Additional configurations using key-value pairs for Ivanti Tunnel
Key-value pairs are used to customize Ivanti Tunnel for iOS app behavior. These key-value pairs define app behavior such as idle timeout, email address for sending debug information, and level of log detail that is collected.
The following table provides the key-value pairs for customizing Tunnel for iOS.
Key | Value
Manage Tunnel timeout |
disconnectTimeoutInSeconds | Enter 0 or a number between 5 and 18000. If the value is 0, the Tunnel VPN never disconnects itself; you have to disconnect the VPN manually in Tunnel. If the value is greater than 0, the Tunnel VPN disconnects after the number of seconds entered. Default if the key-value pair is not configured: 60 seconds.
TcpIdleTmoMs | Enter an integer between 5000 and 18000000. The timeout is measured in milliseconds and controls the idle session timeout for the TCP connection between the app and the backend server. Configure it if the backend server takes more than 60 seconds to respond to a request. Default with Standalone Sentry for per-app VPN if the key-value pair is not configured: 60 seconds. For packet tunnel, Ivanti recommends setting the idle timeout equal to or larger than the idle timeout of the enterprise server being accessed; if you do not know the server's idle timeout, set the value to 3600000.
Troubleshooting |
debugInfoRecipient | Enter the email address to which debug information is forwarded.
LogLevel | Enter the log level. Use one of the supported log level options, which are listed from the least to the most verbose level. Default if the key-value pair is not configured: info.
UseSecureEMail | Enter true. Tunnel then uses Email+ to send debug logs. If the key-value pair is not configured, Tunnel uses the native iOS email client to send debug logs.
SendDeviceID | Enter true. Tunnel then provides the device ID to Access, where it is reported in Reports > Errors. This is useful for identifying devices that encounter connection errors when authenticating through Access. Default if the key-value pair is not configured: false.
MaxLogFolderSize | Enables setting the maximum log folder size in MB. If the KVP is not set, the log folder size defaults to 10 MB.
EnableConsoleLogging | Enter true. Tunnel then also logs messages to the device console.
DNS and network |
PublicDNS | Enter a space-separated list of DNS servers that are reachable from the device. IPv4 and IPv6 addresses are supported. Because managed apps already have access to the DNS servers configured on the device, this KVP is needed only in rare cases. Example: 8.8.8.8 8.8.8.1
IPv6NetworkPrefix | IPv6 ULA (unique local address) network prefix to use for the internal NAT table.
DNS query for SRV record (for SSO with Kerberos) |
SRV_kerberos._tcp.DnsDomainName | DnsDomainName is the internal domain name of the KDC server. Enter the value as SRV Priority Weight Port Target, the standard SRV record fields: Priority and Weight select among multiple KDCs, Port is the KDC port, and Target is the KDC host name. Example value: SRV 0 100 88 kdc.example.com. SRV record derived from the key-value pair: _kerberos._tcp.DnsDomainName SRV 0 100 88 kdc.example.com. Ensure that the domain configured for DnsDomainName and for Target is also configured in Safari Domains in the Tunnel VPN configuration; configuring the domains in Safari Domains ensures that the traffic goes through Tunnel.
Certificates |
DisablePinning | false: default if the key-value pair is not configured; certificate pinning is enabled. true: certificate pinning is disabled. Disabling certificate pinning is not recommended for security reasons. The Standalone Sentry server certificate is automatically pushed to the device.
Packet-tunnel |
IPRoutes | IP routes for the iOS or macOS device VPN. Enter a semicolon-separated list of IP prefixes. Default if the key-value pair is not configured: 0.0.0.0/0 (all IPv4 traffic). Example: 10.0.0.0/8;172.16.0.0/16
ExcRoutes | IP routes that are excluded from IPRoutes. Example: 10.10.10.10/32
SplitUDPPortList | Enter a semicolon-separated list of UDP ports or port ranges to send through Tunnel VPN. All other UDP packets are sent directly to their destination. If the KVP is not configured, all UDP packets are sent through Tunnel VPN. Example: 53;161-162;200-1024. Standalone Sentry supports only limited types of UDP traffic, such as DNS; audio and video traffic through Standalone Sentry is not supported. Ivanti therefore recommends configuring SplitUDPPortList to manage UDP traffic.
MTU | Tunnel MTU. Default if the key-value pair is not configured: 1400.
TunIP | IP address of the VPN network interface. Configure only if the customer network overlaps the default interface address range. Example: 192.168.13.10
AtpProbeIdleSec | Sets the minimum idle time, in seconds, after which probe packets are sent with outbound Tunnel traffic. The idle time is measured from the last inbound response received by Tunnel. For example, with a value of 60, if Tunnel receives no inbound traffic for 60 seconds, probe packets are sent with the next outbound Tunnel traffic. If Tunnel receives no response to any of the probes, the existing connection is dropped and a new connection to the server is established. Default if the key-value pair is not configured: 60 seconds.
AtpProbeIntervalSec | Sets the interval, in seconds, between probe packets sent after the minimum idle time specified in AtpProbeIdleSec. Default if the key-value pair is not configured: 1 second.
AtpProbeCount | Sets the total number of probe packets sent after the minimum idle time specified in AtpProbeIdleSec. Default if the key-value pair is not configured: 5.
App proxy |
DirectLocalhost | Enter true when using app proxy Tunnel. The key-value pair is required for Tunnel to handle app proxy localhost traffic from apps: if an app connects to localhost, ::1, or 127.0.0.1, the localhost app proxy (TCP) traffic is redirected to the device itself.
SplitUDPPortList | Same as SplitUDPPortList under Packet-tunnel: a semicolon-separated list of UDP ports or port ranges sent through Tunnel VPN, with all other UDP packets sent directly to their destination. If the KVP is not configured, all UDP packets are sent through Tunnel VPN. Example: 53;161-162;200-1024. Because Standalone Sentry supports only limited types of UDP traffic such as DNS, and audio and video traffic through Standalone Sentry is not supported, Ivanti recommends configuring SplitUDPPortList to manage UDP traffic.
EnableLegacyAppProxyDNSSetup | true: Tunnel uses the legacy app proxy DNS setup logic. false, or KVP not configured: Tunnel does not set the system-level DNS servers.
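A practitioner pushing these key-value pairs from an MDM has no feedback until a device fails to connect, so it is worth linting the values first. The script below is an added example and not Ivanti code: it checks a KVP dictionary against the ranges and list syntaxes in the table above (disconnectTimeoutInSeconds, TcpIdleTmoMs, IPRoutes/ExcRoutes, SplitUDPPortList, PublicDNS, IPv6NetworkPrefix, the boolean flags), derives the DNS SRV record from an SRV_kerberos._tcp key, and warns about the two settings the table itself cautions on (DisablePinning=true and a missing SplitUDPPortList). The function names, the sample configuration and the use of example.com as DnsDomainName are assumptions made for this example.

```python
"""Lint Ivanti Tunnel for iOS key-value pairs before they are pushed.

Added example (not Ivanti's code). Key names and ranges come from the
table; the sample configuration and the SRV key example are constructed.
"""
import ipaddress
import re

# Integer keys with an explicit inclusive range in the table.
INT_RANGES = {
    "disconnectTimeoutInSeconds": (5, 18000),  # 0 is also allowed: never disconnect
    "TcpIdleTmoMs": (5000, 18000000),
}
# Keys the table documents only as a count or number of seconds: positive int.
POSITIVE_INT_KEYS = {"MTU", "AtpProbeIdleSec", "AtpProbeIntervalSec", "AtpProbeCount"}
BOOL_KEYS = {"UseSecureEMail", "SendDeviceID", "EnableConsoleLogging", "DisablePinning",
             "DirectLocalhost", "EnableLegacyAppProxyDNSSetup"}
ULA = ipaddress.IPv6Network("fc00::/7")  # unique local address space (RFC 4193)

def parse_port_list(text):
    """Parse a SplitUDPPortList value such as '53;161-162;200-1024' into
    a list of (low, high) tuples. Raises ValueError on a malformed entry."""
    ranges = []
    for item in text.split(";"):
        m = re.fullmatch(r"(\d{1,5})(?:-(\d{1,5}))?", item.strip())
        if not m:
            raise ValueError(f"bad port entry {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"port range out of bounds or reversed: {item!r}")
        ranges.append((lo, hi))
    return ranges

def parse_cidr_list(text):
    """Parse IPRoutes / ExcRoutes: semicolon-separated IP prefixes."""
    return [ipaddress.ip_network(p.strip(), strict=False) for p in text.split(";") if p.strip()]

def parse_dns_list(text):
    """Parse PublicDNS: space-separated IPv4/IPv6 addresses."""
    return [ipaddress.ip_address(a) for a in text.split()]

def srv_record_from_kvp(key, value):
    """Derive the DNS SRV record expressed by a 'SRV_kerberos._tcp.<DnsDomainName>'
    key whose value is 'SRV Priority Weight Port Target'."""
    fields = value.split()
    if not key.startswith("SRV_") or len(fields) != 5 or fields[0] != "SRV":
        raise ValueError(f"bad SRV key/value: {key!r} = {value!r}")
    name = key[len("SRV"):]  # '_kerberos._tcp.<DnsDomainName>'
    prio, weight, port = (int(f) for f in fields[1:4])
    return f"{name} IN SRV {prio} {weight} {port} {fields[4]}"

def lint(kvps):
    """Return (severity, key, message) tuples. 'error' = value outside what the
    table allows or unparsable; 'warn' = a security-relevant choice to review."""
    findings = []
    for key, value in kvps.items():
        try:
            if key in INT_RANGES:
                n, (lo, hi) = int(value), INT_RANGES[key]
                zero_ok = key == "disconnectTimeoutInSeconds" and n == 0
                if not (zero_ok or lo <= n <= hi):
                    findings.append(("error", key, f"{n} is not within {lo}-{hi}"))
            elif key in POSITIVE_INT_KEYS:
                if int(value) <= 0:
                    findings.append(("error", key, "must be a positive integer"))
            elif key in BOOL_KEYS:
                if value not in ("true", "false"):
                    findings.append(("error", key, "must be 'true' or 'false'"))
            elif key in ("IPRoutes", "ExcRoutes"):
                parse_cidr_list(value)
            elif key == "SplitUDPPortList":
                parse_port_list(value)
            elif key == "PublicDNS":
                parse_dns_list(value)
            elif key == "IPv6NetworkPrefix":
                if not ipaddress.IPv6Network(value).subnet_of(ULA):
                    findings.append(("error", key, "prefix is not within fc00::/7 (ULA)"))
            elif key.startswith("SRV_"):
                srv_record_from_kvp(key, value)
        except ValueError as exc:  # int(), ipaddress and the parsers all raise ValueError
            findings.append(("error", key, str(exc)))
    # Security-relevant choices the table itself warns about.
    if kvps.get("DisablePinning") == "true":
        findings.append(("warn", "DisablePinning", "certificate pinning to Standalone Sentry is disabled"))
    if "SplitUDPPortList" not in kvps:
        findings.append(("warn", "SplitUDPPortList",
                         "not set: all UDP (including audio/video) goes through Standalone Sentry"))
    return findings

# Constructed sample configuration; 'example.com' as DnsDomainName is an assumption.
SAMPLE_KVPS = {
    "disconnectTimeoutInSeconds": "0",
    "TcpIdleTmoMs": "3600000",
    "LogLevel": "info",
    "IPRoutes": "10.0.0.0/8;172.16.0.0/16",
    "ExcRoutes": "10.10.10.10/32",
    "SplitUDPPortList": "53;161-162;200-1024",
    "PublicDNS": "8.8.8.8 8.8.8.1",
    "IPv6NetworkPrefix": "fd00:1234::/64",
    "DisablePinning": "false",
    "DirectLocalhost": "true",
    "SRV_kerberos._tcp.example.com": "SRV 0 100 88 kdc.example.com",
}

if __name__ == "__main__":
    for severity, key, msg in lint(SAMPLE_KVPS) or [("ok", "-", "no findings")]:
        print(f"{severity:5} {key}: {msg}")
```

Run it against the dictionary you are about to push; a non-empty list of "error" findings means a value the table does not allow, and "warn" findings are the pinning and UDP-split decisions to confirm deliberately. The SRV derivation doubles as a check that the record Tunnel will serve matches what `dig _kerberos._tcp.<domain> SRV` returns from the internal DNS.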