Deploying VMware Workspace ONE Tunnel for iOS: VMware Workspace ONE Operational Tutorial

VMware Workspace ONE UEM 9.4 and later

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, you explore how to configure and deploy the VMware Workspace ONE® Tunnel app to enable per-app VPN on an enrolled device. Procedures include creating and configuring a VPN profile and testing VPN access to VMware Workspace ONE® Web. You also configure Safari domain profiles and test Safari domains with per-app VMware Tunnel.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Workspace ONE® Access (formerly VMware Identity Manager) and VMware Workspace ONE® UEM is also helpful.

Deploying VMware Workspace ONE Tunnel for iOS

Introduction

Leveraging Per-App VPN allows you to control which applications on a device have access to your VPN by automatically enabling or disabling VPN access, based on which applications are active. You no longer need to provide a device-wide VPN on your devices, which can allow unintended or unauthorized apps or processes to access your VPN. In this tutorial, you explore how to configure and deploy VMware Workspace ONE® Tunnel to enable per-app VPN on an enrolled device.

These exercises involve the following components:

  • VMware Tunnel Client – The app used to securely connect to the VMware tunnel server (host) to provide Per-App VPN functionality
  • Tunnel Server (Host) – The physical or virtual server (Linux, Windows, UAG) where the tunnel service is installed, and to which the tunnel client connects
  • Per-App Tunnel – The service that provides a secure tunnel channel (VPN) on a per-application basis, controlled and configured by the Per-App VPN profile
  • Per-App Tunnel Profiles – The Workspace ONE UEM profile that is pushed to the device that contains the Per-App VPN configurations that the tunnel client reads for Per-App VPN

Prerequisites

Before you can perform this exercise, you must meet the following requirements.

  • Workspace ONE UEM version 9.4 or later
  • iOS 7.0+ device enrolled in Workspace ONE UEM

In addition, you need to create a VPN tunnel. For more information, see Configuring the VMware Tunnel Edge Service: VMware Workspace ONE Operational Tutorial.

Logging In to the Workspace ONE UEM Console

To perform most of the steps in this exercise, you must first log in to the Workspace ONE UEM Console.

1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

3. Authenticate to the Workspace ONE UEM Console

  1. Enter your Username, for example, administrator.
  2. Click Next. After you click Next, the Password text box is displayed.
  3. Enter your Password, for example, VMware1!
  4. Click Login.

Note: If you see a Captcha, be aware that it is case sensitive.

Creating Per-App VPN Profile

For iOS 7+ devices and Android Enterprise devices, you can force selected applications to connect through your corporate VPN. Your VPN provider must support this feature, and you must publish the applications as managed applications.

In this activity, you configure the iOS profile which configures the tunnel client on the device to allow only designated applications to access content on internal servers.

1. Add a New Profile

  1. Click Add.
  2. Click Profile.

2. Select the OS for the Profile

Click Apple iOS.

3. Configure the General Properties of the Profile

  1. Enter the name, such as Per-App VPN in this example screenshot.
  2. Click the Assigned Smart Group field and select your device's assignment group. For example, select All Devices (your@email.shown.here).

4. Add a VPN Payload

  1. Click VPN from the Payload menu.
  2. Click Configure to access the VPN payload settings.

5. Configure the VPN Payload

  1. Select VMware Tunnel from the Connection Type drop-down menu.
  2. Select the Enable VMware Tunnel check box.
  3. Click Save & Publish.

6. Publish the VPN Profile

Click Publish.

Publishing VMware Tunnel as a Public App

In this activity, you deploy an application configured to use the VPN tunnel on iOS.

Note: A VPN tunnel must be set up before you begin adding it as a public application. For more information, see Configuring the VMware Tunnel Edge Service: VMware Workspace ONE Operational Tutorial.

1. Add VMware Tunnel as a Public App

  1. Click Add.
  2. Click Public Application.

2. Search the App Store for Tunnel App

  1. Select Apple iOS for the Platform.
  2. Enter an application Name. For example, VMware Tunnel.
  3. Click Next.

3. Select the VMware Tunnel Result

Click Select for the VMware Tunnel result.

4. Save and Assign VMware Tunnel

Click Save & Assign.

5. Add Assignment for VMware Tunnel

Click Add Assignment.

6. Configure VMware Tunnel Assignment Settings

  1. Click the Selected Assignment Groups field to display the list of created Assignment Groups. Enter All Devices, and select the All Devices (your@email.shown.here) group.
  2. Select Auto for the App Delivery Method.

7. Configure Policies for VMware Tunnel

  1. Scroll down to find the Policies section.
  2. Select Enabled for Remove On Unenroll.
  3. Click Add.

8. Confirm Assignment and Save

  1. Verify that the assignment you created is displayed.
  2. Click Save & Publish.

9. Preview Assigned Devices and Publish

Click Publish.

Configuring Workspace ONE Web for Per-App VPN

Now that the tunnel client is assigned to the appropriate group, you can add an application enabled to use Per-App Tunnel. After enabling the setting that allows an application to use VPN, you must select the VPN profile that the app should use. Any application that you want to leverage Per-App VPN is pushed to the device from the Workspace ONE UEM Console as a managed app. There is one exception to this, which is the Safari application on iOS. This is covered in detail in a later exercise.

In this activity, you add an application (Workspace ONE Web) from the Public App store to be associated with the VPN profile you created.

1. Add Public Application

  1. Click Add.
  2. Click Public Application.

2. Search for the Application

  1. Select Apple iOS from the Platform drop-down menu.
  2. Enter the app name in the Name text box. For example, Workspace ONE Web.
  3. Click Next.

3. Select Workspace ONE Web

Click Select on the Workspace ONE Web application.

4. Save and Assign Workspace ONE Web

Click Save & Assign.

5. Add Assignment for Workspace ONE Web

Click Add Assignment.

6. Configure Workspace ONE Web Assignment Settings

  1. Click the Selected Assignment Groups field. This displays the list of created Assignment Groups. Enter All Devices and select the All Devices (your@email.shown.here) group.
  2. Select AUTO for the App Delivery Method.

7. Configure Policies for Workspace ONE Web

  1. Scroll down to find the Policies section.
  2. Select Enabled for Remove On Unenroll.
  3. Select Enabled for App Tunneling.
  4. Select the profile named Per-App VPN that you created earlier.
  5. Click Add.

8. Confirm Assignment and Save

  1. Confirm that the Assignment you configured is displayed.
  2. Click Save & Publish.

9. Preview Assigned Devices and Publish

Click Publish.

Testing Per-App VPN on iOS

Now that the device is enrolled and has received the settings configured in the Workspace ONE UEM Console, you are ready to begin testing the Per-App VPN functionality. The applications assigned in the previous exercises should push down during enrollment. The VMware Tunnel and Workspace ONE Web applications should be installed on your device.

In this activity, you launch Workspace ONE Web and access the internal website. Then you verify that, although the VPN connection is active, other applications on the device are not able to access the tunnel or internal resources.

1. Launch Workspace ONE Web

Press the Home button on your device to return to the Launchpad. Swipe right to see the downloaded applications, if needed.

Tap the Workspace ONE Web icon to launch the application. If prompted, select OK to allow Workspace ONE Web to send your device push notifications.

2. Accept the Privacy Prompt

Tap I understand to accept the Privacy prompt.

3. Agree to the Data Sharing Prompt

Tap I agree to accept the Data Sharing Prompt.

4. Access the Internal Website with Workspace ONE Web

  1. When the application launches, enter the URL for your intranet website, such as https://internal.airwlab.com.
  2. Note how the VPN icon appears, indicating the connection is active. The application now connects to Workspace ONE UEM and retrieves the settings for your Organization Group.
  3. Note how the website loads and displays a Welcome message.

5. Select the URL from the Workspace ONE Web

  1. Press & hold the Navigation Bar in Workspace ONE Web.
  2. Click Select All to highlight the URL for the internal site.

6. Copy the URL from the Workspace ONE Web

Select Copy.

7. Open Safari

Return to the launchpad by pressing the Home button on your device. Open Safari by selecting the icon from the Launcher.

8. Paste the URL Into the Safari Browser

  1. Open a new tab by selecting the + sign on the navigation bar.
  2. Select the entry box on the navigation bar.
  3. Press and hold the entry box for a count of two, release, and then select Paste.
  4. Select Go on the keyboard.

Note: The website does not load in the Safari browser due to DNS failure. The website is published to an internal DNS that can only be accessed when the VPN connection is being used. Although the VPN connection might remain active (look for the VPN icon in the status bar), Safari is not designated as an application that is allowed to use the Per-App VPN Tunnel. You may have multiple VPN configurations and multiple apps assigned for each VPN. Most public applications (apps using Cocoa framework) are compatible with per-app VPN on iOS.

Configuring Safari Domain Profiles

In this activity, you update the previously created Per-App VPN profile with a Safari Domains entry so that the native Safari browser can use the VPN tunnel on iOS for that domain.

1. Update the Per-App VPN Profile

Return to the Workspace ONE UEM Console.

  1. Click Devices.
  2. Click Profiles & Resources.
  3. Click Profiles.
  4. Select the edit icon next to the Per-App VPN profile.

2. Add Version to Update the Existing Profile

  1. Click Add Version to allow editing.
  2. Select the VPN payload on the left.

3. Configure Safari Domains

  1. In the Safari Domains text box, enter the URL for your intranet website. For example, https://internal.airwlab.com.
    Note: The syntax for Safari Domains does not require a wildcard character. Enter only the domain host name to whitelist the entire domain to initiate VPN in Safari.
  2. Click Save & Publish.

4. Publish the Updated VPN Profile

Click Publish.

Testing Safari Domains with Per-App Tunnel

Now that the VPN profile has been updated to include the domain tested in the first example in the Safari Domains list, you can confirm that these settings have updated on the device and test the settings in the native Safari application.

1. Open Device Settings

Tap Settings.

2. Open VPN Settings

  1. Tap General.
  2. Scroll down to find the VPN section.
  3. Tap VPN.

3. Select Your VPN Configuration

Tap VPN Configuration #XXXXXX from your Per-App VPN profile.

4. View Included Per-App VPN Apps

All managed applications from the Workspace ONE UEM Console that are enabled to use Per-App VPN and domains listed in Safari Domains in the VPN profile appear in this list.

Whitelisting a domain in the Safari Domains list initiates a VPN connection on demand whenever the user browses to a site within this domain.

Note: Wildcards are not required when whitelisting a Safari Domain. The entire domain is automatically whitelisted for VPN On Demand when added to VPN profile.
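The scope shown on the device in this step (managed apps bound to the VPN profile, plus the Safari Domains entries) can be reviewed from the administrator side before publishing. The following script is an added example, not part of this tutorial or of Workspace ONE UEM; it parses a constructed iOS configuration profile that uses Apple's com.apple.vpn.managed payload keys (VPNUUID, SafariDomains) and a constructed map of each managed app's VPNUUID attribute, then reports which apps and domains would use the tunnel and flags entries that contradict the notes above (a URL instead of a host name, an unnecessary wildcard, or an app bound to a VPN profile that does not exist). The bundle identifiers, UUID and server address are placeholders.

```python
import plistlib

# Constructed sample profile modeled on Apple's com.apple.vpn.managed payload.
# The RemoteAddress and UUID are placeholders, not real values.
PROFILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.vpn.managed</string>
  <key>UserDefinedName</key><string>Per-App VPN</string>
  <key>VPNUUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>SafariDomains</key><array>
    <string>internal.airwlab.com</string>
    <string>*.wildcard.example</string>
    <string>https://scheme.example</string>
  </array>
  <key>VPN</key><dict><key>RemoteAddress</key><string>tunnel.placeholder.example</string></dict>
</dict></array></dict></plist>"""

# Constructed: bundle id -> VPNUUID attribute sent with the app's InstallApplication
# command when App Tunneling is enabled (None = tunneling disabled, like the Tunnel client).
MANAGED_APPS = {
    "com.example.workspaceone-web": "11111111-2222-3333-4444-555555555555",
    "com.example.tunnel-client": None,
    "com.example.stale-app": "99999999-0000-0000-0000-000000000000",
}

def per_app_vpn_scope(profile_bytes, managed_apps):
    """Return ({VPNUUID: {"name", "apps", "safari_domains"}}, [finding, ...])."""
    scope, findings = {}, []
    for p in plistlib.loads(profile_bytes)["PayloadContent"]:
        if p.get("PayloadType") != "com.apple.vpn.managed" or "VPNUUID" not in p:
            continue  # not a per-app VPN payload (device-wide VPN has no VPNUUID)
        domains = list(p.get("SafariDomains", []))
        for d in domains:
            if "://" in d or "/" in d:
                findings.append(f"{d}: enter only the domain host name, not a URL")
            elif d.startswith("*"):
                findings.append(f"{d}: wildcard not required, the whole domain is matched")
        scope[p["VPNUUID"]] = {"name": p.get("UserDefinedName", ""),
                               "apps": [], "safari_domains": domains}
    for bundle_id, vpn_uuid in managed_apps.items():
        if vpn_uuid is None:
            continue  # App Tunneling disabled: app never uses the tunnel
        if vpn_uuid in scope:
            scope[vpn_uuid]["apps"].append(bundle_id)
        else:
            findings.append(f"{bundle_id}: bound to VPNUUID {vpn_uuid}, which no profile defines")
    return scope, findings

if __name__ == "__main__":
    scope, findings = per_app_vpn_scope(PROFILE_PLIST, MANAGED_APPS)
    for uuid, s in scope.items():
        print(s["name"], "apps:", s["apps"], "Safari domains:", s["safari_domains"])
    for f in findings:
        print("WARNING:", f)
```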

5. Open Safari

Return to the launchpad by pressing the Home button on your device. Open Safari by selecting the icon from the Launcher. The VPN icon should not be displayed in the toolbar.

6. Browse to the Internal URL

Browse to http://internal.airwlab.com

Notice that the website now loads in the Safari browser after the VPN profile is updated to include your intranet website in the Safari Domains list, whitelisting the domain for Per-App VPN. The website is published to an internal DNS that can be accessed only when the VPN connection is in use.

Summary and Additional Resources

Conclusion

This operational tutorial provided steps to leverage native Per-App VPN capabilities by publishing Per-App VPN profiles to your devices to ensure that only authorized apps are accessing your VPN. This eliminates the user requirement to manually start and end VPN connections based on what apps they are accessing. It also provides an extra layer of security to your corporate resources by ensuring that non-authorized apps are unable to connect to your VPN.

Terminology Used in This Tutorial

The following terms are used in this tutorial:

application store A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
catalog A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud Asset of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
device enrollment The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as Workspace ONE Access (formerly VMware Identity Manager).
identity provider (IdP) A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
mobile device management (MDM) agent Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
one-touch login A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
service provider (SP) A host that offers resources, tools, and applications to users and devices.
virtual desktop The user interface of a virtual machine that is made available to an end user.
virtual machine A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level-up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture, which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.

About the Author

This tutorial was written by:

  • Andreano Lanusse, End-User-Computing Staff Architect, Technical Marketing, VMware.

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.