Custom data key-value pairs for Ivanti Tunnel for Android native and Samsung Knox Workspace

The following table provides a description of the custom data key-value pairs.

**Table 7.** Tunnel configuration key-value pairs description
Key	Value: Enter	Description
Manage Tunnel timeout
TcpIdleTmoMs	An integer	The Tunnel TCP session idle timeout, on Standalone Sentry, in milliseconds. Tunnel sends this value to Standalone Sentry during the initial handshake in header X-App-TcpIdleTimeoutMs. If this key-value pair is not configured, the default value is 3600000 milliseconds (one hour). Frequently, in production environments, there are firewalls and load balancers between the device and Standalone Sentry. Each network element may have a different idle timeout, shorter than the timeout for Standalone Sentry. Ivanti recommends that the value for TcpIdleTmoMs is less than the idle timeout for all the other network elements. As an alternative, consider configuring TCP keep-alive.
VPN connection
AllowBypass (Android native only)	true false	true: Allows all apps to bypass this VPN connection. Apps may use methods such as setProcessDefaultNetwork(Network) to send and receive directly over the underlying network or any other network for which they have permissions. false: Default, if the key-value pair is not configured. All traffic from apps is forwarded through the VPN interface. Apps cannot bypass the VPN.
SplitDomainsList	List of domain suffixes separated a semicolon (;)	Example: acme.com; google.com DNS requests with domains matching the values are sent to the DNS for the VPN. DNS requests with non-matching domains are sent to the device's DNS. Example: All DNS queries that match .company.com are handled by the VPN DNS server, but all other queries are handled by the device network DNS i.e. not the VPN DNS server. The DNS handler for the Tunnel plugin decides which DNS request will be sent to which DNS server, based on the configured domains: All sub domains are matched. Example: example.com matches example.com, staf.example.com, and jira.example.com The configured domain is considered completed with top domains. Anything to the right of the top domain is omitted. Example: example.com does not match example.com.akamai.com Only complete domains are matched. Example: example.com does not match myexample.com '' and '?' are not valid characters for the configuration. The filtering is done on an IP packet level, therefore, DNS resolver functionality is not provided. The default behavior sends all DNS requests to the DNS for the VPN.
SplitUDPPortList	List of UDP ports separated by a semicolon (;)	List of UDP ports to send through Ivanti Tunnel VPN. All other UDP packets are sent directly to destination. If the key-value pair is not configured, all UDP packets are sent through Ivanti Tunnel VPN. Example 53;161-162;200-1024
MTU	An integer	Tunnel MTU. The default value if the key-value is not configured is 1400
quickRetryMaxAttempts	An integer	Number of attempts to reconnect to VPN. The default if the key-value pair is not configured is 3.
quickRetryIntervalSec	An integer	Time between attempts to reconnect to VPN in seconds. The default if the key-value pair is not configured is 1.
slowRetryIntervalSec	An integer	Time between attempts to reconnect to VPN in seconds. The default if the key-value pair is not configured is 60.
TcpKeepCount	An integer	The value configured specifies the number of unacknowledged probes for TCP keep-alive to send before the connection is considered as dead. The default value, if the key-value pair is not configured, is 20. The key is part of the Android operating system specifications.
TcpKeepIntervalSec	An integer	The value configured specifies the TCP keep-alive interval between subsequent failed keep-alive probes in seconds. The default value, if the key-value pair is not configured, is 2 seconds. The key is part of the Android operating system specifications.
AtpProbeIdleSec	An integer	Sets the minimum idle time, in seconds, after which probe packets are sent out with outbound Tunnel traffic. If Tunnel does not receive a response for at least one of the probes sent, the existing connection is dropped and a new connection is established with the server. The minimum idle time is based on the last inbound response received by Tunnel. For example, if the value is 60 seconds, if Tunnel does not receive any inbound traffic for 60 seconds, probe packets are sent with the next outbound Tunnel traffic. Default value if the key-value pair is not configured: 60 seconds
AtpProbeIntervalSec	An integer	Sets the interval, in seconds, between probe packets sent after the minimum idle time specified in AtpProbeIdleSec. Default value if the key-value pair is not configured: 1 second
AtpProbeCount	An integer	Sets the total count of the probe packets sent after the minimum idle time specified in AtpProbeIdleSec. Default value if the key-value pair is not configured: 5
Certificates
DisablePinning	true false	false: Default, if the key-value pair is not configured. Certificate pinning is enabled. true: Certificate pinning is disabled. Disabling certificate pinning is not recommended for security reasons. The Standalone Sentry server certificate is automatically pushed to the device.
Troubleshooting
UINotificationLevel	0 1 2	The user will see error notifications or all Tunnel related notifications, based on the level of notifications you configure. Configure one of the following levels of user notifications that the Tunnel app will provide: 0: Notifications or errors are not displayed, except if an error occurs upon establishing Tunnel. 1: Only errors notifications are displayed. This is the default setting if the key-value is configured. 2: Error notifications and connect/disconnect confirmations are displayed. There are no notifications to indicate that an app is blocked or allowed.
DebugLog	0 6 4 3 2	Controls the amount of logging. The client app can override the VPN profile. 0: Default setting if the key-value pair is not configured. Minimal level of logs are collected. 6: ERROR level 4: INFO level. 3: DEBUG level 2: VERBOSE level
AllowCapture	false true	Allows users to capture traffic in a PCAP file. false: Device users are not allowed to trigger inner traffic capture. true: Device users are allowed to trigger inner traffic capture and email the PCAP file. The default, if the key-value pair is not configured, is false. The PCAP file may contain sensitive information.
debugInfoRecipient	Email address	The device debug logs are sent to the configured email address. When users tap Email Debug Info, the To field is auto filled with the value configured for debugInfoRecipient.
EnableUserControl	true false	true: Tunnel VPN is enabled. The option to enable or disable Tunnel VPN is available to the device user. false: Tunnel VPN is enabled. The option to enable or disable Tunnel VPN is not available to the device user. Default value if the key-value pair is not configured: true The key-value pair is not applicable to Tunnel deployed in the Samsung Knox workspace. By default, device users in the Samsung Knox workspace do not have the option to enable or disable Tunnel VPN.
DefaultMaxNumLogs	An integer	Sets the maximum number of log files. The default if the key-value pair is not configured is 8.
DefaultMaxPcapSize	An integer	Sets the maximum pcap file size in bytes. The default if the key-value pair is not configured is 2097152.
DefaultMaxNumPcaps	An integer	Sets the maximum number of pcap files. The default if the key-value pair is not configured is 10.
AnalyticsEnabled	true false	true: Enables collection of analytics data for Mixpanel. false:Collection of analytics data is disabled. Default value if the key-value pair is not configured: true.
SendDeviceID	true false	true: Ivanti Tunnel provides the device ID to Access. The device ID is reported on Access in Reports > Errors. false: Ivanti Tunnel does not provide the device ID to Access. The key-value pair is useful in identifying devices that encounter connection errors when authenticating through Access. Default value if the key-value pair is not configured: false
Tethering
ExcludeTethering	true false	true: Ivanti Tunnel VPN continues to work on the tethered host device without impacting the tethering client connection. false: Ivanti Tunnel VPN may impact the tethering client connection. Default value if the key-value pair is not configured: false This key-value pair may be required for Ivanti Tunnel for Android native only. If the KVP is configured to true, ensure that internal IP ranges do not overlap with the IP ranges used by the tethering client. Avoid the following IP ranges: 192.168.42.0/23 (192.168.42.0 ~ 192.168.43.255) 192.168.44.0/22 (192.168.44.0 ~ 192.168.47.255) 192.168.48.0/23 (192.168.48.0 ~ 192.168.49.255) Tethering traffic from client devices does not go through the VPN of the host device.