
Secure Microtunnel profiles (UI)

Configuring the Secure Microtunnel profile

Use a Secure Microtunnel profile to set the options below for the Secure Microtunnel policy. (See Policy profiles for general information about managing policy profiles.)

Click Apps, then Android or iOS, then the app you want to secure. The App details screen appears.

Click the settings gear on the Secure Microtunnel panel. The Policy details page appears, where you can create a new profile or edit an existing profile. 

Click + Secure Microtunnel Profile to create a new profile, or click the View/Edit profile icon next to an existing Secure Microtunnel profile. The Profile details page appears.

Name the profile, and configure the other options: 

VPN Server

Server Label: A human readable name to identify the gateway that you want the app to connect to.

Server Address: A numeric IP address or a fully qualified host name.

If users may be on IPv6 networks, Blue Cedar recommends using a host name instead of an IP address for the Server Address. A host name resolves correctly on both IPv4 and IPv6 networks.

Authentication method

(IKEv1 only) Choose one of the following authentication methods.

Digital Certificate

By default, the policy console sets the authentication method to "Digital Certificate". This is the required setting that allows for automatic client certificate provisioning for a mobile device.

Also by default, the policy console displays a Client certificate provisioning mode checkbox that is pre-selected for "Enable automatic client certificate provisioning". This is the required setting to enable the easy certificate enrollment and provisioning feature on the gateway.

Note: For details about the gateway's easy certificate enrollment feature, see "Setting up certificate enrollment" in the Gateway IT Administrator's Guide.

To enroll the client certificates manually, clear the Client certificate provisioning mode check box. This disables the easy certificate enrollment that the gateway provides. In this case, you must manually install the certificates on the mobile device itself.

Pre-shared Key (PSK)

If you select this method, the policy console provides two options for entering the Pre-shared Key (PSK):

  • If you enter the PSK into the "Pre-shared Key (PSK)" field, Blue Cedar automatically and securely applies the PSK to the app.
  • If you do not enter the PSK into the "Pre-shared Key (PSK)" field, the app prompts the user of the mobile device to enter the PSK during login to the app. Blue Cedar recommends that you leave this field empty to make the user provide the PSK.

If you change the PSK on the gateway after securing the app, then you must re-secure the app with the new PSK and have the end user install the updated secured app on their device. Otherwise, the existing secured app fails to work with the gateway.

When using PSK, Blue Cedar recommends using an IP address instead of a host name for the VPN Server Address, to protect against DNS poisoning: an attack that compromises a DNS name server's records and reroutes traffic to an attacker-chosen IP address.

Note that using specific IP addresses fails for users on IPv6-only networks.

Authentication group

To assign the Secure Microtunnel profile to a specific gateway-defined auth-group, enter the name of the group in the Authentication group box. This group must be configured on the gateway. See "Configuring AAA" in the Gateway IT Administrator's Guide.

Server's Certificate Authority (CA) certificate

(IKEv1 only; Digital Certificate only) Click "Choose File" to select the trust anchor certificate for the gateway server.

Valid format: The certificate must be a PEM-encoded certificate file. Apps secured with DER-encoded certificates cannot communicate with the gateway.

IKE parameters

IKE Version

Choose the IKE version for your VPN server.

  • IKEv1: Also configure the other authentication options.
  • IKEv2: Experimental. Requires an IKEv2-based Blue Cedar Connect Gateway (currently Beta).

DH Group

Choose a DH Group (Diffie-Hellman group) from one of these available values:

  • Group Default. Choosing this option allows the protected app to negotiate any of the available groups (1, 2, 5, 14). If you need a specific DH Group, choose that group explicitly.
  • Group 1
  • Group 2
  • Group 5
  • Group 14

If you choose a group other than "Default", it must agree with the group configured on the gateway you are connecting to. If the groups do not match, the gateway cannot establish the tunnel.
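The recommendations above (host name versus IP literal, PSK handling, PEM-only CA certificate, and the DH Group values the console offers) can be checked before you click Save. The following is an added example, not Blue Cedar's own code; it lints a profile expressed as a plain dictionary whose keys (server_address, auth_method, psk, ca_cert, dh_group) are assumptions of this example, not console identifiers.

```python
import ipaddress
import re

PEM_CERT_RE = re.compile(rb"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)
DH_GROUPS = {"default", "1", "2", "5", "14"}  # the values the console offers

def classify_address(addr):
    """Return 'ipv4', 'ipv6' or 'hostname' for a Server Address value."""
    try:
        return "ipv4" if ipaddress.ip_address(addr).version == 4 else "ipv6"
    except ValueError:
        return "hostname"

def ca_cert_format(data):
    """'pem' for a PEM certificate block, 'der' if the file starts with a DER
    SEQUENCE tag (0x30), otherwise 'unknown'."""
    if PEM_CERT_RE.search(data):
        return "pem"
    return "der" if data[:1] == b"\x30" else "unknown"

def lint_profile(p):
    """Return (level, message) findings for a profile dict; auth_method is
    'certificate' or 'psk'. The rules mirror the recommendations on this page."""
    out = []
    kind = classify_address(p["server_address"])
    if p["auth_method"] == "psk":
        if kind == "hostname":
            out.append(("warn", "PSK with a host name: an IP address resists DNS poisoning"))
        if p.get("psk"):
            out.append(("warn", "PSK embedded in app: changing it on the gateway means re-securing the app"))
    elif ca_cert_format(p.get("ca_cert", b"")) != "pem":
        out.append(("error", "CA certificate is not PEM-encoded; DER-secured apps cannot reach the gateway"))
    if kind == "ipv4":
        out.append(("warn", "IPv4 literal fails for users on IPv6-only networks"))
    g = str(p.get("dh_group", "default")).lower()
    if g not in DH_GROUPS:
        out.append(("error", f"DH group {g!r} is not offered; use default, 1, 2, 5 or 14"))
    elif g != "default":
        out.append(("info", f"DH group {g} must match the group configured on the gateway"))
    return out

# Constructed sample: PSK profile pointing at a host name, key embedded, group 14
SAMPLE = {"server_address": "vpn.example.com", "auth_method": "psk",
          "psk": "s3cret", "ca_cert": b"", "dh_group": "14"}

if __name__ == "__main__":
    for level, msg in lint_profile(SAMPLE):
        print(f"{level}: {msg}")
```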

App Options

Select "Allow app to run offline after initial enrollment" to apply offline mode as described in Offline mode behavior.

Click Save changes. This profile is available when you apply the Secure Microtunnel policy to an app.

Enabling the Secure Microtunnel policy

Before enabling the Secure Microtunnel policy, you must define a Secure Microtunnel profile. 

Click Apps, then Android or iOS, then the app you want to secure. The App details screen appears.

Under Policies to apply, click the triangle to expand the Secure Microtunnel panel.

Select "Enable Secure Microtunnel policy."

Choose a Secure Microtunnel profile.

Click Apply policies.
