Before you set up MobileIron Tunnel

Before you set up MobileIron Tunnel for iOS devices, see the following:

Required components for deploying MobileIron Tunnel for iOS

The following components are required for a MobileIron Tunnel deployment:

  • Standalone Sentry with AppTunnel enabled or MobileIron Access.

  • MobileIron unified endpoint management (UEM) platform:

    • MobileIron Core


    • MobileIron Cloud

  • iOS devices registered with a MobileIron UEM.

  • MobileIron client for iOS:

    • [email protected] for MobileIron Core deployments


    • MobileIron Go for MobileIron Cloud deployments


    • MobileIron AppStation for MobileIron Cloud MAM-only deployments

      For information about deploying MobileIron AppStation for MAM-only, see AppStation for iOS Guide.

For supported versions see the MobileIron Tunnel for iOS Release Notes.

Requirements for configuring MobileIron Tunnel for iOS

Ensure the following before configuring MobileIron Tunnel for iOS:

  • If your deployment uses Standalone Sentry:
    • You have installed Standalone Sentry. See the Standalone Sentry Installation Guide.
    • Standalone Sentry is set up for AppTunnel using identity certificates for device authentication.
      For information about setting up a Standalone Sentry for AppTunnel, see MobileIron Sentry Guide for your MobileIron unified endpoint management (UEM) platform.
    • The Standalone Sentry IP address is publicly accessible.
    • The Standalone Sentry name is registered in DNS.
    • To tunnel IP traffic, ensure that you have created an IP_ANY service.
    • For documentation, see Standalone Sentry product documentation.
  • Standalone Sentry is required for packet tunnel provider with per-app VPN.
  • If your deployment uses MobileIron Access, ensure that MobileIron Access is set up. See the MobileIron Access Guide for information on how to set up MobileIron Access. For documentation, see MobileIron Access product documentation.
  • The appropriate ports are open.
    See the MobileIron Tunnel for iOS Release Notes.

Recommendations for setting up MobileIron Tunnel for iOS

Review the following recommendations for setting up MobileIron Tunnel for iOS.

Standalone Sentry

MobileIron recommends that Standalone Sentry use a trusted CA certificate. If Standalone Sentry uses a self-signed certificate, you must do the following additional setup in MobileIron Core:

  • In the Services > Sentry page, for the Standalone Sentry, click the View Certificate link. This makes the Standalone Sentry’s certificate known to MobileIron Core.
  • Follow the instructions in the Using a Self-signed certificate with Standalone Sentry and MobileIron Tunnel knowledge base article in the MobileIron Support and Knowledge Base portal at
    If the self-signed certificate is changed at any time, you must push the changed certificate to the device, otherwise there may be a disruption in service. Therefore, MobileIron recommends using a certificate from a trusted certificate authority for the Standalone Sentry.

UDP traffic

Standalone Sentry supports only limited types of UDP traffic, such as DNS traffic. Audio and video traffic through Standalone Sentry is not supported.

To limit the UDP traffic through Standalone Sentry, gather a list of destination UDP ports that should be tunneled through Tunnel VPN. All other UDP traffic is, therefore, not tunneled. Configure the SplitUDPPortList key-value pair to limit the UDP traffic through Tunnel.