Before you set up Ivanti Tunnel

Before you set up Ivanti Tunnel for iOS devices, see the following:

Required components for deploying Ivanti Tunnel for iOS

The following components are required for an Ivanti Tunnel deployment:

  • Standalone Sentry with AppTunnel enabled or Access.

  • Unified Endpoint Management (UEM) platform:

    • Ivanti EPMM


    • Ivanti Neurons for MDM

  • iOS devices registered with a UEM.

  • Client for iOS:

    • Mobile@Work for Ivanti EPMM deployments


    • Go for Ivanti Neurons for MDM deployments


    • AppStation for Ivanti Neurons for MDM MAM-only deployments

      For information about deploying AppStation for MAM-only, see AppStation for iOS Guide.

For supported versions see the Ivanti Tunnel for iOS Release Notes.

Requirements for configuring Ivanti Tunnel for iOS

Ensure the following before configuring Ivanti Tunnel for iOS:

  • If your deployment uses Standalone Sentry:
    • You have installed Standalone Sentry. See the Standalone Sentry Installation Guide.
    • Standalone Sentry is set up for AppTunnel using identity certificates for device authentication.
      For information about setting up a Standalone Sentry for AppTunnel, see Sentry Guide for your Unified Endpoint Management (UEM) platform.
    • The Standalone Sentry IP address is publicly accessible.
    • The Standalone Sentry name is registered in DNS.
    • To tunnel IP traffic, ensure that you have created an IP_ANY service.
    • For documentation, see Standalone Sentry product documentation.
  • Standalone Sentry is required for packet tunnel provider with per-app VPN.
  • If your deployment uses Access, ensure that Access is set up. See the Access Guide for information on how to set up Access. For documentation, see Access product documentation.
  • The appropriate ports are open.
    See the Ivanti Tunnel for iOS Release Notes.

Recommendations for setting up Ivanti Tunnel for iOS

Review the following recommendations for setting up Ivanti Tunnel for iOS.

Standalone Sentry

Ivanti recommends that Standalone Sentry use a trusted CA certificate. If Standalone Sentry uses a self-signed certificate, you must do the following additional setup in Ivanti EPMM:

  • In the Services > Sentry page, for the Standalone Sentry, click the View Certificate link. This makes the Standalone Sentry’s certificate known to Ivanti EPMM.
  • Follow the instructions in the Using a Self-signed certificate with Standalone Sentry and Ivanti Tunnel knowledge base article in the Support and Knowledge Base portal at
    Using a self signed certificate with Standalone Sentry and Ivanti Tunnel
    If the self-signed certificate is changed at any time, you must push the changed certificate to the device, otherwise there may be a disruption in service. Therefore, Ivanti recommends using a certificate from a trusted certificate authority for the Standalone Sentry.

UDP traffic

Standalone Sentry supports only limited types of UDP traffic, such as DNS traffic. Audio and video traffic through Standalone Sentry is not supported.

To limit the UDP traffic through Standalone Sentry, gather a list of destination UDP ports that should be tunneled through Ivanti Tunnel VPN. All other UDP traffic is, therefore, not tunneled. Configure the SplitUDPPortList key-value pair to limit the UDP traffic through Ivanti Tunnel.