Ivanti Tunnel configuration field description for Android Enterprise

The following table describes the configuration fields for Ivanti Tunnel for Android Enterprise.

Table 8.  Configuration field description for Ivanti Tunnel for Android Enterprise

Restriction

Description

Ivanti Tunnel profile mode

(Ivanti Neurons for MDM)

Select one of the following:

  • Sentry Profile Only: Select if Tunnel traffic goes only through Standalone Sentry.
  • Access Profile Only: Select if Tunnel traffic goes only to Access. This option is available only if an Access as a service deployment is set up with Ivanti Neurons for MDM.
  • Sentry + Access Profile: Select if Ivanti Tunnel VPN carries both traffic to Access for authentication to enterprise cloud resources and traffic through Standalone Sentry to on-premise enterprise resources. This option is available only if an Access as a service deployment is set up with Ivanti Neurons for MDM.

Sentry Server

Specify the FQDN for the Sentry server that is configured with the IP_ANY service. Configure Sentry Server if you selected one of the following Ivanti Tunnel profile modes:

  • Sentry Profile Only
  • Sentry + Access Profile

AllowedAppList

Optional. Use only if DisallowedAppList is empty. Applies only to apps in the Android Enterprise work profile.

Provide a list of apps in the Android Enterprise work profile that are allowed to use the Ivanti Tunnel VPN connection by supplying the app package names, separated by ‘;’.

Example: com.salesforce.chatter;com.appexample.two

If AllowedAppList has one or more entries, only the apps in the list can use the VPN; every other app in the work profile sends its traffic over the device's native network.

This is a whitelist.

DisallowedAppList

Optional. Use only if AllowedAppList is empty. Applies only to apps in the Android Enterprise work profile.

Provide a list of apps in the Android Enterprise work profile that are prevented from using Tunnel by supplying the app package names, separated by ‘;’.

Example: com.salesforce.chatter;com.appexample.two

If AllowedAppList is empty, all apps can use the VPN except the apps in DisallowedAppList.

This is a blacklist.

Configuration conditions:

  • Both DisallowedAppList and DNSResolverIP configured:
    • DNS for DisallowedAppList apps is resolved by the device DNS, not by DNSResolverIP, regardless of the SplitDomainsList priority setting.
    • Anti-phishing URLs are not blocked for DisallowedAppList apps, because their traffic bypasses Tunnel.

AllowBypass

Select to allow all apps to bypass this Ivanti Tunnel VPN. With this option set, an app that explicitly binds to a non-VPN network (for example through the Android ConnectivityManager API) can send and receive traffic outside Tunnel, so per-app routing and DNS controls no longer apply to that traffic. Leave it cleared unless a specific app requires it.

AddedRoutes

Enter the network routes that are allowed through Ivanti Tunnel.

Use CIDR format. Separate entries with a semicolon (;). IPv4 only.

This enables split tunneling: only traffic to the listed routes is sent through Tunnel, and everything else goes directly to its destination. The routes affect only apps that use Tunnel.

Example: 10.0.0.0/8;101.210.48.9/32

In an Access deployment, if routes are not configured, then authentication traffic that is federated through Access goes to Access and all data-traffic goes to Sentry.
Ivanti recommends configuring a route list so that only traffic destined to on-premise enterprise resources goes through Standalone Sentry and all other data traffic goes directly to the destination.

ExcludedRoutes

Excludes network routes from the VPN interface so that traffic to them goes out over the device's native network instead of through Tunnel. This setting maps to the Android VpnService.Builder.excludeRoute(IpPrefix) API, available from Android API level 33 (Android 13); an excluded route overrides an AddedRoutes entry for the same destination.

If several routes match a packet's destination, the route with the longest prefix takes precedence.
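The following is an added example, not code from Ivanti or from the Tunnel client, that models how the AllowedAppList/DisallowedAppList, AddedRoutes and ExcludedRoutes fields above combine: the app list decides whether an app uses Tunnel at all, and a longest-prefix lookup over the added and excluded routes decides whether a given destination goes through Tunnel or out the native network. The evaluation order, the class and function names (TunnelPolicy, packet_uses_tunnel and so on) and the 10.10.0.0/16 exclusion are assumptions made for illustration; the package names and the 10.0.0.0/8;101.210.48.9/32 route list are the examples from the table.

```python
"""Added example (not Ivanti's code): models how AllowedAppList /
DisallowedAppList, AddedRoutes and ExcludedRoutes combine to decide whether
a packet from a given work-profile app traverses Ivanti Tunnel.

Assumptions: the evaluation order (app list first, then longest-prefix route
lookup), the class and function names, and the sample excluded route are the
author's for illustration, not Ivanti's documented behaviour.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

ANY_IPV4 = ipaddress.IPv4Network("0.0.0.0/0")


def parse_list(value: str) -> list[str]:
    """Split a ';'-separated field, dropping blanks and surrounding spaces."""
    return [item.strip() for item in value.split(";") if item.strip()]


def parse_routes(value: str) -> list[ipaddress.IPv4Network]:
    """Parse a ';'-separated CIDR list. The table says IPv4 only, so IPv6 is rejected."""
    routes = []
    for cidr in parse_list(value):
        net = ipaddress.ip_network(cidr, strict=False)
        if not isinstance(net, ipaddress.IPv4Network):
            raise ValueError(f"IPv4 only: {cidr}")
        routes.append(net)
    return routes


@dataclass
class TunnelPolicy:
    allowed_apps: list[str] = field(default_factory=list)
    disallowed_apps: list[str] = field(default_factory=list)
    added_routes: list[ipaddress.IPv4Network] = field(default_factory=list)
    excluded_routes: list[ipaddress.IPv4Network] = field(default_factory=list)

    def __post_init__(self) -> None:
        # The table says to use one list only while the other is empty.
        if self.allowed_apps and self.disallowed_apps:
            raise ValueError("AllowedAppList and DisallowedAppList are mutually exclusive")

    def app_uses_tunnel(self, package: str) -> bool:
        """Whitelist wins if present; otherwise everything except the blacklist."""
        if self.allowed_apps:
            return package in self.allowed_apps
        return package not in self.disallowed_apps

    def route_uses_tunnel(self, dest: str) -> bool:
        """Longest-prefix match over AddedRoutes (tunnel) and ExcludedRoutes (direct).
        No AddedRoutes means a full tunnel, i.e. a 0.0.0.0/0 route into Tunnel.
        On equal prefix length the exclusion wins, as excludeRoute overrides addRoute."""
        addr = ipaddress.IPv4Address(dest)
        table = [(net, True) for net in (self.added_routes or [ANY_IPV4])]
        table += [(net, False) for net in self.excluded_routes]
        matches = [(net.prefixlen, via_tunnel) for net, via_tunnel in table if addr in net]
        if not matches:
            return False  # no Tunnel route: the packet goes out the native network
        _, via_tunnel = max(matches, key=lambda m: (m[0], not m[1]))
        return via_tunnel

    def packet_uses_tunnel(self, package: str, dest: str) -> bool:
        return self.app_uses_tunnel(package) and self.route_uses_tunnel(dest)


def example_policy() -> TunnelPolicy:
    """Constructed sample: the page's AllowedAppList and AddedRoutes examples,
    plus an assumed ExcludedRoutes entry carving a /16 out of the 10.0.0.0/8 route."""
    return TunnelPolicy(
        allowed_apps=parse_list("com.salesforce.chatter;com.appexample.two"),
        added_routes=parse_routes("10.0.0.0/8;101.210.48.9/32"),
        excluded_routes=parse_routes("10.10.0.0/16"),  # assumed value, not from the page
    )


if __name__ == "__main__":
    policy = example_policy()
    for pkg, ip in [("com.salesforce.chatter", "10.1.2.3"),
                    ("com.salesforce.chatter", "10.10.5.5"),
                    ("com.salesforce.chatter", "8.8.8.8"),
                    ("com.android.chrome", "10.1.2.3")]:
        print(pkg, ip, "tunnel" if policy.packet_uses_tunnel(pkg, ip) else "direct")
```

Running the script shows the practical consequence of a route list: the allowed app reaches 10.1.2.3 through Tunnel, its traffic to the excluded 10.10.0.0/16 and to 8.8.8.8 goes direct, and an app outside AllowedAppList never enters Tunnel regardless of destination. The mutual-exclusion check in `__post_init__` is the kind of validation worth adding to any tooling that generates these profiles, since the table only states the rule in prose.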

DNSResolverIP

Enter the IP addresses of the DNS servers Ivanti Tunnel should use. Separate entries with a semicolon (;). IPv4 only.

The DNS servers configured here are distinct from the DNS servers of the underlying Wi-Fi or cellular connection. If needed, the administrator should add the appropriate routes (see AddedRoutes) so that DNS requests reach these servers through Tunnel.

Configuration conditions:

  • DNSResolverIP Configured, AllowedAppList Not Configured: DNS resolved by IP in DNSResolverIP.

  • Both DNSResolverIP and AllowedAppList Configured:

    • Browsing with AllowedAppList app: DNS resolved by DNSResolverIP.

    • Browsing with non-AllowedAppList app: DNS resolved by device DNS.

SplitUdpPortList

 

SplitDomainsList

Enter a list of domain suffixes separated by a semicolon (;).

Example: mobileiron.com; google.com

DNS requests with domains matching the values are sent to the VPN's DNS. DNS requests with non-matching domains are sent to the device's DNS.

Example: All DNS queries that match *.company.com are handled by the VPN DNS server, but all other queries are handled by the device network DNS i.e. not the VPN DNS server.

The Ivanti Tunnel plugin's DNS handler decides which DNS request will be sent to which DNS server, based on the configured domains:

  • All subdomains are matched.
    Example: mobileiron.com matches mobileiron.com, taf.mobileiron.com, and jira.mobileiron.com
  • The configured domain is anchored at its top-level domain; it does not match a name that has further labels to the right of it.
    Example: mobileiron.com does not match mobileiron.com.akamai.com
  • Only complete domain labels are matched.
    Example: mobileiron.com does not match mymobileiron.com
  • '*' and '?' are not valid characters in the configuration.

Filtering is done at the IP packet level; Tunnel does not itself act as a DNS resolver.

The default behavior sends all DNS requests to the VPN's DNS Server.
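The following is an added example, not code from Ivanti or from the Tunnel plugin, that implements the SplitDomainsList matching rules listed above as a label-wise suffix comparison and then picks the DNS server a query would be sent to. The function names are the author's; the domain list and the test names are built from the examples in the table.

```python
"""Added example (not Ivanti's code): a label-wise suffix matcher that
implements the SplitDomainsList rules above, plus the resulting choice of
DNS server for a query. Function names are the author's; the sample
queries are constructed from the examples in the table.
"""
from __future__ import annotations


def parse_split_domains(value: str) -> list[str]:
    """Split the ';'-separated field, normalise case and a trailing dot, and
    reject the '*' and '?' characters the table says are not valid."""
    domains = []
    for item in value.split(";"):
        d = item.strip().lower().rstrip(".")
        if not d:
            continue
        if "*" in d or "?" in d:
            raise ValueError(f"wildcards are not valid in SplitDomainsList: {item.strip()!r}")
        domains.append(d)
    return domains


def matches_split_domain(query: str, configured: str) -> bool:
    """True when the configured domain equals the query or is a whole-label
    suffix of it. Comparing label lists rather than strings gives the table's
    rules directly: jira.mobileiron.com matches, mymobileiron.com does not
    (partial label), and mobileiron.com.akamai.com does not (labels to the
    right of the top-level domain)."""
    q = query.lower().rstrip(".").split(".")
    c = configured.lower().rstrip(".").split(".")
    return len(q) >= len(c) and q[-len(c):] == c


def dns_target(query: str, split_domains: list[str]) -> str:
    """Return 'vpn' (Tunnel's DNS) or 'device' (the Wi-Fi/cellular DNS).
    With no SplitDomainsList configured the default sends every query to the
    VPN DNS."""
    if not split_domains or any(matches_split_domain(query, d) for d in split_domains):
        return "vpn"
    return "device"


if __name__ == "__main__":
    domains = parse_split_domains("mobileiron.com; google.com")
    for name in ["mobileiron.com", "taf.mobileiron.com", "jira.mobileiron.com",
                 "mobileiron.com.akamai.com", "mymobileiron.com", "mail.google.com"]:
        print(f"{name:28} -> {dns_target(name, domains)}")
```

The label-list comparison is deliberate: a plain string `endswith` check would wrongly send mymobileiron.com to the VPN DNS, which is exactly the "only complete domains" rule the table calls out. Note also that queries for names outside the list are resolved by the device DNS and therefore leak to the local network's resolver, so internal hostnames that must stay private should be covered by an entry.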

IsSplitDomainsListisPriority

Determines which setting decides DNS resolution when both SplitDomainsList and DNSResolverIP are configured.

If ‘Yes’, SplitDomainsList takes priority and DNS is resolved according to the SplitDomainsList configuration.

If ‘No’, DNSResolverIP takes priority and DNS is resolved according to the DNSResolverIP configuration.

The default for IsSplitDomainsListisPriority is Yes.

Configuration conditions:

  • If SplitDomainsList Configured: DNS resolved by SplitDomainsList.

  • If SplitDomainsList Not Configured but DNSResolverIP Configured: DNS resolved by DNSResolverIP.

  • If Neither Configured: DNS resolved by Sentry DNS.

SearchDomain

Enter a list of search domains for DNS resolver separated by a semicolon (;).

SentryService (Ivanti Neurons for MDM only)

Name of the IP Tunnel service defined on Sentry.

SentryPort (Ivanti EPMM only)

The port on which Standalone Sentry accepts Tunnel connections. Typically 443.

ClientCertAlias

Ivanti EPMM

This is the certificate alias set up in Ivanti EPMM. The value is
$CERT_ALIAS:<name-of-SCEP>$
where <name-of-SCEP> is the Certificate Enrollment setting configured in Ivanti EPMM UI.

Example: $CERT_ALIAS:scepIdentityCert$
where scepIdentityCert is the name of the SCEP configured in Ivanti EPMM.

Ivanti Neurons for MDM

Select the Identity certificate setting you created.

SentryCertificate ( Ivanti EPMM only)

Copy and paste the Sentry certificate from the sentry-server-cert-chain.pem file.

This is required if DisablePinning is not selected.

For information on how to retrieve the sentry-server-cert-chain.pem file, see the KB article.

For an example of which section of the sentry-server-cert-chain.pem file to copy, see Example showing the Sentry certificate in the certificate chain.

DisablePinning

Disabling certificate pinning is not recommended for security reasons: without pinning, Tunnel no longer checks that the Sentry it connects to presents the certificate pasted in SentryCertificate, so a substituted certificate is not detected by that check. If selected, SentryCertificate is not required.

EnableUserControl

Select the check box to enable.

Enabled: Tunnel VPN is enabled. The option to enable or disable Tunnel VPN is available to the device user.

Disabled: Tunnel VPN is enabled. The option to enable or disable Tunnel VPN is not available to the device user.

enableOpenssl

Enable this parameter to reduce the reading and writing time to Sentry. It also enhances performance for low-end devices where the performance is limited by device or application speed.

UINotificationLevel

Choose one of the following levels of user notifications that the Tunnel app will provide:

  • Never show notifications: No notifications or errors are displayed, except an error that occurs while establishing Tunnel.
  • Error notifications only: Only error notifications are displayed.
  • All notifications: Error notifications and connect/disconnect confirmations are displayed.

The user will see error notifications or all Ivanti Tunnel related notifications, based on the level of notifications you choose.

There are no notifications to indicate that an app is blocked or allowed.

DebugLog

Controls the amount of logging. The client app can override the VPN profile.

  • Not configured (default): a minimal level of logs is collected.
  • ERROR level
  • INFO level
  • DEBUG level
  • VERBOSE level

TrafficVerboseLog

Captures traffic logs.

  • Off: Default setting. No logs are collected.
  • Minimal: Minimal logs are collected.
  • All: Detailed logs are collected.

Allow traffic capture

Allows users to capture traffic in a PCAP file.

The PCAP file may contain sensitive information: the capture records the apps' own traffic as it enters the VPN interface, so anything an app sends without its own encryption, along with destination addresses and DNS queries, appears in the file. Treat captures as confidential and enable this only for troubleshooting.

TcpIdleTmoMs

The Ivanti Tunnel TCP session idle timeout, on Standalone Sentry, in milliseconds.

Tunnel sends this value to Standalone Sentry during the initial handshake in header X-App-TcpIdleTimeoutMs. If this key-value pair is not configured, the default value is 3600000 milliseconds (one hour).

Frequently, in production environments, there are firewalls and load balancers between the device and Standalone Sentry. Each network element may have a different idle timeout, shorter than the timeout for Standalone Sentry. Ivanti recommends that the value for TcpIdleTmoMs is less than the idle timeout for all the other network elements.

As an alternative, consider configuring TCP keep-alive (see TcpKeepIdleSec) so that intermediate devices see periodic traffic on an otherwise idle session.

UdpIdleTmoMs

 

MTU

Enter an integer for Tunnel MTU.

The default value is 1400.

DebugInfoRecipient

Provide an email address.

The device debug logs are sent to the configured email address.

When users tap Email Debug Info, the To field is autofilled with the value configured for debugInfoRecipient.

quickRetryMaxAttempts

Number of attempts to reconnect to VPN.

The default is 3.

quickRetryIntervalSec

Time between attempts to reconnect to VPN in seconds.

The default is 1.

slowRetryIntervalSec

Time between attempts to reconnect to VPN in seconds.

The default is 60.

appRunningCheckIntervalSec

Time between app status checks in seconds.

By default this key is enabled with an interval of 60 seconds.

To disable this key, enter 0.

TcpKeepIdleSec

Enables or disables TCP keep-alive and specifies the interval between the last data packet sent and the first keep-alive probe in seconds. ACKs are not considered as data.

A value of 0 means TCP keep-alive is disabled.

The default value, if the key-value pair is not configured, is 0.

TCP keep-alive helps detect a dead tunnel connection and prevents most network load balancers and firewalls from idling out the connection. The Standalone Sentry TcpIdleTmoMs is not affected by TCP keep-alive.

The key corresponds to the TCP keep-alive settings defined by the Android operating system.

TcpKeepCount

The value configured specifies the number of unacknowledged probes for TCP keep-alive to send before the connection is considered as dead.

The default value, if the key-value pair is not configured, is 20.

The key is part of the Android operating system specifications.

TcpKeepIntervalSec

The value configured specifies the TCP keep-alive interval between subsequent failed keep-alive probes in seconds.

The default value, if the key-value pair is not configured, is 2 seconds.

The key is part of the Android operating system specifications.

AtpProbeIdleSec

Sets the minimum idle time, in seconds, after which probe packets are sent out with outbound Tunnel traffic. If Tunnel does not receive a response for at least one of the probes sent, the existing connection is dropped and a new connection is established with the server.

The minimum idle time is based on the last inbound response received by Tunnel. For example, if the value is 60 seconds, if Tunnel does not receive any inbound traffic for 60 seconds, probe packets are sent with the next outbound Tunnel traffic.

Default value if the key-value pair is not configured: 60 seconds

AtpProbeIntervalSec

Sets the interval, in seconds, between probe packets sent after the minimum idle time specified in AtpProbeIdleSec.

Default value if the key-value pair is not configured: 1 second

AtpProbeCount

Sets the total count of the probe packets sent after the minimum idle time specified in AtpProbeIdleSec.

Default value if the key-value pair is not configured: 5

AtpProbeIdleLimit

 

InternalDebugOption1

Use only if instructed by Support for troubleshooting purposes.

TunIP

Use only if instructed by Support for troubleshooting purposes.

MaxNumLogs

Specify the maximum number of log files.

The default is 8.

MaxNumPcaps

Specify the maximum number for pcap files.

The default is 10.

AnalyticsEnabled

Check to enable collection of analytics data for Mixpanel. The box is checked by default.

SaveAfwConfiguration

Enable this configuration only if requested by Support.

AutoBackgroundLaunch

Check to enable the Tunnel app to launch automatically. The app is launched without user interaction when a user tries to connect to a backend resource.

For the feature to work, ensure that always-on VPN is also enabled.

The feature is available on Android 7 (N), 8 (O), and 9 (P).

AllowPerAppTunnel

For internal use only. Do not use this setting.

ClientCertsNumInChain

The value designates the number of certificates in the certificate chain that are passed to Sentry or Access. By default, only the leaf certificate is used. Ivanti recommends not changing the default setting unless additional certificates need to be passed to Sentry or Access.

SendDeviceID

 

slowRetryMaxAttempts

Allows restarting the tunnel session. When the number of slow retry attempts reaches slowRetryMaxAttempts, the session stops and a new connection begins. If the key-value pair is not configured, the default value is 0, which disables automatic restart.