

(In MobileIron Cloud, this field is available only in the MobileIron Tunnel configuration for per-app VPN.

app-proxy: This is the default setting. Use this setting for TCP tunneling only.

packet-tunnel: Select to allow Tunnel to also handle IP traffic.

NOTE: Device-level VPN automatically uses the packet tunnel provider type.

Per-app VPN
(MobileIron Core)

The options are available if Provider Type is packet-tunnel. Otherwise, the options are grayed out. Device-level VPN is not available for app proxy tunnel.

Yes: This is the default setting. Connectivity is established for an app, rather than the device.

No: Select to establish connectivity for the device, rather than just an app.

Sentry (Profile)

Core: Select the Standalone Sentry on which you created the tunnel service.

Cloud: Select the Standalone Sentry profile on which you created the Tunnel for iOS service.
The field is not available if the profile mode is MobileIron Access Profile Only.

Sentry Service

Core: Select the TCP or IP service that the Safari domain or managed app will use. If you are configuring packet tunnel provider type, select the IP service you created for Tunnel. If you are configuring app proxy, select the TCP service you created for Tunnel.

Cloud: Select the Tunnel for iOS service.
The field is not available if the profile mode is MobileIron Access Profile Only.

Only TCP services are available for selection if the provider type is app proxy.

Only IP services are available for selection if the provider type is packet tunnel.

SCEP Identity

(MobileIron Cloud)

Select the Identity Certificate configuration you created for Tunnel.

The Identity Certificate is automatically selected if Sentry Profile Only or MobileIron Sentry + Access Profile is enabled.

Debug Info Recipient (MobileIron Cloud)

Enter an email address to forward the debug information.

Identity Certificate
(MobileIron Core)

Select the certificate setting you created.

If you are using user-provided certificates, select the user provided certificate you created for MobileIron Tunnel.

On Demand Rules (iOS 9 and later; macOS 10.13 and later)

VPN on-demand rules are applied when the device's primary network interface changes, for example, when the device switches to a different Wi-Fi network. Devices will drop the Tunnel VPN connection if an enterprise Wi-Fi is detected. If the network is not a Wi-Fi network or if its SSID does not appear in the list, the device will continue to use Tunnel VPN.

Note The Following:  

  • A matching rule is not required. The Default Rule is applied if a matching rule is not defined.
  • If you select Evaluate Connection, a matching rule is not required.
  • You can create up to 10 On Demand matching rules.
  • For each matching rule you can create up to 50 Type and Value pairs.
IMPORTANT: An Ethernet on-demand rule is only applicable to macOS devices. If the rule is pushed to iOS device, the rule may cause issues with Tunnel behavior and how traffic through Tunnel is handled. Therefore, MobileIron strongly recommends using separate Tunnel VPN configurations for iOS and macOS.

Add +

Click to add a new On Demand matching rule.

On Demand Action

Select one of the following actions to apply to the matching rule:

  • Connect
  • Disconnect

Matching Rules

For each On Demand matching rule to which the action is applied enter the type and value pair.

Add +

Click to add a new On Demand matching rule.

A dialog box appears.

Type

Select the following key type:

  • SSID

Value

Enter a list of SSIDs to match the enterprise Wi-Fi. If the network is not a Wi-Fi network or if its SSID does not appear in the list, the match will fail.

TIP: To add multiple SSIDs, create a separate SSID Type-Value pair for each SSID.

Description

Enter additional information about this matching rule.

OK

Click to add the On Demand Action and the associated Matching Rules.

Default Rule

The default rule (action) is applied to a connection that does not match any of the matching rules.

On Demand Action

From the drop down list, select Connect.

Safari Domains

The device user can access servers ending with these domains in Safari.

A MobileIron Tunnel configuration is only applied to a managed app. Therefore, a managed app with the MobileIron Tunnel configuration must be installed on the device for the device user to access the domains using per-app VPN.

Note The Following:  

  • If the device resolves the destination domain, then Tunnel is not launched.
  • If the Safari domains use Kerberos authentication, you must also do the setup described in Setting up single sign-on with Kerberos.

Safari Domain

Enter a domain name.

Only alphanumeric characters and periods (.) are supported.

Description

Enter a description for the domain.

Add New

Click to add a domain.

Calendar Domains (iOS 13 and later; macOS 10.15 and later)

A Tunnel VPN connection is automatically established for these domains.

Only available for per-app VPN.

Calendar Domain

Enter a domain name.

Only alphanumeric characters and periods (.) are supported.

Description

Enter a description for the domain.

Add New

Click to add a domain.

Contact Domains (iOS 13 and later; macOS 10.15 and later)

A Tunnel VPN connection is automatically established for these domains.

Only available for per-app VPN.

Contact Domain

Enter a domain name.

Only alphanumeric characters and periods (.) are supported.

Description

Enter a description for the domain.

Add New

Click to add a domain.

Mail Domains (iOS 13 and later; macOS 10.15 and later)

A Tunnel VPN connection is automatically established for these domains.

Only available for per-app VPN.

Mail Domain

Enter a domain name.

Only alphanumeric characters and periods (.) are supported.

Description

Enter a description for the domain.

Add New

Click to add a domain.

Included Routes (Added Routes)

Only available for device-level VPN. Configured routes are set to the TUN interface. If routes are not configured, Tunnel uses 0.0.0.0/0.

Enter list of IPv4 ranges in CIDR format.

For multiple values, enter a semicolon separated list.

DNS Resolver IPs

Only for packet tunnel provider type.

Enter a domain name server (DNS) to resolve the IP address. IPv4 only.

For multiple values, enter a semicolon separated list. Ensure that the DNS is routable if the default route in not used.

If DNS is not configured, the Sentry DNS is used.

DNS Search Domain List

Only for packet tunnel provider type.

Enter DNS search domains for resolving the domain names.

For multiple values, enter a semicolon separated list.

Match Domain List

Only for packet tunnel provider type.

Enter domains for the VPN DNS to resolve.

For multiple values, enter a semicolon separated list.

Custom Data

Enter Key Value pair to configure the MobileIron Tunnel VPN disconnect, debug, and timeout behavior.

See Additional configurations using key-value pairs for MobileIron Tunnel.