Secure Mobile Access 12.4 Administration Guide

VPN-Controlled Apps

When a Mobile Connect user removes authorization of an app, the application no longer remains a VPN-controlled app. Any further access through the app behaves like the app was never in the App. Checking or unchecking an app takes effect immediately. There is no need to disconnect and reconnect Mobile Connect.

When using Application Access Control, can a user continue to access network resources or personal web sites with an application approved for use if the user removes authorization of the application?

For example, while a user is accessing a corporate resource with Chrome (an application approved for use), the following applies:

  1. When Chrome is checked, Chrome can send traffic over the corporate network.

  2. When Chrome is unchecked, the client guarantees that none of the user’s traffic is sent via the tunnel to the corporate network.

  3. Whether Chrome is checked or unchecked, if the user navigates to a location not on the corporate network, that traffic flows out the user’s normal network interface. Traffic to/from a location not on the corporate network never uses the tunnel. That is, SMA always uses Split Tunnel and never redirects all traffic when using Application Access Control.

  4. Traffic to destinations inside the corporate network that the user has been granted access to will be either delivered to the tunnel if the app is checked or dropped if the app is unchecked. Traffic to destinations inside the corporate network will never flow out the normal interface of the user’s device.

    The checkbox only controls whether the traffic is dropped or sent down the tunnel; it cannot determine where the traffic will flow. That kind of dynamic routing is not something we can support with the current client interfaces.

It is not strictly true that applications under control are not affected by the VPN. If the Mobile Connect client is running and connected to the server, all traffic bound for IP addresses on the corporate network from ANY application (even those not listed) is captured. Traffic not from a listed application is dropped. This matters when there are IP address collisions: those same issues can occur with Application Access Control and will affect all applications on the user's device, whether or not they are under control.
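The decision rules above can be modeled as a small Python function. This is an added example, not SonicWall code; the subnets, app names and function names are constructed for illustration, and the corporate route list is assumed to be the set of destinations the user has been granted access to. It includes the IP address collision case, where a home LAN range overlaps a corporate range.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the guide).
CORPORATE_ROUTES = [ipaddress.ip_network(n)
                    for n in ("10.20.0.0/16", "192.168.1.0/24")]


def route_decision(app, dest_ip, checked_apps):
    """Return 'tunnel', 'drop' or 'normal-interface' for one outbound flow
    while the client is connected to the server."""
    dest = ipaddress.ip_address(dest_ip)
    if not any(dest in net for net in CORPORATE_ROUTES):
        # Split tunnel: off-corporate traffic never uses the tunnel,
        # whether the app is checked or not.
        return "normal-interface"
    # Corporate destination: captured for ANY app, listed or not.
    # It is tunneled only for a checked app and never leaves via
    # the device's normal interface.
    return "tunnel" if app in checked_apps else "drop"


def colliding_routes(local_network):
    """List corporate routes that overlap the device's local network.
    Flows to local hosts in these ranges are captured as corporate traffic."""
    local = ipaddress.ip_network(local_network)
    return [str(net) for net in CORPORATE_ROUTES if net.overlaps(local)]


if __name__ == "__main__":
    checked = {"chrome"}
    flows = [
        ("chrome", "10.20.5.9"),         # checked app, corporate host
        ("mail", "10.20.5.9"),           # unlisted app, corporate host
        ("chrome", "93.184.216.34"),     # checked app, internet host
        ("printer-app", "192.168.1.50"), # unlisted app, home printer in a colliding range
    ]
    for app, dest in flows:
        print(f"{app:12} -> {dest:15} {route_decision(app, dest, checked)}")
    print("colliding routes for home LAN:", colliding_routes("192.168.1.0/24"))
```

The last flow shows why collisions matter: the home printer's address falls inside a corporate range, so the unlisted app's traffic to it is dropped rather than delivered locally.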
