Ivanti Tunnel for iOS configuration field description

The following table provides field descriptions for the Ivanti Tunnel configuration. There are some variations in field names between Ivanti EPMM and Ivanti Neurons for MDM.

Table 2.   Ivanti tunnel configuration field description

Item

Description

Name

Enter a name for the Ivanti Tunnel VPN profile.

Description

Enter a description for the profile.

Connection Type
(Ivanti EPMM)

Select Ivanti Tunnel.

Only fields relevant to Tunnel are displayed.

Choose OS to create Ivanti Tunnel Configuration
(Ivanti Neurons for MDM, per-app VPN)

Select iOS/macOS.

Profile selection mode to use for this configuration
(Ivanti Neurons for MDM)

Select one of the following:

  • Sentry Profile Only: Select if Tunnel traffic goes only through Standalone Sentry.
  • Access Profile Only: Select if Tunnel traffic goes only to Access. Only authentication traffic is tunneled to Access. This option is available only if an Access deployment is set up.

    If Access Profile Only is configured with the per-app VPN packet tunnel provider type, only authentication traffic is tunneled to Access and all other traffic is dropped. If Access Profile Only is configured with the device-level VPN packet tunnel provider type, only authentication traffic is tunneled to Access and all other traffic goes directly to the destination.

  • Sentry + Access Profile: Select if Tunnel VPN carries both traffic to Access, for authentication to enterprise cloud resources, and traffic through Standalone Sentry to on-premises enterprise resources. This option is available only if an Access as a service deployment is set up.

Legacy App Support (iOS only)

Select one of the following:

  • Enabled: Select to enable per-app VPN with the Tunnel Legacy app (versions of Tunnel prior to 2.0) on all versions of iOS.
  • Enabled for iOS 7 and 8: Select to enable per-app VPN using the Tunnel Legacy app on devices running iOS 7 and 8 only. Devices running iOS 9 or later (as supported by Ivanti) then use Tunnel 2.0 or later for per-app VPN.

The per-app VPN feature with Tunnel requires a separate license and Sentry 5.0 or later (as supported by Ivanti). Ensure your organization has purchased the necessary license before enabling this feature. Tunnel 2.0 or later is required for devices running iOS 9 or later.

VPN Sub Type

(Ivanti Neurons for MDM)

(Optional) Overrides the bundle identifier for a customized Tunnel app.

Enable Access
(Ivanti EPMM)

Select to enable authentication traffic through Access.

The option is available only if Access as a service is set up with Ivanti EPMM. For information about how to set up Access as a service with Ivanti EPMM, see the Access Guide.

Provider Type

(In Ivanti Neurons for MDM, this field is available only in the Tunnel configuration for per-app VPN.)

app-proxy: This is the default setting. Use this setting for TCP tunneling only.

packet-tunnel: Select to allow Tunnel to also handle IP traffic.

Device-level VPN automatically uses the packet tunnel provider type.

Per-app VPN
(Ivanti EPMM)

The options are available only if Provider Type is packet-tunnel; otherwise they are grayed out. Device-level VPN is not available with the app proxy provider type.

Yes: This is the default setting. Connectivity is established for an app, rather than the device.

No: Select to establish connectivity for the device, rather than just an app.

Sentry (Profile)

Ivanti EPMM: Select the Standalone Sentry on which you created the tunnel service.

Ivanti Neurons for MDM: Select the Standalone Sentry profile on which you created the Tunnel for iOS service.
The field is not available if the profile mode is Access Profile Only.

Sentry Service

Ivanti EPMM: Select the TCP or IP service that the Safari domain or managed app will use. If you are configuring packet tunnel provider type, select the IP service you created for Tunnel. If you are configuring app proxy, select the TCP service you created for Tunnel.

Ivanti Neurons for MDM: Select the Tunnel for iOS service.
The field is not available if the profile mode is Access Profile Only.

Only TCP services are available for selection if the provider type is app proxy.

Only IP services are available for selection if the provider type is packet tunnel.

SCEP Identity

(Ivanti Neurons for MDM)

Select the Identity Certificate configuration you created for Tunnel.

The Identity Certificate is automatically selected if Sentry Profile Only or Sentry + Access Profile is enabled.

Debug Info Recipient (Ivanti Neurons for MDM)

Enter the email address to which debug information is forwarded.

Identity Certificate
( Ivanti EPMM)

Select the certificate setting you created.

If you are using user-provided certificates, select the user provided certificate you created for Tunnel.

On Demand Rules (iOS 9 and later; macOS 10.13 and later)

VPN on-demand rules are evaluated when the device's primary network interface changes, for example when the device switches to a different Wi-Fi network. With the SSID matching rules described below, the device drops the Tunnel VPN connection when it joins an enterprise Wi-Fi network whose SSID is listed. If the network is not a Wi-Fi network, or if its SSID does not appear in the list, the device continues to use Ivanti Tunnel VPN.

  • A matching rule is not required. The Default Rule is applied if a matching rule is not defined.
  • If you select Evaluate Connection, a matching rule is not required.
  • You can create up to 10 On Demand matching rules.
  • For each matching rule you can create up to 50 Type and Value pairs.

An Ethernet on-demand rule is only applicable to macOS devices. If such a rule is pushed to an iOS device, it may cause issues with Tunnel behavior and with how traffic through Tunnel is handled. Therefore, Ivanti strongly recommends using separate Tunnel VPN configurations for iOS and macOS.

Add +

Click to add a new On Demand matching rule.

On Demand Action

Select one of the following actions to apply to the matching rule:

  • Connect
  • Disconnect

Matching Rules

For each On Demand matching rule to which the action is applied enter the type and value pair.

Add +

Click to add a new On Demand matching rule.

A dialog box appears.

Type

Select the following key type:

  • SSID

Value

Enter a list of SSIDs to match the enterprise Wi-Fi. If the network is not a Wi-Fi network or if its SSID does not appear in the list, the match will fail.

To add multiple SSIDs, create a separate SSID Type-Value pair for each SSID.

Description

Enter additional information about this matching rule.

OK

Click to add the On Demand Action and the associated Matching Rules.

Default Rule

The default rule (action) is applied to a connection that does not match any of the matching rules.

On Demand Action

From the drop down list, select Connect.
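The following script is an added example, not Ivanti code, showing how the On Demand rules described above behave once installed: the matching rules are checked top to bottom against the current network state, the first match decides the action, and the Default Rule (a rule with no Type/Value pairs, placed last) catches everything else. It uses Apple's VPN payload key names (OnDemandRules, Action, SSIDMatch, InterfaceTypeMatch); that the console emits its Type/Value pairs in exactly that form is an assumption. The SSIDs and network states are constructed sample values. The lint function also enforces the 10-rule and 50-pair limits and flags the Ethernet rule that should not reach iOS devices.

```python
"""Evaluate an Ivanti Tunnel On Demand rule set against a network state.

Added example, not Ivanti code. Key names follow Apple's VPN payload
(OnDemandRules, Action, SSIDMatch, InterfaceTypeMatch); the assumption is
that the console's Type/Value pairs and Default Rule are emitted that way.
"""
import plistlib

MAX_RULES = 10            # page: up to 10 On Demand matching rules
MAX_PAIRS_PER_RULE = 50   # page: up to 50 Type/Value pairs per rule
MATCH_KEYS = ("SSIDMatch", "InterfaceTypeMatch")

ENTERPRISE_SSIDS = ["corp-wifi", "corp-wifi-lab"]   # constructed sample values


def build_rules(enterprise_ssids, default_action="Connect"):
    """Matching rule: Disconnect on the listed enterprise SSIDs.
    Default Rule: Action only, last, so it applies when nothing above matched."""
    return [
        {"Action": "Disconnect", "SSIDMatch": list(enterprise_ssids)},
        {"Action": default_action},
    ]


def lint_rules(rules, target="iOS"):
    """Return a list of problems; an empty list means the rule set is acceptable."""
    problems = []
    matching = [r for r in rules if any(k in r for k in MATCH_KEYS)]
    if len(matching) > MAX_RULES:
        problems.append(f"{len(matching)} matching rules, limit is {MAX_RULES}")
    for i, rule in enumerate(rules):
        # SSIDMatch is a list of values; InterfaceTypeMatch is a single string
        pairs = sum(len(v) if isinstance(v, list) else 1
                    for k, v in rule.items() if k in MATCH_KEYS)
        if pairs > MAX_PAIRS_PER_RULE:
            problems.append(f"rule {i}: {pairs} Type/Value pairs, limit is {MAX_PAIRS_PER_RULE}")
        if target == "iOS" and rule.get("InterfaceTypeMatch") == "Ethernet":
            problems.append(f"rule {i}: Ethernet interface rule is macOS-only")
    if not rules or set(rules[-1]) != {"Action"}:
        problems.append("last rule must be the Default Rule (Action only)")
    return problems


def evaluate(rules, network):
    """Return the Action of the first rule whose match keys are all satisfied.
    network = {"interface": "WiFi" | "Cellular" | "Ethernet", "ssid": str | None}"""
    for rule in rules:
        if "SSIDMatch" in rule and not (
            network["interface"] == "WiFi" and network.get("ssid") in rule["SSIDMatch"]
        ):
            continue
        if "InterfaceTypeMatch" in rule and network["interface"] != rule["InterfaceTypeMatch"]:
            continue
        return rule["Action"]
    return None   # unreachable when a Default Rule is present


def to_payload(rules):
    """Serialize as the OnDemandRules fragment of an Apple VPN payload (XML plist)."""
    return plistlib.dumps({"OnDemandRules": rules})


def from_payload(data):
    return plistlib.loads(data)["OnDemandRules"]


if __name__ == "__main__":
    rules = build_rules(ENTERPRISE_SSIDS)
    print("lint:", lint_rules(rules) or "ok")
    for state in ({"interface": "WiFi", "ssid": "corp-wifi"},
                  {"interface": "WiFi", "ssid": "coffee-shop"},
                  {"interface": "Cellular", "ssid": None}):
        print(state, "->", evaluate(rules, state))
    print(to_payload(rules).decode())
```

Run it as-is to see the three network states resolve to Disconnect, Connect, Connect, followed by the serialized rule set; pass target="macOS" to lint_rules when checking a macOS-only configuration that legitimately uses an Ethernet rule.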

Safari Domains

The device user can access servers ending with these domains in Safari.

A Tunnel configuration is only applied to a managed app. Therefore, a managed app with the Tunnel configuration must be installed on the device for the device user to access the domains using per-app VPN.

  • If the device can resolve the destination domain on its own, Tunnel is not launched.
  • If the Safari domains use Kerberos authentication, you must also do the setup described in Setting up single sign-on with Kerberos.

Safari Domain

Enter a domain name.

Only alphanumeric characters and periods (.) are supported.

Description

Enter a description for the domain.

Add New

Click to add a domain.

Calendar Domains (iOS 13 and later; macOS 10.15 and later)

A Tunnel VPN connection is automatically established for these domains.

Only available for per-app VPN.

Calendar Domain

Enter a domain name.

Only alphanumeric characters and periods (.) are supported.

Description

Enter a description for the domain.

Add New

Click to add a domain.

Contact Domains (iOS 13 and later; macOS 10.15 and later)

A Tunnel VPN connection is automatically established for these domains.

Only available for per-app VPN.

Contact Domain

Enter a domain name.

Only alphanumeric characters and periods (.) are supported.

Description

Enter a description for the domain.

Add New

Click to add a domain.

Mail Domains (iOS 13 and later; macOS 10.15 and later)

A Tunnel VPN connection is automatically established for these domains.

Only available for per-app VPN.

Mail Domain

Enter a domain name.

Only alphanumeric characters and periods (.) are supported.

Description

Enter a description for the domain.

Add New

Click to add a domain.

Included Routes (Added Routes)

Only available for device-level VPN. Configured routes are set on the TUN interface. If no routes are configured, Tunnel uses 0.0.0.0/0.

Enter list of IPv4 ranges in CIDR format.

For multiple values, enter a semicolon separated list.

DNS Resolver IPs

Only for packet tunnel provider type.

Enter the IP address of a domain name server (DNS) to use for name resolution. IPv4 only.

For multiple values, enter a semicolon separated list. Ensure that the DNS server is routable through the included routes if the default route is not used.

If no DNS is configured, the Sentry DNS is used.

DNS Search Domain List

Only for packet tunnel provider type.

Enter DNS search domains for resolving the domain names.

For multiple values, enter a semicolon separated list.

Match Domain List

Only for packet tunnel provider type.

Enter domains for the VPN DNS to resolve.

For multiple values, enter a semicolon separated list.
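The following script is an added example, not Ivanti code. It validates the semicolon separated packet tunnel fields above (Included Routes, DNS Resolver IPs) and the Safari, Calendar, Contact and Mail domain lists against the constraints the field descriptions state: IPv4 CIDRs only, 0.0.0.0/0 when Included Routes is empty, IPv4 resolver addresses only, domain names made of alphanumeric characters and periods only, and the check that a resolver is actually covered by an included route when the default route is not used (otherwise queries for the match domains never enter the tunnel). The field values in the test are constructed samples.

```python
"""Validate the packet tunnel network fields of an Ivanti Tunnel profile.

Added example, not Ivanti code. It enforces only what the field
descriptions state; the sample field values are constructed.
"""
import ipaddress
import re

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")
DOMAIN_RE = re.compile(r"^[A-Za-z0-9.]+$")   # page: only alphanumeric characters and periods


def split_field(field):
    """Semicolon separated console field; surrounding blanks are ignored."""
    return [item.strip() for item in field.split(";") if item.strip()]


def parse_routes(field, errors):
    """Included Routes. An empty field means Tunnel sets 0.0.0.0/0 on the TUN interface."""
    items = split_field(field)
    if not items:
        return [DEFAULT_ROUTE]
    routes = []
    for item in items:
        try:
            net = ipaddress.ip_network(item)   # strict: host bits must be zero
        except ValueError as exc:
            errors.append(f"Included Routes: {exc}")
            continue
        if net.version != 4:
            errors.append(f"Included Routes: IPv4 only, got {item}")
            continue
        routes.append(net)
    return routes


def parse_resolvers(field, errors):
    """DNS Resolver IPs. IPv4 only; an empty field means the Sentry DNS is used."""
    addrs = []
    for item in split_field(field):
        try:
            addr = ipaddress.ip_address(item)
        except ValueError as exc:
            errors.append(f"DNS Resolver IPs: {exc}")
            continue
        if addr.version != 4:
            errors.append(f"DNS Resolver IPs: IPv4 only, got {item}")
            continue
        addrs.append(addr)
    return addrs


def unroutable(routes, resolvers):
    """Resolvers that no included route covers. Queries to them bypass the
    tunnel, so resolution of the match domains fails silently."""
    return [str(a) for a in resolvers if not any(a in r for r in routes)]


def bad_domains(field):
    """Entries in a Safari/Calendar/Contact/Mail domain list the console would reject."""
    return [d for d in split_field(field) if not DOMAIN_RE.match(d)]


def validate(included_routes="", dns_resolvers="", domains=""):
    """Parse the three fields and return a report dict (all values are strings)."""
    errors = []
    routes = parse_routes(included_routes, errors)
    resolvers = parse_resolvers(dns_resolvers, errors)
    return {
        "routes": [str(r) for r in routes],
        "resolvers": [str(a) for a in resolvers],
        "unroutable_resolvers": unroutable(routes, resolvers),
        "bad_domains": bad_domains(domains),
        "errors": errors,
    }


if __name__ == "__main__":
    # constructed sample: two RFC 1918 routes, one internal and one public resolver
    report = validate("10.0.0.0/8; 172.16.0.0/12", "10.1.1.53;8.8.8.8",
                      "intranet.example.com;corp-app.example.com")
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the sample run, 8.8.8.8 is reported as unroutable because neither included route covers it, and corp-app.example.com is rejected because the hyphen is outside the character set the domain fields accept.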

Custom Data

Enter Key Value pair to configure the Tunnel VPN disconnect, debug, and timeout behavior.

See Additional configurations using key-value pairs for Ivanti Tunnel.

iOS 14.0+ and macOS 11.0+

Associated Domains

Specify one or more associated domains. Connections to servers within one of these domains are associated with the Ivanti Tunnel.

Excluded Domains

Specify one or more excluded domains. Connections to servers within one of these domains are excluded from the Ivanti Tunnel.

Disconnection Timeout

Enter the disconnection timeout duration (in seconds). Any value from 0 through 86,400 is accepted; the default is 60 seconds.

+ Add Network Rules

For network rules, you can specify the following types of parameters:

  • DNS Domain Match

  • DNS Server Address Match

  • SSID Match

  • URL String Probe

+ Add Connection Rules

Connection rules specify, for the networks that evaluate as true, whether to connect when needed or never connect. For connection rules, you can specify the following types of parameters:

  • DNS Domain Match

  • DNS Server Address Match

  • SSID Match

  • URL String Probe

  • Interface Type Match

Action

Select the action to apply when the rule's Type and Value match:

  • Connect

  • Disconnect

  • Ignore
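The following script is an added example, not Ivanti code, showing the per-connection decision that "allow when needed" and "never allow" connection rules produce once a network rule has evaluated as true. It models Apple's ActionParameters keys (Domains, DomainAction, RequiredDNSServers, RequiredURLStringProbe); that the console's Connection Rules are emitted as ConnectIfNeeded and NeverConnect in that form is an assumption. Reachability checks are injected callables so the example runs offline, and the rule set and hostnames are constructed samples.

```python
"""Decide whether a connection to a host needs Ivanti Tunnel under an
"allow when needed / never allow" connection rule set.

Added example, not Ivanti code. Models Apple's ActionParameters keys
(Domains, DomainAction, RequiredDNSServers, RequiredURLStringProbe); the
mapping from the console's Connection Rules is an assumption.
"""


def domain_matches(hostname, domains):
    """True when hostname equals a listed domain or is a subdomain of it.
    Matching is on label boundaries, so evilintranet.example.com does not
    match intranet.example.com."""
    host = hostname.lower().rstrip(".")
    for domain in domains:
        d = domain.lower().strip(".")
        if host == d or host.endswith("." + d):
            return True
    return False


def decide(hostname, connection_rules, dns_reachable, probe_ok):
    """The first connection rule whose Domains match the host decides:
      NeverConnect    -> "never"      (the tunnel is never started for this host)
      ConnectIfNeeded -> "connect"    when any RequiredDNSServers entry is
                                      unreachable or the URL probe gets no reply,
                         "not-needed" otherwise (host reachable without the tunnel)
      no match        -> "no-match"   (falls through to the default action)
    dns_reachable(ip) and probe_ok(url) are injected and return bool."""
    for rule in connection_rules:
        if not domain_matches(hostname, rule["Domains"]):
            continue
        action = rule["DomainAction"]
        if action == "NeverConnect":
            return "never"
        if action != "ConnectIfNeeded":
            raise ValueError(f"unknown DomainAction {action!r}")
        servers = rule.get("RequiredDNSServers", [])
        if servers and not all(dns_reachable(ip) for ip in servers):
            return "connect"
        probe = rule.get("RequiredURLStringProbe")
        if probe and not probe_ok(probe):
            return "connect"
        return "not-needed"
    return "no-match"


CONNECTION_RULES = [   # constructed sample rule set
    {
        "Domains": ["intranet.example.com"],
        "DomainAction": "ConnectIfNeeded",
        "RequiredDNSServers": ["10.1.1.53"],
        "RequiredURLStringProbe": "https://probe.intranet.example.com/",
    },
    {"Domains": ["public.example.com"], "DomainAction": "NeverConnect"},
]


def on_corporate_network(_target):
    """Simulated state: internal DNS answers and the probe URL responds."""
    return True


def off_corporate_network(_target):
    """Simulated state: internal DNS and probe URL are unreachable."""
    return False


if __name__ == "__main__":
    for host in ("wiki.intranet.example.com", "public.example.com", "evilintranet.example.com"):
        inside = decide(host, CONNECTION_RULES, on_corporate_network, on_corporate_network)
        outside = decide(host, CONNECTION_RULES, off_corporate_network, off_corporate_network)
        print(f"{host}: on corporate network -> {inside}, elsewhere -> {outside}")
```

The same host resolves to "not-needed" on the corporate network and "connect" elsewhere, which is the behaviour a ConnectIfNeeded rule is meant to produce; a host under a NeverConnect domain is kept off the tunnel regardless of network state.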

Enforce Routes

Select this check box to enforce routes through Ivanti Tunnel.

Exclude Local Networks

Select this check box to exclude all local networks.

Include All Networks

Select this check box to include all network types.