Before you configure MobileIron Tunnel for Android enterprise (Core and Cloud)

Before you configure Tunnel, ensure that you have met the requirements and have read the recommendations and limitations listed in this section.

Required components for deploying Tunnel for Android enterprise

The following components are required for a MobileIron Tunnel deployment on Android enterprise devices:

Standalone Sentry with AppTunnel enabled or MobileIron Access
MobileIron UEM with the following:
- MobileIron UEM enabled for Android enterprise
- Users have Android enterprise-capable device.
  MobileIron UEM is MobileIron Core or MobileIron Cloud.
MobileIron client for Android enterprise:
- MobileIron Core: Mobile@Work
- MobileIron Cloud: MobileIron Go

NOTE:

MobileIron Tunnel for Android enterprise and Mobile@Work for Android are available from the Google Play store.

For supported versions see the MobileIron Tunnel for Android Release Notes for this release.

The following are required for deploying Tunnel for Android enterprise:

Your MobileIron Cloud must be set up for Android enterprise. For more information, see:
- MobileIron Core: MobileIron Core Device Management Guide for Android and Android enterprise.
- MobileIron Cloud: Getting Started with Android for Work.
If your deployment uses Standalone Sentry:
- You must have installed Standalone Sentry. See the Standalone Sentry Installation Guide.
- Standalone Sentry must be set up for AppTunnel using Identity certificates for device authentication.
  For information about setting up a Standalone Sentry for AppTunnel, see:
  MobileIron Cloud: MobileIron Sentry Guide for Cloud.
  MobileIron Core: MobileIron Sentry Guide for Core.
If your deployment uses MobileIron Access, ensure that MobileIron Access is set up.
See the MobileIron Access Guide for information on how to set up MobileIron Access.
Ensure that the appropriate ports are open.
See the MobileIron Tunnel for Android Release Notes.

The following are recommendations for deploying MobileIron Tunnel for Android enterprise:

MobileIron strongly recommends that Standalone Sentry use a publicly trusted CA certificate. Android version 7 through the latest versions as supported by MobileIron does not accept self-signed certificates.
If your deployment includes Android 5 and 6 devices, and if Standalone Sentry uses a self-signed certificate, see Using a Self-signed certificate with Standalone Sentry and MobileIron Tunnel knowledge base article in the MobileIron Support and Knowledge Base portal at
https://community.mobileiron.com/docs/DOC-1713. The configuration sections describe the use of MobileIron Core UI. However for MobileIron Cloud as well, create a certificate setting and upload the Sentry server certificate to MobileIron Cloud and distribute the certificate setting to devices.
If access to the ActiveSync server is going through Standalone Sentry, configure Tunnel so that email clients are excluded from being routed through Tunnel.

The following are limitations of MobileIron Tunnel for Android enterprise:

Deployments that use a trusted front-end such as Apache/F5 to terminate SSL or the use of backend proxy from Standalone Sentry to upstream applications are not supported. (Cloud only)
Front-end load balancer to Standalone Sentry is expected to work but has not been tested.
Performance depends on the apps using Standalone Sentry. As a best practice, monitor Standalone Sentry usage and add more Standalone Sentry servers as needed for horizontal scaling.
Server authentication through Standalone Sentry with Kerberos is not supported.
Standalone Sentry supports only limited types of UDP traffic,such as DNS traffic. Audio and video traffic through Standalone Sentry is not supported.