Other Features

Conditional Access on Android ISAC Client

Device Validation Support for VoD and Per-App VPN

Device ID Validation

Derived Credential Support

VPN Configuration

Collecting Log Files from Ivanti Secure Access Client for Android

Dark Theme Support

Voice Over Support

UI Mode Switching

Conditional Access on Android ISAC Client

The Conditional Access feature uses identity-driven signals as part of access control decisions: Conditional Access brings those signals together, makes decisions, and enforces organizational policies. With it, administrators can restrict access to approved client apps using Intune app protection policies.

For detailed information, refer to What is Conditional Access in Microsoft Entra ID?

The Conditional Access feature applies only to SAML authentication. Before configuring Conditional Access in Intune, ensure that the SAML server is configured on Ivanti Connect Secure. For the configuration procedure, see User Verification and Key Concepts.

Follow these steps to enable the Conditional Access feature.

  1. Configure a SAML cloud app on Azure IdP and Ivanti Connect Secure. See Deploying a BYOD Policy for Microsoft Intune Managed Devices and Client application configuration.

  2. Create a Device Feature policy configuration in Intune MDM under Devices > Manage devices > Configuration > Create > New policy.

  3. Configure a device compliance policy; see Password compliance policy for Android Enterprise devices.

  4. Connect your Intune account to your Managed Google Play account; see Intune account.

  5. Enrol the Android devices; see Android device enrollment guide for Microsoft Intune.

  6. Configure the conditional access policy; see Plan a Microsoft Entra Conditional Access deployment.

    1. Create the Conditional Access policy on Azure IdP.

    2. Select the users to which the policy applies.

    3. Select the target resource as the ISAC client name.

  7. Choose conditions. Select Device platform as Android for Android devices.

  8. Select Client apps as Browser, since mobile devices use the browser for login.

  9. Block or grant access to the resources based on the above conditions and the device compliance state.

Ensure “Require device to be marked as compliant” is checked.

The identity-based restriction is configured from the MDM; the Conditional Access policy is applied based on the compliance state fetched from Azure IdP.

When establishing a connection with Conditional Access from ISAC, a prompt to accept the certificate appears, and user input is required to proceed with the connection.
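The policy that steps 6 to 9 build by hand can be checked after the fact, for example against a JSON export of the tenant's policies. The following lint is an added example and is not Ivanti's or Microsoft's code. It assumes the field names of the Microsoft Graph conditionalAccessPolicy resource (state, conditions.platforms, conditions.clientAppTypes, grantControls.builtInControls); ISAC_APP_ID and TARGET_GROUP_ID are placeholders, and SAMPLE_POLICY is a constructed sample that follows the documented steps.

```python
import json

# Placeholders (constructed for this example): replace with the application id
# of the ISAC SAML cloud app and the object id of the group the policy targets.
ISAC_APP_ID = "<isac-saml-app-id>"
TARGET_GROUP_ID = "<target-group-id>"

# Constructed sample in the shape of a Microsoft Graph conditionalAccessPolicy
# export (assumption: field names as documented for that resource).
SAMPLE_POLICY = {
    "displayName": "ISAC Android: require compliant device",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": [TARGET_GROUP_ID]},
        "applications": {"includeApplications": [ISAC_APP_ID]},
        "platforms": {"includePlatforms": ["android"], "excludePlatforms": []},
        "clientAppTypes": ["browser"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
}


def lint_policy(policy: dict, app_id: str = ISAC_APP_ID) -> list[str]:
    """Return findings where the policy deviates from the documented steps.

    An empty list means the policy targets the ISAC app, Android, browser
    sign-in, and either blocks or requires a compliant device.
    """
    findings = []
    cond = policy.get("conditions", {})

    # Step 9 only takes effect when the policy is enforcing, not report-only.
    state = policy.get("state")
    if state != "enabled":
        findings.append(f"policy state is {state!r}; it is not enforcing")

    # Step 6.3: the ISAC cloud app must be a target resource.
    included_apps = cond.get("applications", {}).get("includeApplications", [])
    if app_id not in included_apps and "All" not in included_apps:
        findings.append("ISAC cloud app is not a target resource")

    # Step 6.2: at least one user, group or role must be in scope.
    users = cond.get("users", {})
    if not any(users.get(k) for k in ("includeUsers", "includeGroups", "includeRoles")):
        findings.append("no users or groups selected")

    # Step 7: Android must be an included platform and not excluded.
    platforms = cond.get("platforms") or {}
    included = platforms.get("includePlatforms", [])
    if "android" not in included and "all" not in included:
        findings.append("Android is not an included device platform")
    if "android" in platforms.get("excludePlatforms", []):
        findings.append("Android is explicitly excluded")

    # Step 8: mobile sign-in goes through the browser client app type.
    client_apps = cond.get("clientAppTypes", [])
    if "browser" not in client_apps and "all" not in client_apps:
        findings.append("Browser client app type is not selected (mobile login uses the browser)")

    # Step 9: block, or require the device to be marked as compliant.
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if "block" not in controls and "compliantDevice" not in controls:
        findings.append("neither Block nor 'Require device to be marked as compliant' is set")
    elif "compliantDevice" in controls and grant.get("operator") == "OR" and len(controls) > 1:
        findings.append("OR with other controls lets a non-compliant device satisfy the policy another way")
    return findings


def lint_policy_json(text: str, app_id: str = ISAC_APP_ID) -> list[str]:
    """Convenience wrapper for a JSON export of a single policy."""
    return lint_policy(json.loads(text), app_id)


if __name__ == "__main__":
    print(lint_policy(SAMPLE_POLICY) or "policy matches the documented configuration")
```

Run it against each exported policy that targets the ISAC app; a report-only state or an OR-combined grant control are the two deviations that most often leave the compliance requirement unenforced.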

Device Validation Support for VoD and Per-App VPN

Apps can be configured to connect to the VPN automatically when they are launched. With this feature, only corporate-managed apps send their data over the VPN. Personal traffic of employees, such as personal web browsing and connections to gaming and social networks, does not use the VPN.

When the VPN On Demand profile is applied to the device, the VPN starts automatically under the following two conditions:

  1. When the configured applications are launched.

  2. When a configured application sends traffic in the background.

In VPN On Demand, a blocking interface is set up on the device which monitors the configured apps for the network traffic. Whenever an application whose network access type is "require VPN" tries to perform any network activity, the blocking interface detects this. It thereafter authenticates the user, tears down the blocking interface, and establishes the VPN connection.

Enterprise Mobility Management (EMM) Configuration

The configuration must be enabled on the EMM. The EMM vendor should configure the following parameters to set up a VPN On Demand profile.

  1. For VPN On Demand, Stealth Mode must be set to True.

  2. Configure the mandatory parameters: Connection Name, URL, Authentication type, Certificate Alias (for certificate authentication), and username and password (for userpass authentication).

| Configuration Key | Value Type | Configuration Values | Description |
| --- | --- | --- | --- |
| Stealth Mode | String | | Stealth Mode Authentication |
| VPN Trigger Type | Choice | 0 or 1 or 2 | VPN Trigger Type: Manual = 0, OnDemand = 1, Always on VPN = 2 |
| AppVPN Packages | String | com.android.chrome,com.microsoft.skydrive | Application VPN packages (value should be comma separated) |
| AppVPN Action | Choice | 0 or 1 | Application VPN action: allow = 0, deny = 1 |
| Route Type | String | 0 or 1 | Route Type: device VPN = 0 or Per-App VPN = 1 |
| Role | String | | VPN Role |
| Realm | String | | VPN Realm |
| VPN-Standard | Boolean | | Set this profile as default. The existing default profile will be overridden |
| Certificate Alias | String | | Certificate alias in the Android KeyStore |
| Password2 | String | | VPN Password 2 |
| Username2 | String | | VPN username 2 |
| Password | String | | VPN Password |
| Username | String | | VPN username |
| Authentication Type | Choice | certalias or userpass or dualauth | VPN Authentication Type: certalias: Certificate Authentication, userpass: Username/Password based Authentication, dualauth: combination of userpass/certauth |
| URL | String | | VPN Connection URL |
| Connection Name | String | | VPN Connection name |
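The table above lists the keys individually but the constraints between them (Stealth Mode for On Demand, the alias or credentials each Authentication Type needs, packages for a Per-App route) are easy to get wrong in an EMM console. The following validator is an added example, not Ivanti's or any EMM vendor's code. It uses the display names from the "Configuration Keys" column as dictionary keys (assumption: your EMM may store them under its own identifiers), and SAMPLE_ON_DEMAND is a constructed profile.

```python
import re

# Key names and allowed values taken from the configuration table above.
# Assumption: the EMM may expose these keys under its own internal
# identifiers; adjust the strings below if yours differ.
TRIGGER_TYPES = {0: "Manual", 1: "OnDemand", 2: "Always on VPN"}
APP_VPN_ACTIONS = {0: "allow", 1: "deny"}
ROUTE_TYPES = {0: "device VPN", 1: "Per-App VPN"}
AUTH_TYPES = ("certalias", "userpass", "dualauth")
# Android package names: dot-separated identifiers, at least two segments.
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def _as_int(value):
    """Choice values usually arrive as strings from EMM consoles; None if unparsable."""
    try:
        return int(str(value).strip())
    except (TypeError, ValueError):
        return None


def parse_packages(value: str) -> list[str]:
    """Split the comma-separated AppVPN Packages value, dropping blanks and whitespace."""
    return [p.strip() for p in str(value).split(",") if p.strip()]


def validate_app_config(cfg: dict) -> list[str]:
    """Return a list of problems; an empty list means the profile is internally consistent."""
    problems = []

    # Mandatory for every profile (item 2 of the EMM configuration list).
    for key in ("Connection Name", "URL", "Authentication Type"):
        if not str(cfg.get(key, "")).strip():
            problems.append(f"missing mandatory key: {key}")

    # Each authentication type needs its own supporting keys.
    auth = str(cfg.get("Authentication Type", "")).strip().lower()
    if auth and auth not in AUTH_TYPES:
        problems.append(f"unknown Authentication Type: {auth}")
    if auth in ("certalias", "dualauth") and not cfg.get("Certificate Alias"):
        problems.append("Certificate Alias is required for certalias/dualauth")
    if auth in ("userpass", "dualauth"):
        for key in ("Username", "Password"):
            if not cfg.get(key):
                problems.append(f"{key} is required for userpass/dualauth")

    # VPN On Demand (trigger 1) only works with Stealth Mode = True.
    trigger = _as_int(cfg.get("VPN Trigger Type"))
    if trigger not in TRIGGER_TYPES:
        problems.append("VPN Trigger Type must be 0, 1 or 2")
    elif trigger == 1 and str(cfg.get("Stealth Mode", "")).strip().lower() != "true":
        problems.append("VPN On Demand requires Stealth Mode = True")

    if "AppVPN Action" in cfg and _as_int(cfg["AppVPN Action"]) not in APP_VPN_ACTIONS:
        problems.append("AppVPN Action must be 0 (allow) or 1 (deny)")

    # A Per-App route is meaningless without a well-formed package list.
    route = _as_int(cfg.get("Route Type"))
    if "Route Type" in cfg and route not in ROUTE_TYPES:
        problems.append("Route Type must be 0 (device VPN) or 1 (Per-App VPN)")
    if route == 1:
        pkgs = parse_packages(cfg.get("AppVPN Packages", ""))
        if not pkgs:
            problems.append("Per-App VPN needs at least one AppVPN package")
        for pkg in pkgs:
            if not PACKAGE_RE.match(pkg):
                problems.append(f"malformed Android package name: {pkg}")

    return problems


# Constructed sample: a Per-App, On Demand profile with certificate authentication.
SAMPLE_ON_DEMAND = {
    "Connection Name": "Corp VPN",
    "URL": "https://vpn.example.com/",
    "Authentication Type": "certalias",
    "Certificate Alias": "corp-user-cert",
    "Stealth Mode": "True",
    "VPN Trigger Type": "1",
    "Route Type": "1",
    "AppVPN Action": "0",
    "AppVPN Packages": "com.android.chrome,com.microsoft.skydrive",
    "VPN-Standard": True,
}

if __name__ == "__main__":
    print(validate_app_config(SAMPLE_ON_DEMAND) or "profile OK")
```

Certificate authentication keeps the secret in the Android KeyStore; if a profile uses userpass or dualauth, remember that the Username and Password keys are distributed to every enrolled device as part of the app configuration, which is the main reason to prefer certalias where the PKI allows it.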

VPN On Demand Limitations

No Support for FQDN based Split Tunneling

Device ID Validation

This feature reads the Unique Device ID (UDID) from the MDM application configuration and passes it to Connect Secure. After validating it, Connect Secure initiates authentication.

Derived Credential Support

This feature provides certificate-based authentication support for classic L3 VPN profiles where the certificates are installed and managed by another application. Such applications install digital certificates in the Android device keystore and replace the need for physical smart cards for authentication.

Ivanti Secure Access Client 22.5R1 onwards supports Ivanti EPMM, Ivanti Neurons for MDM and the Entrust application as certificate providers.

Supported Platforms

Ivanti Secure Access Client 22.5.1 onwards

PIV-D manager application

Ivanti Mobile@Work / Ivanti Go for core and cloud respectively

Configuration of Derived Credentials

The configuration includes initial setting up by admin and then end user enrollment.

  1. The admin configures the CA root certificates and the user certificates provided by the vendor in the MDM.

  2. The admin adds an appconfig policy to configure the ISAC client details in the MDM.

  3. The admin installs the corresponding CA root certificates on ICS for certificate chain validation.

  4. The end user enrolls in the MDM to fetch the appconfig policy.

  5. The end user browses to the Entrust portal and selects I’d like to enroll for a derived mobile smart credential.

  6. On the next screen, the user selects the option I’ve successfully downloaded and installed the Smart Credential enabled application, then clicks Next.

  7. The user enters a name for the derived credential and clicks OK.

  8. A QR code is displayed; the user scans it with the PIV-D Manager application and enters the password to install the certificates.

The certificates are installed in the MDM and ISAC fetches the user certificate from MDM client application.

VPN Configuration

Mobile devices use a VPN connection profile to initiate a connection with the VPN server. Use VPN profiles in Microsoft Intune to deploy VPN settings to mobile devices in your organization, so they can easily and securely connect to the network. For more information, see Use VPN settings for Android Enterprise in Microsoft Intune.

Before proceeding, make sure you have the IP address or FQDN of the Ivanti Connect Secure (ICS) server that the mobile devices will connect to.

To create a VPN profile:

  1. In the Intune admin console, navigate to Home > Devices > Android > Configuration.

  2. Under Policies, click Create and select New Policy.

  3. In the Create a profile window, select Platform as Android Enterprise and choose VPN as Profile type and click Create.

  4. In the Basics details, enter a name and description for the policy.

  5. In the Configuration settings, from the Connection type drop-down list, select Custom VPN.
    ISAC is listed as Pulse Secure VPN; you can select Pulse Secure as the VPN. If the profiles are not recognised by the VPN application, re-push them.

  6. Under Base VPN details, enter the ICS server name for Connection Name.

  7. For VPN IP address name, enter the ICS sign-in URL or the server IP address.

  8. From the Authentication method drop-down list, select credential-based or certificate-based authentication. If you select Certificates, click Select and choose the client certificate for authentication, entering the name of the SCEP certificate profile created earlier; for details, see Creating Certificate Profile.

This procedure creates a Manual VPN connection. The user must establish the connection manually from ISAC.

Collecting Log Files from Ivanti Secure Access Client for Android

Logs may sometimes be requested by the Ivanti support team to diagnose issues with the Ivanti Secure Access Client on Android.

  1. On the Android device, start the Ivanti Secure Access Client app.

  2. From the bottom menu, click on the lifesaver.

  3. At the bottom of the screen, click Send Logs.

  4. The logs are attached to a new message in the default mail client. Enter the email address to send the logs to.

If mail is not configured on the Android device, the logs cannot be gathered.

Dark Theme Support

Ivanti Secure Access Client follows the dark or light theme selected in the mobile device settings.

Voice Over Support

Ivanti Secure Access Client supports voice-over instructions as configured in the mobile device settings.

UI Mode Switching

Ivanti Secure Access Client supports switching between the classic UI and the New-UX. Use Menu > UI mode to switch between the modes.

 

.