Following are the main steps for configuring Ivanti Tunnel for iOS. These configuration tasks are performed in the Ivanti EPMM Admin Portal.
- Main tasks for configuring Ivanti Tunnel for iOS (Ivanti EPMM)
- Applying the Ivanti Tunnel VPN setting to managed apps in Ivanti EPMM
Ivanti Tunnel supports per-app and device-level VPN. Choose the appropriate configuration depending on whether you are creating a per-app VPN or a device-level VPN.
You can create multiple Ivanti Tunnel configurations to push to a device. The VPN profiles pushed to a device are listed in Settings > General > VPN, and in Settings > General > Device Management. Depending on the app in use, iOS automatically switches to use the VPN profile applied to the app.
You can apply both per-app VPN and device-level VPN to a device. However, per-app VPN takes priority over device-level VPN. The device-level VPN is used for apps that are not associated with a per-app VPN.
Before you begin
- If you are configuring app proxy VPN, ensure that you have created a TCP AppTunnel service in Standalone Sentry.
- If you are configuring packet tunnel provider type, ensure that you have created an IP AppTunnel service in Standalone Sentry.
- For information on setting up a TCP or IP AppTunnel service see “Working with Standalone Sentry for AppTunnel” in the Standalone Sentry Guide for Ivanti EPMM.
- If you are configuring Ivanti Tunnel for securing authentication traffic with Access see the Access Guide.
Ivanti strongly recommends creating separate Ivanti Tunnel VPN configurations for iOS and macOS. Using the same Ivanti Tunnel VPN configuration for iOS and macOS may cause issues with how Ivanti Tunnel operates and how traffic through Ivanti Tunnel is handled.
- In the Admin Portal, go to Policies & Configs > Configurations.
- Click Add New > VPN.
- For Connection Type, select Ivanti Tunnel.
- Add the necessary configurations.
- Click Save.
- If you created a device-level VPN configuration, apply the configuration to a label that contains iOS devices.
The configuration is distributed to the devices in the label.
- For a description of the configuration fields for Ivanti Tunnel (iOS) VPN, see Ivanti Tunnel for iOS configuration field description.
- For a description of the key-value pairs, see Additional configurations using key-value pairs for Ivanti Tunnel.
When you Add or Edit an app in the App Catalog, you have the option to select the per-app VPN setting to apply to the app. Select the per-app Ivanti Tunnel (iOS) VPN setting you created. This procedure is not needed for a device-level VPN configuration.
- In the Admin Portal, go to Apps > App Catalog.
- Select iOS from the Platform list.
- Click the Add+, or select an app and click the edit icon next to the app.
- In the form, for Per App VPN Settings, select the per-app Ivanti Tunnel (iOS) VPN configuration you created.
For more information about adding and editing apps for distribution, see the following sections in the Ivanti EPMM Apps@Work Guide:
- “Using the wizard to import iOS apps from the Apple App Store.”
- “Using the wizard to add an in-house iOS or macOS app to the App Catalog.”
Adding Ivanti Tunnel to the App Catalog makes the app available in the app storefront.
Ivanti Tunnel is also available in the Apple App Store. The device user can download the app directly from the Apple App Store. Device users can download the app directly from the Apple AppStore at itunes.
If you are a using a self-signed or an untrusted certificate for the Standalone Sentry, the certificate must be pushed to the device. The Standalone Sentry certificate is required on the device for Tunnel to authenticate the Standalone Sentry and establish a per-app VPN session. If the certificate is changed at any time, you must push the changed certificate to the device, otherwise there may be a disruption in service. Therefore, we recommend using a certificate from a trusted certificate authority for the Standalone Sentry.
If the certificate is changed at any time, you must push the changed certificate to the device, otherwise there may be a disruption in service. To push the Standalone Sentry certificate to the device, follow the instructions in the Using a Self-signed certificate with Standalone Sentry and Tunnel knowledge base article.