App Based VPN Solution (AirWatch / MobileIron and more) with Qlik Sense
Connectivity to the Qlik Sense Hub using a Per App VPN has been positively validated with iOS 13.5 (May 2020). However older releases of iOS 13 do not support Qlik Sense Mobile together with Per App VPN.
When using a Per-App VPN on an IOS device with older iOS versions, only a white screen or app rain is presented when trying to access a Qlik Sense application. This does not affect users on Android devices.
Known iOS issues in iOS 10, early iOS 11 affected modern web browsers, and all Airwatch/MobileIron managed web browsers. As Qlik Sense requires websockets communication (a HTML 5 standard) between web client and Qlik Sense web server, communication on those iOS versions could not be guaranteed.
Furthermore iOS 13.0 (Sept 2019) broke “Split Tunneling” capabilities that Qlik Sense Mobile requires for Per App VPN connectivity to on-premise instances of Qlik Sense Enterprise. This prevented Qlik Sense Mobile from working properly with MobileIron, PaloAlto GlobalProtect, AirWatch and other Enterprise Mobility Management (EMM) suites.
We recommend that Qlik customers configure their EMM to disable automatic upgrades to iOS 14.0 (when available) until it has been confirmed that Apple continues to support the required connectivity.
Browser connectivity from iOS devices to Qlik Sense Enterprise requires that the browser utilizes Apple’s WKWebView rendering engine. The older (now deprecated) UIWebView engine does not support Qlik’s stylesheets satisfactorily, and may not route websocket traffic correctly (for example, Citrix Secure Web v20.5 uses UIWebView and does not support Websocket Connectivity to on-premise instances of Qlik Sense Enterprise even though the corresponding Netscaler Appliance does).
It may be necessary to enable a KeepAlive feature in the Qlik Sense Proxy, to prevent Network Infrastructure from prematurely terminating apparently idle websocket connections. Such terminations cause a “Lost Connection” message to be displayed to the User, and they have to refresh the browser (losing their Current Selections) to proceed with their analysis.
Qlik Sense Mobile uses TCP communication between components within the app, and the VPN Client must be configured with “Split Tunneling” to ignore 127.0.0.1 traffic otherwise Qlik Sense Mobile will display a blank screen or a networking error message. Properly configured AirWatch and MobileIron environments do now (since iOS 13.4) support connectivity to Qlik Sense Enterprise.