Per app VPN and the MobileIron Tunnel app on iOS and macOS devices

MobileIron Core pushes per app VPN profiles to devices regardless of whether devices have the VPN client (MobileIron Tunnel). Core will install apps to devices that require MobileIron Tunnel to function correctly, even if those devices do not have Tunnel installed or per app VPN enabled. If MobileIron Tunnel is not installed to devices with these apps, the apps will not function correctly. To enable the use of apps that require MobileIron Tunnel type per app VPN to function, you must ensure devices have MobileIron Tunnel installed and per app VPN functionality enabled.

MobileIron makes the following recommendations with regard to apps requiring per app VPN:

  • When sending app installation messages to devices for apps requiring MobileIron Tunnel type per app VPN, Core installs the apps to devices even if Tunnel or per app VPN is not installed or enabled on these devices. To send app installation messages only to devices with MobileIron Tunnel type per app VPN, you must send the app installation message to a label you create that includes only devices with MobileIron Tunnel type per app VPN.
  • When sending an app installation or conversion request (from unmanaged to managed) on registration or sign-in, Core installs to devices apps requiring Tunnel or per app VPN regardless of whether devices have Tunnel installed or per app VPN enabled. To send app installation or conversion requests only to devices with MobileIron Tunnel type per app VPN configurations, you must send the app installation or conversion message to a label you create that includes only devices with MobileIron Tunnel type per app VPN.
  • When signing out of the multi-user web clip for iOS, Core triggers the removal of the per app VPN profile from the device twice.
  • Apply the following dynamic label to the VPN configuration profile you apply to devices: "common.mi_tunnel_app_installed" = "production"
  • When configuring per app VPN settings to an app, select Per app VPN by label only, then select the MobileIron Tunnel VPN configuration. You must move only the MobileIron Tunnel VPN configuration to the right side of per app VPN list, as Core does not support this functionality if other types of VPN configurations exist on the device.