Before you configure MobileIron Tunnel for Samsung Knox

Before you configure Tunnel, ensure that you have met the requirements and have read the recommendations and limitations listed in this section.

Required components for Tunnel for Samsung Knox

The following components are required for deploying Tunnel for Samsung Knox:

  • Standalone Sentry with AppTunnel enabled.
  • MobileIron Core with the following:
    • Enabled for Samsung Knox. Ensure that the Samsung general policy is configured with the license for Samsung Knox.
    • Users have a Samsung Knox-capable device.
  • MobileIron Tunnel for Android.
  • MobileIron client for Android: Mobile@Work.
NOTE: MobileIron Tunnel and Mobile@Work for Android are available from the Google Play store.

For supported versions, see the MobileIron Tunnel for Android Release Notes for this release.

Requirements for Tunnel for Samsung Knox

The following are required for deploying Tunnel for Samsung Knox:

  • Set up MobileIron Core for Samsung Knox. For more information, see the “Samsung Knox support” section in the MobileIron Core Device Management Guide for Android.
  • Install Standalone Sentry. See the Standalone Sentry Installation Guide.
  • Set up Standalone Sentry for AppTunnel using identity certificates for device authentication.
    For information about setting up a Standalone Sentry for AppTunnel, see the “Working with Standalone Sentry for AppTunnel” section in the MobileIron Sentry Guide for MobileIron Core.
  • Add the apps that will use the Tunnel VPN to the app catalog on MobileIron Core and to the Samsung Knox container.
    For information about adding apps to the MobileIron Core app catalog, see the “Adding Google Play apps for Android” and “Apps on Samsung Knox devices” sections in the MobileIron Core Apps@Work Guide.

Recommendations for Tunnel for Samsung Knox

Android 7 devices do not accept self-signed certificates. Therefore, MobileIron strongly recommends that Standalone Sentry use a publicly trusted CA certificate.

Limitations for Tunnel for Samsung Knox

The following are limitations of MobileIron Tunnel for Samsung Knox:

  • A front-end load balancer to Standalone Sentry is expected to work but has not been tested.
  • Performance depends on the applications using Standalone Sentry. As a best practice, monitor Standalone Sentry usage and deploy additional Sentry servers as needed for horizontal scaling.
  • The Certificate Enrollment created for Standalone Sentry setup for AppTunnel must use an RSA key length of 2048 because of a Knox limitation.
  • Routes configured in the Knox VPN configuration in MobileIron Core are ignored by Samsung Knox Workspace. Route lists are not supported in the Knox Workspace. All traffic from an app that uses Tunnel VPN goes over Tunnel.
  • Server authentication through Standalone Sentry with Kerberos is not supported.
  • Standalone Sentry supports only limited types of UDP traffic, such as DNS traffic. Audio and video traffic through Standalone Sentry is not supported. Therefore, MobileIron recommends configuring SplitUDPPortList to manage UDP traffic.
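
The self-signed certificate recommendation and the RSA 2048 limitation above can both be checked on exported PEM files before rollout. The following is an added example that uses the openssl CLI and is not MobileIron tooling; the function names, role names and file names are assumptions, and the sample certificates are constructed locally.

```shell
# Added example: certificate pre-flight checks using the openssl CLI.
# Function names, roles and file names are assumptions, not MobileIron tooling.

# Prints "self-signed" when subject and issuer match, otherwise "ca-issued".
cert_issuance() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 1
    iss=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
    if [ "$subj" = "$iss" ]; then echo self-signed; else echo ca-issued; fi
}

# Prints key algorithm and size, for example "rsaEncryption 2048".
cert_key() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | awk '
        /Public Key Algorithm:/ { alg = $NF }
        /Public-Key:/ { gsub(/[^0-9]/, ""); bits = $0 }
        END { if (alg == "") exit 1; print alg, bits }'
}

# Role "sentry": the server certificate must not be self-signed.
# Role "identity": the Certificate Enrollment output must be RSA 2048.
preflight() {
    case $1 in
        sentry)   [ "$(cert_issuance "$2")" = "ca-issued" ] ;;
        identity) [ "$(cert_key "$2")" = "rsaEncryption 2048" ] ;;
        *)        return 2 ;;
    esac
}

# Constructed sample input: a throwaway CA, an RSA 2048 certificate issued
# by it, and a self-signed RSA 3072 certificate, all generated locally.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sentry.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:3072 -nodes -days 1 -subj "/CN=selfsigned.example.test" \
        -keyout "$1/self.key" -out "$1/self.pem" 2>/dev/null
}

dir=$(mktemp -d)
make_samples "$dir"
for f in leaf self; do
    echo "$f.pem: $(cert_issuance "$dir/$f.pem"), $(cert_key "$dir/$f.pem")"
done
```

A result of "ca-issued" only rules out a self-signed certificate; whether the issuing CA is publicly trusted still has to be confirmed against the trust store the devices use.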