Before you set up Ivanti Tunnel for macOS, see the following:
- Required components for deploying Ivanti Tunnel for macOS
- Requirements for setting up Ivanti Tunnel for macOS
- Recommendations for setting up Ivanti Tunnel for macOS (Ivanti EPMM)
- Limitations for Ivanti Tunnel for macOS
The following components are required for an Ivanti Tunnel for macOS deployment:
- Standalone Sentry with AppTunnel enabled or Access.
- Unified Endpoint Management (UEM) platform:
  - Ivanti EPMM
  - Ivanti Neurons for MDM
- macOS devices registered with a UEM.
Ivanti EPMM: For information about registering macOS devices, see “Registering iOS and macOS devices through the web” in the Ivanti EPMM Device Management Guide for iOS and macOS Devices.
Ivanti Neurons for MDM: For information about registering macOS devices on Ivanti Neurons for MDM, see the Ivanti Neurons for MDM Guide or the Help on Ivanti Neurons for MDM.
For supported versions, see the Ivanti Tunnel for macOS Release Notes.
The following are requirements for setting up Ivanti Tunnel for macOS:
- If your deployment uses Standalone Sentry:
  - You have installed Standalone Sentry. See the Standalone Sentry Installation Guide.
  - Standalone Sentry is set up for AppTunnel using identity certificates for device authentication.
    For information about setting up a Standalone Sentry for AppTunnel, see Standalone Sentry for Ivanti EPMM Guide for Unified Endpoint Management (UEM) platform.
  - The Standalone Sentry IP address is publicly accessible.
  - The Standalone Sentry name is registered in DNS.
  - To tunnel IP traffic, ensure that you have created an IP_ANY service.
  - For documentation, see Standalone Sentry product documentation.
  - Standalone Sentry is required for packet tunnel provider with per-app VPN.
- If your deployment uses Access, ensure that Access is set up. See the Access Guide for information on how to set up Access. For documentation, see Access product documentation.
- The appropriate ports are open.
  See the Ivanti Tunnel for macOS Release Notes.
Standalone Sentry: Ivanti recommends that Standalone Sentry use a trusted CA certificate. If Standalone Sentry uses a self-signed certificate, you must do the following additional setup in Ivanti EPMM:
- In the Services > Sentry page, for the Standalone Sentry, click the View Certificate link. This makes the Standalone Sentry’s certificate known to Ivanti EPMM.
- Follow the instructions in the Using a Self-signed certificate with Standalone Sentry and Ivanti Tunnel knowledge base article.
If the self-signed certificate is changed at any time, you must push the changed certificate to the device; otherwise, there may be a disruption in service. Therefore, Ivanti recommends using a certificate from a trusted certificate authority for the Standalone Sentry.
UDP traffic: If you want to limit the UDP traffic through Standalone Sentry, gather a list of the destination UDP ports that should be tunneled through Ivanti Tunnel VPN, then configure the SplitUDPPortList key-value pair to limit the UDP traffic through Ivanti Tunnel. All other UDP traffic is not tunneled.
Ivanti Tunnel for macOS has the following limitations:
- Single sign-on with Kerberos is not supported.