Tunnel for Android native configuration field description

The following table provides field descriptions for the Tunnel configuration. There are some variations in field names between MobileIron Core and MobileIron Cloud.

Table 1. Tunnel configuration field description

Item

Description

Name

Enter a name for the MobileIron Tunnel VPN profile.

Description

Enter a description for the profile.

Connection Type
(MobileIron Core)

Select MobileIron Tunnel (Android).

Only fields relevant to MobileIron Tunnel for Android are displayed.

Choose OS to create Tunnel Configuration
(MobileIron Cloud)

Click Android.

Fields relevant to MobileIron Tunnel for Android are displayed.

Enable Access
(MobileIron Core)

Select to enable authentication traffic through MobileIron Access.

The option is available only if Access as a service is set up with MobileIron Core. For information about how to set up Access as a service with MobileIron Core, see the MobileIron Access Guide.

Profile selection mode to use for this configuration
(MobileIron Cloud)

Select one of the following:

  • Sentry Profile Only: Select if Tunnel traffic goes only through Standalone Sentry.
  • MobileIron Access Profile Only: Select if Tunnel traffic goes to Access. This option is available only if an Access as a service deployment is set up with MobileIron Cloud.
  • MobileIron Sentry + Access Profile: Select if Tunnel VPN supports both traffic to Access for authentication to enterprise cloud resources and through Standalone Sentry to on-premise enterprise resources. This option is available only if an Access as a service deployment is set up with MobileIron Cloud.

Sentry (Profile)

Core: Select the Standalone Sentry on which you created the IP_ANY tunnel service.

Cloud: Select the Standalone Sentry profile on which you created the Tunnel service for Android. The option is not available if the profile mode is MobileIron Access Profile Only.

Sentry Service

(MobileIron Cloud)

Select the MobileIron Tunnel service you created for Android. The option is not available if the profile mode is MobileIron Access Profile Only.

Identity Certificate
(MobileIron Core)

Select the Certificate Enrollment setting you created for Sentry setup for AppTunnel.

Client Cert. Alias

(MobileIron Cloud)

Select the Identity Certificate configuration you created for Standalone Sentry setup.

If the profile mode is Access only or Sentry + Access, select the same certificate you select for SCEP Identity.

SCEP Identity

(MobileIron Cloud)

Select the Identity Certificate configuration you created for Tunnel.

This field is applicable if the profile mode is Access only or Sentry + Access.

Debug Info Recipient

(MobileIron Cloud)

For MobileIron Core, the setting is configured using key-value pairs in Custom Data.

Enter a valid email address. The device debug logs are sent to the configured email address.

When users tap Email Debug Info, the To field is automatically filled with the configured email address.

UI Notification Level

(MobileIron Cloud)

For MobileIron Core, the setting is configured using key-value pairs in Custom Data.

The user will see error notifications or all Tunnel related notifications, based on the level of notifications you configure.

  • Never show notifications: Notifications or errors are not displayed, except if an error occurs upon establishing Tunnel.
  • Error notifications only: Only error notifications are displayed. This is the default setting if the key-value is configured.
  • All notifications: Error notifications and connect/disconnect confirmations are displayed.
NOTE: There are no notifications to indicate that an app is blocked or allowed.

Debug Log

(MobileIron Cloud)

For MobileIron Core, the setting is configured using key-value pairs in Custom Data.

Select the log level. The client app can override the VPN profile.

Tunneled Applications

(MobileIron Core)

Select one, either Add Allowed Apps or Add Disallowed Apps, to configure the apps that can use MobileIron Tunnel.

If you select an app from the MobileIron app catalog, the package name is automatically added. Otherwise, enter the app name and the package name. If the list is empty, all apps are allowed through Tunnel VPN.

Add Allowed apps

Use this setting if you want only the listed apps to use Tunnel VPN.

Only apps in the MobileIron App Catalog can be added to the app list.

This setting creates a whitelist.

For MobileIron Cloud,

  • enter a semicolon (;) separated list.
  • if Allowed Apps List is configured, the Disallowed Apps List setting is grayed out and vice versa.

Add Disallowed apps

Use this setting if you do not want the listed apps to use Tunnel VPN.

Only apps that are not listed will use Tunnel VPN.

This setting creates a blacklist.

For MobileIron Cloud,

  • enter a semicolon (;) separated list.
  • if Allowed Apps List is configured, the Disallowed Apps List setting is grayed out and vice versa.

Routes List / Added Routes

Configure the network routes that are allowed through Tunnel.

Use CIDR format. Each entry in the list is separated by ‘;’. IPv4 only.

This enables split tunneling where only specific traffic can be taken through Tunnel. The routes configured only impact apps that use Tunnel.

Example: 10.0.0.0/8;101.210.48.9/32

NOTE: In an Access deployment, if routes are not configured, then authentication traffic that is federated through Access goes to Access and all data-traffic goes to Sentry.
MobileIron recommends configuring a route list so that only traffic destined to on-premise enterprise resources goes through Standalone Sentry and all other data traffic goes directly to the destination.

DNS Resolver IP

Configure the list of DNS servers for Tunnel.

Each entry is separated by ‘;’. IPv4 only.

The DNS servers configured here are different from the DNS servers for the original Wi-Fi or cellular connection. If needed, the administrator should set the appropriate routes to ensure that DNS routes the requests to the appropriate destination.

Search Domain

Enter a list of search domains for the DNS resolver, separated by a semicolon (;).

Custom Data

Add key-value pairs to configure the app. See Custom data key-value pairs for Tunnel for Android native and Samsung Knox Workspace for a description of the restrictions.
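
The Routes List and DNS Resolver IP fields above share one format (semicolon-separated, IPv4 only, CIDR for routes), so a profile can be checked before it is pushed to devices. The following is an added example, not MobileIron code; the function names are hypothetical, and the two advisory checks (a default route, and a DNS resolver outside every configured route) are assumptions about what an administrator would want flagged.

```python
import ipaddress

def parse_routes(field):
    """Return (networks, errors) for a ';'-separated IPv4 CIDR list."""
    networks, errors = [], []
    for entry in (e.strip() for e in field.split(";")):
        if "/" not in entry:
            errors.append(f"{entry!r}: not in CIDR format")
            continue
        try:
            # strict=True rejects host bits below the mask (10.1.2.3/8);
            # IPv6 input fails here too, matching the IPv4-only rule.
            networks.append(ipaddress.IPv4Network(entry, strict=True))
        except ValueError as exc:
            errors.append(f"{entry!r}: {exc}")
    return networks, errors

def parse_dns(field):
    """Return (addresses, errors) for a ';'-separated IPv4 address list."""
    resolvers, errors = [], []
    for entry in (e.strip() for e in field.split(";")):
        try:
            resolvers.append(ipaddress.IPv4Address(entry))
        except ValueError as exc:
            errors.append(f"{entry!r}: {exc}")
    return resolvers, errors

def lint_profile(routes_field, dns_field):
    """Return warnings for one profile's Routes List and DNS Resolver IP."""
    routes, warnings = parse_routes(routes_field) if routes_field.strip() else ([], [])
    resolvers, dns_errors = parse_dns(dns_field) if dns_field.strip() else ([], [])
    warnings += dns_errors
    for net in routes:
        if net.prefixlen == 0:
            warnings.append(f"{net}: default route disables split tunneling")
    if routes:  # advisory: resolver traffic would not match any tunnel route
        for ip in resolvers:
            if not any(ip in net for net in routes):
                warnings.append(f"{ip}: DNS resolver is not covered by any route")
    return warnings

if __name__ == "__main__":
    # Constructed sample: the page's route example plus two made-up resolvers.
    for w in lint_profile("10.0.0.0/8;101.210.48.9/32", "10.1.1.53;8.8.8.8"):
        print("WARN", w)
```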