Qlik Sense Client-Managed Mobile and per-app VPN support for MobileIron
The Qlik Sense Client-Managed Mobile app supports per-app VPN tunneling when deployed using MobileIron Core or MobileIron Cloud.
Together with MobileIron Sentry, the MobileIron Tunnel delivers per-app VPN functionality which provides endpoint security by limiting connections at the application level, instead of at a device level.
The following are the current minimum requirements for MobileIron support:
- MobileIron Tunnel version 4.0
- One of:
  - iOS version 13.4, 64-bit
  - Android version 9, 64-bit
Starting with MobileIron Tunnel 4.0, applications using localhost or the loopback IP 127.0.0.1 are supported for Per App VPN if one of the following conditions is true:
- The ProviderType in the VPN config is set to use the Layer-3 packet-tunnel.
- The ProviderType in the VPN config is set to use the Layer-4 app-proxy and a new key-value pair DirectLocalhost = True is added to the Tunnel config to prevent the VPN client from routing app-internal TCP traffic to the VPN.
Idle connections from the mobile device to Qlik Sense may be prematurely terminated, interrupting the Qlik user experience, unless TcpIdleTmoMs = 300000 is added to the Custom Data key-value pairs. Note that this must be explicitly configured, and is different from the Disconnection Timeout that is also visible.
Provider Type | Sentry Service Type | Custom Data | iOS | Android |
---|---|---|---|---|
packet-tunnel (recommended) | IP_ANY | TcpIdleTmoMs=300000 | Supported | Supported |
app-proxy | TCP_ANY | DirectLocalhost=True and TcpIdleTmoMs=300000 | Supported | Not Applicable |
Customizing the MobileIron Sentry configuration
The Sentry Profile must include a MobileIron Tunnel service configured with the Service Type above, corresponding with the Provider Type that will be used by MobileIron Tunnel.
Customizing the MobileIron Tunnel configuration
Follow the steps below to customize the MobileIron Tunnel configuration.
Do the following:
- Create a MobileIron Tunnel Per App VPN configuration.
- Select the Provider Type.
- Select the Sentry Profile.
- Select the Sentry Service that corresponds with the Provider Type:
  - IP_ANY for packet-tunnel
  - TCP_ANY for app-proxy
- Select the SCEP Identity that is used by the MobileIron Tunnel client to authenticate to the MobileIron Sentry.
- Identify your internal DNS Servers in the DNS Resolver IP, for example 172.16.0.100;172.16.0.101.
- Record your Domain Names in Match Domains, for example example.com;example.local.
- Add Custom Data key-value pairs:
  - TcpIdleTmoMs=300000
  - DirectLocalhost=true
- Add Safari Domains that will be routed through VPN, for example:
  - *.example.com
  - *.example.local
- Click Next.
- In Distribution rules, select the devices this configuration is distributed to.
- Click Done.
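
One way to check a Tunnel configuration against the table and steps above before distributing it, as an added example that is not Qlik or MobileIron code. The dictionary layout, the function names and the two sample configurations are assumptions made up for illustration; only the provider types, service types and Custom Data keys come from this page.

```python
# Added example: the config layout (dict keys) is an assumption, not a MobileIron export format.
REQUIRED_SERVICE = {"packet-tunnel": "IP_ANY", "app-proxy": "TCP_ANY"}
IDLE_TIMEOUT_MS = "300000"


def parse_custom_data(lines):
    """Turn ['Key=Value', ...] into a dict, keeping keys exactly as typed."""
    data = {}
    for line in lines:
        key, sep, value = line.partition("=")
        if sep:
            data[key.strip()] = value.strip()
    return data


def check_tunnel_config(cfg):
    """Return a list of findings; an empty list means the config matches the table."""
    provider = cfg.get("provider_type")
    if provider not in REQUIRED_SERVICE:
        return [f"unknown provider type: {provider!r}"]

    findings = []
    custom = parse_custom_data(cfg.get("custom_data", []))
    if cfg.get("sentry_service") != REQUIRED_SERVICE[provider]:
        findings.append(f"{provider} requires Sentry service {REQUIRED_SERVICE[provider]}")
    if custom.get("TcpIdleTmoMs") != IDLE_TIMEOUT_MS:
        findings.append("TcpIdleTmoMs=300000 is not set; idle connections may be terminated")
    if provider == "app-proxy":
        # Value compared case-insensitively (assumption): the page writes both True and true.
        if custom.get("DirectLocalhost", "").lower() != "true":
            findings.append("app-proxy requires DirectLocalhost=True for localhost traffic")
        if cfg.get("platform") == "android":
            findings.append("app-proxy is listed as Not Applicable on Android")
    return findings


# Constructed sample configurations.
GOOD = {"platform": "ios", "provider_type": "packet-tunnel", "sentry_service": "IP_ANY",
        "custom_data": ["TcpIdleTmoMs=300000"]}
# Wrong service for the provider, mistyped timeout, no DirectLocalhost, Android with app-proxy.
BAD = {"platform": "android", "provider_type": "app-proxy", "sentry_service": "IP_ANY",
       "custom_data": ["TcpIdleTmoMs=30000"]}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_tunnel_config(cfg) or "ok")
```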