Controlling VPN traffic

Tunnel VPN on Android native and Android enterprise devices is always on. App traffic is allowed or disallowed based on the allowed list (whitelist) or disallowed list (blacklist), and on the routes the administrator sets up in the Tunnel VPN configuration. On Android this per-app list is enforced on the device; Standalone Sentry receives no per-app information and so cannot enforce it (see Table 1).

The following table compares the behavior of Tunnel for Android with Tunnel for iOS.

Table 1. Comparison between Tunnel for Android and iOS

Activating Tunnel
  Behavior on Android: When Tunnel is first launched on Android native devices, device users must accept the Tunnel VPN connection request and allow access to the Tunnel certificate. This does not apply to Android enterprise and Samsung Knox devices.
  Behavior on iOS: If the Tunnel VPN profile is installed on the device, the Tunnel VPN connection is turned on automatically when the user taps a supported managed app and the app attempts to connect to a backend resource. In rare cases, if the VPN connection does not turn on, the user can turn on VPN manually in the Tunnel app; the IT administrator tells users whether this is needed.

Automatic Tunnel triggering
  Behavior on Android: By default, Tunnel VPN is always on for Android native and Android enterprise; no user action is required after the initial activation. If the user disables Tunnel, it is not triggered automatically again and the user must re-enable it. In the Knox container, on-demand VPN is triggered by managed apps.
  Behavior on iOS: Managed apps or Safari domains can automatically trigger a Tunnel VPN session.

Allowing app traffic
  Behavior on Android: The admin must create an allowed list or an exclusion (disallowed) list to allow or block app traffic.
  Behavior on iOS: The admin must make apps managed and assign Tunnel to them to enable their traffic through Tunnel.

Domain name triggers
  Behavior on Android: Tunnel VPN is always on; there is no domain-based triggering of VPN on Android devices.
  Behavior on iOS: Safari can trigger Tunnel using domain names.

Per-app allow/block list
  Behavior on Android: No per-app information is sent to Standalone Sentry, so Sentry cannot enforce allow/block lists at a per-app level.
  Behavior on iOS: Tunnel sends per-app information to Sentry, so Sentry can enforce blocking at a per-app level.

Notifications
  Behavior on Android: Tunnel can notify users of various events (connect/disconnect, allow/block).
  Behavior on iOS: When the device is out of compliance, per-app Tunnel VPN cannot notify the user that traffic is blocked.

UDP support
  Behavior on Android and iOS: Standalone Sentry supports only limited types of UDP traffic, such as DNS. Audio and video traffic through Standalone Sentry is not supported; therefore MobileIron recommends configuring SplitUDPPortList to manage UDP traffic.

ICMP support
  Behavior on Android and iOS: ICMP is not supported.

IPv6
  Behavior on Android and iOS: IPv6 is not supported.
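The following is an added, illustrative model of the Android-side decision described at the top of this page (per-app allowed/disallowed list plus admin routes) together with the UDP, ICMP and IPv6 limits from Table 1. It is not MobileIron code and does not reflect Tunnel's internal implementation. Package names, route prefixes and port numbers are constructed; the field and function names are the model's own. The only assumption about a real setting is that UDP destination ports listed in SplitUDPPortList are kept out of the tunnel, so the model treats them as "bypass". A "bypass" result only means Tunnel does not carry the flow; whether the platform then sends it directly or drops it depends on device settings the page does not describe.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class TunnelPolicy:
    """Hypothetical policy object; field names are this model's, not Tunnel config keys."""
    mode: str                                  # "allow": only listed apps use Tunnel; "block": listed apps are excluded
    apps: frozenset[str]                       # package names on the allowed or disallowed list
    routes: tuple[str, ...]                    # IPv4 routes the admin pushes to the VPN interface
    split_udp_ports: frozenset[int] = frozenset()   # assumed SplitUDPPortList semantics: UDP dst ports kept out of the tunnel
    networks: list = field(init=False, default_factory=list)

    def __post_init__(self) -> None:
        if self.mode not in ("allow", "block"):
            raise ValueError("mode must be 'allow' or 'block'")
        self.networks = [ipaddress.ip_network(r, strict=True) for r in self.routes]


def app_uses_tunnel(policy: TunnelPolicy, package: str) -> bool:
    """Per-app list, evaluated on the device (on Android, Sentry never sees the package)."""
    listed = package in policy.apps
    return listed if policy.mode == "allow" else not listed


def route_captured(policy: TunnelPolicy, dst: ipaddress.IPv4Address) -> bool:
    """Only destinations inside the pushed routes are steered into the VPN interface."""
    return any(dst in net for net in policy.networks)


def decide(policy: TunnelPolicy, package: str, dst: str, proto: str, dport: int | None = None) -> str:
    """Classify one flow as 'tunnel', 'bypass' (not carried by Tunnel) or 'unsupported'."""
    addr = ipaddress.ip_address(dst)
    if addr.version == 6:
        return "unsupported"        # Table 1: IPv6 is not supported
    if proto == "icmp":
        return "unsupported"        # Table 1: ICMP is not supported
    if not app_uses_tunnel(policy, package):
        return "bypass"             # app is filtered out before its traffic reaches the VPN interface
    if not route_captured(policy, addr):
        return "bypass"             # destination lies outside the admin's routes
    if proto == "udp" and dport in policy.split_udp_ports:
        return "bypass"             # assumed: SplitUDPPortList ports are sent outside Sentry
    return "tunnel"                 # everything else is carried to Standalone Sentry


# Constructed sample policy: allowed list with two hypothetical apps, two internal routes,
# and SIP signalling ports split out of the tunnel (audio/video through Sentry is unsupported).
SAMPLE_POLICY = TunnelPolicy(
    mode="allow",
    apps=frozenset({"com.example.mail", "com.example.crm"}),
    routes=("10.0.0.0/8", "192.168.50.0/24"),
    split_udp_ports=frozenset({5060, 5061}),
)

if __name__ == "__main__":
    flows = [
        ("com.example.mail", "10.1.2.3", "tcp", 443),
        ("com.example.game", "10.1.2.3", "tcp", 443),
        ("com.example.mail", "93.184.216.34", "tcp", 443),
        ("com.example.mail", "10.1.2.3", "udp", 53),
        ("com.example.mail", "10.1.2.3", "udp", 5060),
        ("com.example.mail", "10.1.2.3", "icmp", None),
        ("com.example.mail", "2001:db8::1", "tcp", 443),
    ]
    for pkg, dst, proto, port in flows:
        print(f"{pkg:20} {dst:16} {proto:4} {str(port):5} -> {decide(SAMPLE_POLICY, pkg, dst, proto, port)}")
```

The check order matters: the app filter and the route table are applied before the UDP split, so an allowed app sending DNS over UDP to an internal resolver is tunneled while the same app's SIP traffic on a split port is not, and a listed app talking to an address outside the routes never enters the tunnel at all. Swap the policy to mode "block" and the same evaluator models an exclusion list.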