The Secure Microtunnel policy establishes a dedicated IPsec tunnel for each individual mobile app, protecting that app's data in transit. Only the secured app has access to its tunnel, so a rogue or malicious app on the same device cannot use the connection to reach, or perform reconnaissance on, corporate networks.
Note: A mobile user on an IPv6 network can establish a secure microtunnel to the Blue Cedar Gateway if the IPv6 network includes a NAT64 gateway connection to the gateway.
The Mobile User Experience
The first time users launch an app that requires a secure connection, they are asked to enter their credentials, and they see any acceptable use policy that has been configured on the gateway.
The Secure Microtunnel policy also includes several checks and settings that may affect the mobile user experience:
- Offline mode: If the app cannot connect or loses its connection, the user may be able to continue using the app offline, or the app may terminate, depending on the offline mode setting and whether the app has successfully enrolled. (Configured in the Secure Microtunnel profile. See Offline mode behavior.)
- Multiple auth-groups: Users who are not part of an authorized auth-group see an "unable to connect" error. For more information about setting the auth-group, see the Secure Microtunnel profile details and "Configuring AAA" in the Gateway IT Administrator's Guide.
Offline mode behavior
You can enable offline mode within the Secure Microtunnel policy to let end users keep using corporate apps even when no connection is available, for example in an environment with no cell or Wi-Fi coverage, or when the device must be in airplane mode. If offline mode is not enabled, users cannot access a secured app while there is no connection to the corporate servers. Note that with offline mode enabled, a previously enrolled app keeps running with no live connection to the gateway at all, so enable it only for apps where that is acceptable.
When offline mode is disabled, the app behaves like this:
| Situation | App behavior |
|---|---|
| The app starts but cannot establish a secure connection to the gateway. | The app terminates. |
| The app connects to the gateway successfully, then loses connectivity. | The app attempts to reconnect indefinitely. |
When offline mode is enabled:
| Situation | App behavior |
|---|---|
| At app startup, the app cannot connect to the gateway and has never successfully enrolled with the gateway. | The app terminates. (The user must enroll successfully before offline mode can apply.) |
| At app startup, the app cannot connect to the gateway but has previously enrolled with the gateway. | The app continues to run and attempts to connect to the gateway in the background. |
| The app connects to the gateway successfully, then loses connectivity. | The app continues to run and attempts to connect to the gateway in the background. |
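The two tables above are a decision table over three inputs (offline mode setting, prior enrollment, and whether the tunnel failed at startup or dropped later). The following is an added example, not Blue Cedar's code, that models that table as a small state machine and checks two invariants a reviewer would want to confirm before enabling offline mode: an app that has never enrolled can never run without a tunnel, and an app with offline mode disabled never does either. The state and event names, the `WrappedApp` class, and the assumption that a successful connection also counts as enrollment are illustrative assumptions, not documented behavior.

```python
"""Model of the Secure Microtunnel offline-mode decision table (added example,
not Blue Cedar's code). State/event names and WrappedApp are assumptions."""
from dataclasses import dataclass
from enum import Enum, auto
from itertools import product


class State(Enum):
    STARTING = auto()      # app launched, first tunnel attempt not finished yet
    ONLINE = auto()        # secure microtunnel to the gateway is up
    OFFLINE = auto()       # running with no tunnel, retrying in background (offline mode only)
    RECONNECTING = auto()  # tunnel dropped with offline mode disabled: retries indefinitely
    TERMINATED = auto()    # app exited because it could not start without a tunnel


class Event(Enum):
    CONNECT_OK = auto()    # tunnel established, at startup or on a retry
    CONNECT_FAIL = auto()  # startup attempt (or a retry) failed
    LINK_LOST = auto()     # an established tunnel was lost


@dataclass
class WrappedApp:
    offline_mode: bool
    enrolled: bool = False     # has this app ever enrolled successfully with the gateway?
    state: State = State.STARTING

    def handle(self, event: Event) -> State:
        s = self.state
        if s is State.TERMINATED:
            return s                       # a terminated app processes nothing further
        if event is Event.CONNECT_OK:
            self.enrolled = True           # assumption: a successful connection includes enrollment
            self.state = State.ONLINE
        elif event is Event.CONNECT_FAIL:
            if s is State.STARTING:
                # Startup without a tunnel: offline mode only helps an app that enrolled before.
                can_run_offline = self.offline_mode and self.enrolled
                self.state = State.OFFLINE if can_run_offline else State.TERMINATED
            # A failed retry in OFFLINE or RECONNECTING changes nothing: keep retrying.
        elif event is Event.LINK_LOST:
            if s is State.ONLINE:
                self.state = State.OFFLINE if self.offline_mode else State.RECONNECTING
        return self.state


def simulate(offline_mode: bool, enrolled: bool, events) -> State:
    """Run an event sequence against a fresh app and return its final state."""
    app = WrappedApp(offline_mode, enrolled)
    for e in events:
        app.handle(e)
    return app.state


def invariants_hold(depth: int = 4) -> bool:
    """Exhaustively check every event sequence up to `depth` events:
    OFFLINE implies the app is enrolled, and OFFLINE implies offline mode is enabled."""
    for offline_mode, enrolled in product((False, True), repeat=2):
        for n in range(1, depth + 1):
            for seq in product(Event, repeat=n):
                app = WrappedApp(offline_mode, enrolled)
                for e in seq:
                    app.handle(e)
                    if app.state is State.OFFLINE and not (app.enrolled and app.offline_mode):
                        return False
    return True


if __name__ == "__main__":
    # Constructed scenarios mirroring the rows of the two tables.
    print(simulate(False, False, [Event.CONNECT_FAIL]))                   # TERMINATED
    print(simulate(False, False, [Event.CONNECT_OK, Event.LINK_LOST]))    # RECONNECTING
    print(simulate(True, False, [Event.CONNECT_FAIL]))                    # TERMINATED
    print(simulate(True, True, [Event.CONNECT_FAIL]))                     # OFFLINE
    print(simulate(True, False, [Event.CONNECT_OK, Event.LINK_LOST]))     # OFFLINE
    print("invariants hold:", invariants_hold())
```

Because `enrolled` starts False and is only set by a successful connection, the model enforces that offline operation is always preceded by an enrollment the gateway accepted; that is the property to verify against the real wrapped app, since it is what stops an unenrolled (and therefore unauthenticated) install from ever running with the offline setting.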