Additional configurations using key-value pairs for Ivanti Tunnel

Key-value pairs are used to customize Ivanti Tunnel for iOS app behavior. These key-value pairs define app behavior such as idle timeout, email address for sending debug information, and level of log detail that is collected.

The following table provides the key-value pairs for customizing Tunnel for iOS.

Table 4. Key-value pairs for Ivanti Tunnel for iOS



Manage Tunnel timeout

(Ivanti EPMM)

Enter 0 or a number between 5 - 18000.

If the value is 0, then Tunnel VPN never disconnects itself. You have to manually disconnect the VPN in the Tunnel.

If the value is greater than 0, the Tunnel VPN is disconnected after the number entered.

If this key-value pair is not configured, the default is 60 seconds.


Enter any integer between 5000 - 18000000.

The timeout is measured in milliseconds. Configuring idle timeout allows you to control the idle session timeout for the TCP connection between the app and the backend server. You may want to configure idle timeout if the backend server takes more than 60 seconds to respond to a request.

The default idle timeout with Standalone Sentry for per-app VPN if the key-value pair is not configured: 60 seconds.

For packet tunnel, Ivanti recommends setting the idle timeout equal to or larger than the idle timeout for the enterprise server being accessed. If you do not know the idle timeout for the server, set the value to 3600000.


(Available as field value in Ivanti Neurons for MDM)

Enter an email address to forward the debug information.


Enter debug <Log Level>

Use one of the following log level options. The options are listed from the least to the most verbose level.

  • error: Captures error logs if the Tunnel app errors out while performing an action.
  • warning: Captures warning messages logged if there is missing or incorrect information that might cause an error. This log level is rarely used.
  • info: Captures informational level details, such as logged inputs, metadata, and parameter values.
  • debug: Captures debug level information, such as actions, operations, values of critical data, and information that is helpful in debugging.
  • session: Captures everything that occurs during a tunnel session.
  • packet: Captures packet level information, such as length in bytes. Used for troubleshooting DNS queries and responses to and from Tunnel.

Default if the key-value pair is not configured: info


Enter true.

Tunnel uses Email+ to send debug logs.

If the key-value pair is not configured, Tunnel uses the native iOS email client to send debug logs.


Enter true.

Tunnel provides the device ID to Access.

The device ID is reported on Access in Reports > Errors.

The key-value pair is useful in identifying devices that encounter connection errors when authenticating through Access.

Default if the key-value pair is not configured: false.

DNS and network


Enter a list of DNS servers that are accessible from the device. Each DNS entry is separated by a space.

IPv4 and IPv6 addresses are supported.

Since (managed) apps have access to the DNS servers configured on the device, this KVP is needed only in rare cases.



IPv6 ULA network prefix to use for internal NAT table.

DNS query for SRV record (for SSO with Kerberos)


Where DnsDomainName is the internal domain name of the KDC server.


Enter SRV Priority Weight Port Target


  • Priority is the priority of the server.
  • Weight is the load-balancing mechanism that is used when selecting a target.
  • Port is the port number on which the server is listening.
  • Target is the fully qualified domain name (FQDN) of the KDC server.


SRV 0 100 88

SRV record derived from the key-value pair: SRV 0 100 88

Ensure that the domain configured for DnsDomainName and for Target is also configured in Safari Domains in the Tunnel VPN configuration. Configuring the domains in Safari Domains ensures that the traffic goes through Tunnel.
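A pre-deployment check for the SRV key-value pair described above, as an added example (not Ivanti code). It validates the `SRV Priority Weight Port Target` value and confirms that both DnsDomainName and Target are covered by the Safari Domains list; the function names, the sample domains, the 0-65535 field range, and the suffix-matching rule for Safari Domains are assumptions.

```python
# Hostname label: letters, digits, hyphens; no leading or trailing hyphen.
import re

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name):
    """True if name has at least two valid dot-separated labels."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def covered(name, safari_domains):
    """Assumption: a Safari Domains entry matches itself and its subdomains."""
    name = name.rstrip(".").lower()
    for entry in safari_domains:
        entry = entry.strip().lstrip("*.").lower()
        if entry and (name == entry or name.endswith("." + entry)):
            return True
    return False


def check_srv_kvp(dns_domain_name, value, safari_domains):
    """Return a list of problems; an empty list means the pair looks valid."""
    parts = value.split()
    if len(parts) != 5 or parts[0] != "SRV":
        return ["value must be: SRV Priority Weight Port Target"]
    problems = []
    # Assumed range: SRV priority, weight and port are 16-bit unsigned fields.
    for field, raw in zip(("Priority", "Weight", "Port"), parts[1:4]):
        if not (raw.isascii() and raw.isdigit() and int(raw) <= 65535):
            problems.append(f"{field} must be an integer 0-65535, got {raw!r}")
    target = parts[4]
    if not is_fqdn(target):
        problems.append(f"Target {target!r} is not an FQDN")
    # Both names must be in Safari Domains so the traffic goes through Tunnel.
    for label, name in (("DnsDomainName", dns_domain_name), ("Target", target)):
        if not covered(name, safari_domains):
            problems.append(f"{label} {name!r} is not covered by Safari Domains")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(check_srv_kvp("corp.example.com",
                        "SRV 0 100 88 kdc01.corp.example.com",
                        ["corp.example.com"]))
```

An empty list means the value parses and both domains are covered by the Safari Domains list; otherwise each returned string names one problem to fix before pushing the configuration.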



false: Default, if the key-value pair is not configured. Certificate pinning is enabled.

true: Certificate pinning is disabled. Disabling certificate pinning is not recommended for security reasons.

The Standalone Sentry server certificate is automatically pushed to the device.



IP routes of the iOS or macOS device VPN. Enter a semicolon-separated list.

The default value if the key-value is not configured is



IP routes that will be excluded from IPRoutes.



Enter a list of UDP ports to send through Tunnel VPN. All other UDP packets are sent directly to the destination.

If the KVP is not configured, all UDP packets are sent through Tunnel VPN.



Standalone Sentry supports only limited types of UDP traffic, such as DNS traffic. Audio and video traffic through Standalone Sentry is not supported. Therefore, Ivanti recommends configuring SplitUDPPortList to manage UDP traffic.


Tunnel MTU.

The default value if the key-value pair is not configured is 1400.


IP address of the VPN network interface. Configure only if the customer network is in the same range.



Sets the minimum idle time, in seconds, after which probe packets are sent out with outbound Tunnel traffic. If Tunnel does not receive a response for at least one of the probes sent, the existing connection is dropped and a new connection is established with the server.

The minimum idle time is based on the last inbound response received by Tunnel. For example, if the value is 60 seconds and Tunnel does not receive any inbound traffic for 60 seconds, probe packets are sent with the next outbound Tunnel traffic.

Default value if the key-value pair is not configured: 60 seconds


Sets the interval, in seconds, between probe packets sent after the minimum idle time specified in AtpProbeIdleSec.

Default value if the key-value pair is not configured: 1 second


Sets the total count of the probe packets sent after the minimum idle time specified in AtpProbeIdleSec.

Default value if the key-value pair is not configured: 5

App proxy


Enter true.

Configure if using app proxy Tunnel. The key-value pair is required for Tunnel to handle app proxy localhost traffic from apps.

true: If an app uses localhost, ::1, or, the localhost app proxy (TCP) traffic is redirected to the device itself.