Solution

  • Workspace ONE

Type

  • Document

Level

  • Overview

Category

  • Operational Tutorial

Product

  • Workspace ONE UEM

Technology

  • Tunnel

OS/Platform

  • iOS

Phase

  • Manage

Deploying VMware Workspace ONE Tunnel: VMware Workspace ONE Operational Tutorial

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, explore how to configure and deploy the VMware Workspace ONE Tunnel app across iOS, Android, macOS, and Windows platforms to enable Per-App Tunnel on a managed device. Procedures include enabling per-app tunneling on managed devices and SDK-enabled applications, configuring Tunnel policies, deploying the client and profiles to devices, and general lifecycle maintenance.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking in a virtual environment and knowledge of VMware Unified Access Gateway and VMware Workspace ONE® UEM are assumed.

Getting Started with Per-App Tunnel

Introduction

Workspace ONE Tunnel enables secure access for mobile workers and devices. Users have a simple experience and need not enable or interact with Tunnel, and IT organizations may take a least-privilege approach to enterprise access, ensuring that only defined apps and domains have access to the network.

Tunnel provides industry-best security: it builds on TLS 1.2+ libraries, implements SSL pinning to prevent man-in-the-middle (MITM) attacks, and uses client certificate whitelisting to ensure identity integrity. Combined with explicit definitions of managed applications and integration with the Workspace ONE compliance engine, Tunnel can help customers attain Zero Trust goals for their workforce.

Prerequisites

Before you can perform the steps in this tutorial, you must install and configure the following components:

  • VMware Unified Access Gateway 3.9 with VMware Tunnel edge service configured
  • Workspace ONE UEM 1909 and later
  • A device for the platform you plan to use (Windows 10, macOS, Android, or iOS)

Ensure the following settings are enabled in the Workspace ONE UEM Console:

  • Organization Group created and set as Customer Type 
  • Device Root Certificate issued
  • VMware Tunnel configured

1. Confirm VMware Tunnel Edge Service is Configured

The remainder of this section assumes you have configured the VMware Tunnel edge service on the Unified Access Gateway. For more information, see Configuring the VMware Tunnel Edge Service: VMware Workspace ONE Operational Tutorial. The following steps demonstrate how to validate that the edge service is configured.

1.1. Navigate to Configurations

Devices > Dashboard

In the Workspace ONE UEM Console:

  1. Click Groups & Settings.
  2. Click Configurations.

1.2. Select Tunnel Settings

Groups & Settings > Configurations
  1. Scroll through the list of Configurations if necessary.
  2. Select Tunnel.

1.3. Select Test Connection

Groups & Settings > Configurations

Select Test Connection.

1.4. Confirm Successful Test Connection

Groups & Settings > Configurations

Ensure that both the Console to AWCM and Tunnel to API tests report Success.

Understanding Network Traffic Rules

Network traffic rules allow you to set granular control over how the VMware Tunnel Edge Service on Unified Access Gateway directs traffic from devices.

Workspace ONE UEM defines two types of network traffic rules in support of Workspace ONE Tunnel:

  • Server Traffic Rules
  • Device Traffic Rules

You can create device traffic rules to control how devices handle traffic from specified applications and server traffic rules to manage network traffic when you have third-party proxies configured.

Device Traffic Rules

The Device Traffic Rules define how traffic from specified applications is routed by the Workspace ONE Tunnel application. The device traffic rules serve as a locally enforced Access Control List, defining which apps and destinations should be blocked, tunneled, proxied, or bypass the tunnel completely.

The device traffic rules are created and ranked to give an order of execution. Every time a specified app is opened, the Tunnel client evaluates the Device Traffic Rules assigned to it before making any routing decisions. If no rule matches the situation, the Tunnel client applies the default action. The default action, set for all applications except Safari, applies to domains not mentioned in a rule. If no rules are specified, the default action applies to all domains. The device traffic rules you create apply to all VPN VMware Tunnel profiles in the organization group in which the rules are created.

Server Traffic Rules

The Server Traffic Rules enable you to manage how application traffic is routed through your network after it traverses the Tunnel service on the Unified Access Gateway infrastructure. Specifically, if you require the use of proxies in your network or for external access, those proxies can be defined and configured as part of the Server Traffic Rules.

Configuration of Server Traffic Rules is not covered in this tutorial. For additional information, see Configure Server Traffic Rules in VMware Docs.

Supported Platforms

VMware Tunnel Edge Service supports network traffic rules for the following platforms:

  • iOS devices with VMware Workspace ONE Tunnel for iOS.
  • macOS devices with VMware Workspace ONE Tunnel for macOS.
  • Android devices with VMware Workspace ONE Tunnel for Android.
  • Windows desktop devices with VMware Workspace ONE Tunnel Desktop application.

Per-App tunneling is also supported on unmanaged devices using SDK-enabled applications. The Workspace ONE SDK is available on iOS and Android.

Per-App Tunnel Support for MAM Workflow

Many organizations do not need to manage devices for their mobile fleets for various reasons, including possible privacy or legal issues. However, they might need to distribute mobile applications to access internal resources, so Workspace ONE UEM offers the flexibility of deploying the standalone catalog (MAM workflow) that works independently of the MDM feature.

Applications that leverage the Workspace ONE SDK, such as Workspace ONE Web, can be configured to access internal web applications through Per-App Tunnel. The Workspace ONE Tunnel app is not required for this scenario. Also, organizations that develop internal apps can integrate with Workspace ONE SDK to enable access from unmanaged devices. Workspace ONE SDK is available on iOS and Android platforms.

In a MAM mode scenario, users do not have to enroll the device and the Workspace ONE Tunnel app is not required; instead, they use the Intelligent Hub app in register mode to access the Workspace ONE UEM standalone catalog. This catalog distributes all application types: public, purchased, internal, and web. Although end-user devices are not enrolled in MDM, you can access a device record in the Workspace ONE UEM console. The device record is for auditing purposes, and the status of these devices in the UEM console displays as App Catalog Only.

Configuration Requirements for MAM

To enable the MAM workflow, navigate to Groups and Settings > Apps > Settings and Policies > Security Policies in the Workspace ONE UEM Console.

  1. Select Enabled to enable the AirWatch App Tunnel.
  2. Select VMware Tunnel for the App Tunnel Mode.

After that, define the Device Traffic Rules for the iOS and Android SDK-enabled applications which will be covered later as part of this tutorial.

As a reminder, when using the MAM workflow, devices must be enrolled in register mode using the Workspace ONE Intelligent Hub, the SDK-enabled apps must be deployed through the Hub catalog, and the Workspace ONE Tunnel app is not required.

Next Steps

The procedures in this tutorial consist of the following:

  • Device Traffic Rule configuration
  • Deployment of Per-App VPN Profile
  • Deployment of Workspace ONE Tunnel Client
  • Testing configurations on the chosen device

The procedures are almost the same for each platform. To make any platform-specific details clear and keep you focused on the platform of your choice, the following steps in this tutorial are organized per platform. Select one of the following:

Deploying Workspace ONE Tunnel for iOS

Introduction

Per-App Tunneling helps users access critical information using applications on their devices. Mobile flows help users perform business-critical tasks from a single app, streamlining the user experience.

Leveraging Per-App Tunnel allows you to control which applications on a device and what internal resources the applications have access to by automatically enabling or disabling Per-App VPN access, based on which applications are active. By enabling remote access, you no longer need to provide a device-wide VPN on your devices, which can allow unintended or unauthorized apps or processes to access your VPN. In this tutorial, you configure and deploy VMware Workspace ONE Tunnel to enable the Per-App Tunnel component on managed devices.

These exercises involve the following components:

  • Workspace ONE Tunnel – The app used on the device to securely connect to the Unified Access Gateway to provide Per-App Tunnel functionality, also referred to as Tunnel Client.
  • Unified Access Gateway – The virtual appliance where the VMware Tunnel edge service is installed, and to which the tunnel client connects.
  • Per-App Tunnel – Component of VMware Tunnel edge service for connecting to a secure tunnel channel on a per-application basis, which is controlled and configured by the VPN profile payload and Device Traffic Rules.
  • Per-App VPN Profile and Device Traffic Rules – The Workspace ONE UEM configuration that is pushed to the device and contains the Per-App Tunnel configurations. Every time a specified application is opened, the Workspace ONE Tunnel client evaluates the Device Traffic Rules assigned to it before making any routing decisions, and establishes a Per-App Tunnel connection with the Unified Access Gateway based on the Per-App VPN Profile configuration.

High-Level Architecture

Example of Per-App Tunnel remote access using Workspace ONE Tunnel iOS application.

The device contains the applications required by the end user to perform their daily job. Some applications require access to internal resources to function. Those applications, based on the Per-App VPN configuration, use Workspace ONE Tunnel, which communicates with the Tunnel service on the Unified Access Gateway hosted in the DMZ to validate whether the requesting device is in compliance before authorizing access to the internal resource.

Prerequisites

Before you can configure the Per-App Tunnel component for iOS, you must have the following components installed and configured:

  • Workspace ONE UEM version 9.4 and later
  • iOS 7.0+ device enrolled in Workspace ONE UEM
  • VPN Tunnel must be configured before you can add it as an application
  • Workspace ONE Tunnel application for iOS

Configuring Device Traffic Rules for iOS

First, because Apple's Mail, Calendar, and Contacts applications may contain both corporate and personal data, administrators must take an extra step to define the corporate-owned domains that should be marked for Per-App Tunnel.

Device traffic rules provide a centralized location to configure which domain traffic uses per-app tunneling. When a Workspace ONE administrator configures domains for Safari on iOS, Workspace ONE automatically merges these parameters into the VPN payload sent to iOS devices. These parameters allow the VMware Tunnel edge service to apply the appropriate device traffic rules for those specific domains.

Second, Safari is another app that may be used for personal use on a corporate device. As such, Safari cannot be configured to tunnel all traffic. Device traffic rules for Safari must specify the domain and top-level domain component (for example, vmware.com), although an asterisk (*) may be used to wildcard subdomains (for example, *.vmware.com).

Note: Domain values used in this section are examples only. Your values will differ.

1. Access Configurations

The Configurations for Groups and Settings in the Workspace ONE UEM Console.

In the Workspace ONE UEM Console:

  1. Click Groups & Settings.
  2. Click Configurations.

2. Select Tunnel Settings

The list of Configurations in the Workspace ONE UEM Console.
  1. Scroll through the list of Configurations if necessary.
  2. Select Tunnel.

3. Edit Device Traffic Rules

The Device Traffic Rules for Tunnel Configuration in Workspace ONE UEM Console.

From within the Device Traffic Rules information block on the Tunnel Configuration page, click Edit.

4. Observe Default Device Traffic Rule

Groups & Settings > Configurations
  1. Observe (and optionally modify) the default action which applies to all iOS applications selected to use Per-App VPN except Safari:
    • Tunnel – All apps, except Safari, on the device configured for Per-App Tunnel send network traffic through the tunnel. For example, set the Default Action to Tunnel to ensure all configured apps without a defined traffic rule use the Workspace ONE Tunnel for internal communications.
    • Block – Blocks all apps, except Safari, on the device configured for Per-App Tunnel from sending network traffic. For example, set the Default Action to Block to ensure that all configured apps without a defined traffic rule cannot send any network traffic regardless of destination.
    • Bypass – All apps, except Safari, on the device configured for Per-App Tunnel bypass the tunnel and connect to the Internet directly. For example, set the Default Action to Bypass to ensure all configured apps without a defined traffic rule bypass the Workspace ONE Tunnel to access their destination directly.
  2. Click Add Device Traffic Rule.

5. Build Device Traffic Rule

Groups & Settings > Configurations
  1. Click the drop-down for the Applications list. Alternatively, select All Applications in the drop-down to apply the rule to all iOS applications listed there, which are the ones to which you assigned the Per-App VPN profile.
  2. Select one or more iOS apps for which this rule applies.
  3. Enter one or more destinations to control via Workspace ONE Tunnel.
  4. Select the Action to apply for the selected apps when they attempt to access the specified destinations.

Tip: iOS apps are automatically added to the Applications selection list after you enable an application for Per-App Tunnel when creating assignments in Apps and Books.

Note: Wildcards must follow one of these formats:

  • *.<domain>.*
  • *<domain>.*
  • *.* — You cannot use this wildcard for Safari rules.
  • * — You cannot use this wildcard for Safari rules.
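
To check how a ranked rule set will route a given app and destination before you publish it, here is an added Python model of the Device Traffic Rule semantics described above (illustrative code, not part of the tutorial or of Workspace ONE). It assumes first-match-wins evaluation in rank order, that All Applications also covers Safari, and that Safari traffic matching no rule is left untouched by Tunnel; the app names and domains in the sample rule set are constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, List, Optional, Set, Tuple

ALL_APPS = "All Applications"   # drop-down choice covering every Per-App VPN app
SAFARI = "Safari"
ACTIONS = ("TUNNEL", "BLOCK", "BYPASS")
SAFARI_FORBIDDEN = ("*", "*.*")  # wildcard forms the tutorial disallows for Safari


def validate_destination(dest: str, covers_safari: bool) -> Optional[str]:
    """Return an error message if a destination is not acceptable, else None."""
    if not dest:
        return "empty destination"
    if covers_safari:
        # Safari rules must name the domain plus its top-level domain
        # (vmware.com, *.vmware.com); bare wildcards are rejected.
        if dest in SAFARI_FORBIDDEN or "." not in dest.strip("*."):
            return f"destination {dest!r} is not valid for a rule that covers Safari"
    return None


@dataclass
class DeviceTrafficRule:
    apps: Set[str]            # app names as listed in the console, or {ALL_APPS}
    destinations: List[str]   # hostnames or wildcard patterns (*.<domain>.*, *<domain>.*, ...)
    action: str

    def __post_init__(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        for dest in self.destinations:
            problem = validate_destination(dest, self.covers(SAFARI))
            if problem:
                raise ValueError(problem)

    def covers(self, app: str) -> bool:
        # Assumption: All Applications includes Safari once it is in the Per-App VPN list.
        return app in self.apps or ALL_APPS in self.apps

    def matches(self, host: str) -> bool:
        # '*' in the tutorial's wildcard forms spans dots, so glob matching fits.
        return any(fnmatchcase(host.lower(), dest.lower()) for dest in self.destinations)


class DeviceTrafficRules:
    """Ranked rule set: index 0 has the highest priority; first match wins (modelled)."""

    def __init__(self, default_action: str, rules: Iterable[DeviceTrafficRule]) -> None:
        if default_action not in ACTIONS:
            raise ValueError(f"unknown default action {default_action!r}")
        self.default_action = default_action
        self.rules = list(rules)

    def evaluate(self, app: str, host: str) -> Tuple[str, Optional[int]]:
        """Return (action, index of the rule that decided it) for one connection attempt."""
        for index, rule in enumerate(self.rules):
            if rule.covers(app) and rule.matches(host):
                return rule.action, index
        if app == SAFARI:
            # The default action never applies to Safari: unmatched Safari traffic is
            # not handled by Tunnel at all, modelled here as BYPASS with no rule index.
            return "BYPASS", None
        return self.default_action, None

    def shadowed(self) -> List[int]:
        """Indexes of rules that can never fire because a higher-ranked rule already
        covers every app they name with a superset of their destinations."""
        hidden = []
        for index, later in enumerate(self.rules):
            later_dests = {d.lower() for d in later.destinations}
            for earlier in self.rules[:index]:
                earlier_dests = {d.lower() for d in earlier.destinations}
                if later_dests <= earlier_dests and all(earlier.covers(a) for a in later.apps):
                    hidden.append(index)
                    break
        return hidden


# Constructed sample rule set (app names and domains are illustrative only).
RULES = DeviceTrafficRules(
    default_action="TUNNEL",
    rules=[
        DeviceTrafficRule({"Workspace ONE Web"}, ["intranet.example.com", "*.corp.example.com"], "TUNNEL"),
        DeviceTrafficRule({ALL_APPS}, ["*.social.example.*"], "BLOCK"),
        DeviceTrafficRule({SAFARI}, ["example.com", "*.example.com"], "TUNNEL"),
        DeviceTrafficRule({"Workspace ONE Web"}, ["intranet.example.com"], "BYPASS"),  # shadowed by rule 0
    ],
)

if __name__ == "__main__":
    for app, host in [("Workspace ONE Web", "intranet.example.com"), ("Safari", "news.example.org")]:
        print(app, host, RULES.evaluate(app, host))
    print("shadowed rules:", RULES.shadowed())
```

Run shadowed() on a candidate rule set before dragging rules into their final priority; a non-empty result means a lower rule is unreachable.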

6. Add Additional Rules and Publish

Groups & Settings > Configurations
  1. Click Add Device Traffic Rule and repeat Build Device Traffic Rule for any additional required rules.
  2. Drag the rules to adjust your Device Traffic Rules priority.
  3. After the Device Traffic Rules are configured as necessary, click Save and Publish.

Distributing Workspace ONE Tunnel for iOS

Workspace ONE Tunnel is an iOS application available for free on the App Store. It is also available for managed distribution volume licensing through Apple Business Manager and Apple School Manager. Use device-based licensing to distribute Workspace ONE Tunnel to corporate-managed iOS devices. This section demonstrates how to purchase Workspace ONE Tunnel and assign it to devices.

Note: The VPN tunnel should already be configured as part of the Prerequisites.

1. Get Workspace ONE Tunnel Licenses

Searching for Workspace ONE Tunnel application in Apple Business Manager.

In Apple Business Manager (or Apple School Manager):

  1. Click Apps and Books.
  2. Search for workspace tunnel in the search text box.
  3. Select Tunnel - Workspace ONE for iOS.
  4. Select the location for which you have uploaded the sToken into Workspace ONE UEM.
  5. Enter the quantity of licenses you want to purchase.
  6. Click Get. The button changes to Purchasing and when the purchase is complete changes back to Get.

2. Sync Assets in Workspace ONE UEM

The native application list view in Workspace ONE UEM console.

In the Workspace ONE UEM console:

  1. Click Apps & Books.
  2. Expand Applications and click Native.
  3. Select Purchased.
  4. Click Sync Assets.
  5. Click OK on the dialog box.
  6. Wait a few moments and click Refresh to update the app list.
  7. Click the Workspace ONE Tunnel app for iOS in the app list.

3. Enable Device Assignment

Applications > Native
  1. Click Enable Device Assignment.
  2. Click OK to confirm device-based licensing.
  3. Click Save & Assign.

4. Add Assignment

Applications > Native

Click Add Assignment.

5. Edit Assignment

Applications > Native
  1. Click Add Assignment.
  2. Select an Assignment Group (or alternatively, create a new smart group containing the targeted devices).
  3. Enter a number of licenses to allocate. Allocate up to the total number of unallocated licenses.
  4. Select Auto.
  5. Select Save.

6. Save Assignment

Applications > Native
  1. If more assignments are necessary, click Add Assignment and repeat the steps in Edit Assignment.
  2. Click Save and Publish then Publish when all assignments have been added.

Creating Per-App VPN Profile for iOS

For iOS 7+ devices and Android Enterprise devices, you can force selected applications to connect through your corporate VPN. Your VPN provider must support this feature, and you must publish the applications as managed applications.

In this activity, you configure the iOS profile which configures the tunnel client on the device to allow only designated applications to access content on internal servers.

1. Add a New Profile

Add Per-App VPN Profile in Workspace ONE UEM Console.
  1. Click Add.
  2. Click Profile.

2. Select the OS for the Profile

Select Apple iOS Profile in Workspace ONE UEM console.

Select Apple iOS.

3. Configure the General Properties of the Profile

  1. Enter the name, such as Per-App VPN in this example screenshot.
  2. Start typing the name of your device's smart group and select that group from the list. For example, select All Devices (your@group.shown.here) as the assigned Smart Group.
  3. Click VPN then click Configure.

4. Configure the VPN Payload

Configure the VPN Payload in iOS device profile.
  1. Select Workspace ONE Tunnel from the Connection Type drop-down menu.
  2. Select the Enable VMware Tunnel check box.
  3. Add any Mail, Contacts, and Calendar domains. Do not configure Safari Domains here; these are configured in the Device Traffic Rules of the VMware Tunnel configuration (see Configuring Device Traffic Rules for iOS).
  4. Click Save & Publish then click Publish.

Note: Safari Domains should be configured in the Device Traffic Rules for Workspace ONE Tunnel.

Configuring Workspace ONE Web for Per-App Tunnel

Workspace ONE Web is part of the secure productivity app suite from VMware. Administrators can deploy Workspace ONE Web when data loss and copy/paste restrictions are critical to the business use case. In this activity, you distribute and configure Workspace ONE Web for Per-App Tunnel on iOS.

1. Get Workspace ONE Web Licenses

Apple Business Manager

In Apple Business Manager (or Apple School Manager):

  1. Click Apps and Books.
  2. Search for Workspace ONE Web in the search text box.
  3. Select Web - Workspace ONE for iOS.
  4. Choose the location for which you have uploaded the sToken into Workspace ONE UEM.
  5. Enter the quantity of licenses you want to purchase.
  6. Click Get. The button changes to Purchasing and when the purchase is complete, it changes back to Get.

2. Sync Assets in Workspace ONE UEM

Applications > Native

In the Workspace ONE UEM console:

  1. Click Apps & Books.
  2. Expand Applications and click Native.
  3. Click Purchased.
  4. Click Sync Assets.
  5. Click OK on the dialog box.
  6. Wait a few moments and click Refresh to update the app list.
  7. Click the Web - Workspace ONE app for iOS in the app list.

3. Enable Device Assignment

Applications > Native
  1. Click Enable Device Assignment.
  2. Click OK to confirm device-based licensing.
  3. Click Save & Assign.

4. Add Assignment

Applications > Native

Click Add Assignment.

5. Edit Assignment

Applications > Native
  1. Click Add Assignment.
  2. Select an Assignment Group (or alternatively, create a new smart group containing the targeted devices).
  3. Enter a number of licenses to allocate. Allocate up to the total number of unallocated licenses.
  4. Select Auto for Assignment Type.
  5. Select Enabled for Remove on Unenroll.
  6. Select Enabled for Prevent Application Backup.
  7. Select Enabled for Make App MDM Managed if User Installed.
  8. Select Enabled and then select the Per-App VPN profile created in Creating Per-App VPN Profile for iOS.
  9. Click Save.

6. Save Assignment

Applications > Native
  1. If more assignments are necessary, click Add Assignment and repeat the steps in Edit Assignment.
  2. Click Save and Publish then Publish when all assignments have been added.

Testing Safari Domains with Per-App Tunnel

Now that the VPN profile includes a domain in the Safari Domains list, you can confirm that these settings have updated on the device and test the settings in the native Safari application.

1. Open Device Settings

Open Device Settings

Tap Settings.

2. Open VPN Settings

Open VPN Settings
  1. Tap General.
  2. Scroll down to find the VPN section.
  3. Tap VPN.

3. Select Your VPN Configuration

Select Your VPN Configuration

Tap VPN Configuration from your Per-App VPN profile.

4. Verify Included Per-App VPN Apps

View Included Per-App VPN Apps

All managed applications from the Workspace ONE UEM Console that are enabled to use Per-App VPN and have an associated Device Traffic Rule appear in this list. Note that Safari is displayed to show that domains are configured for tunneling in Safari.

5. Open Safari

Open Safari

Return to the Launchpad by pressing the Home button on your device.

Tap the Safari icon. The VPN icon should not be displayed in the toolbar.

6. Browse to the Internal URL

Browse to http://internal.airwlab.com
  1. Enter the URL for a website that is accessible only through VPN.
  2. Confirm that the VPN indicator is displayed when iOS launches the VPN and connects.
  3. Confirm that the internal page loads.

Testing Per-App Tunnel on iOS

Now that the enrolled device has received the settings configured in the Workspace ONE UEM Console, you are ready to begin testing the Per-App Tunnel functionality. The applications assigned in the previous exercises should push down during enrollment. The VMware Tunnel and Workspace ONE Web applications should be installed on your device.

In this activity, launch Workspace ONE Web and access the internal website. Then verify that, although the VPN connection is active, other applications on the device cannot access the tunnel or internal resources.

1. Launch Workspace ONE Web

Launch the VMware Browser

Press the Home button on your device to return to the Launchpad. Swipe right to see the downloaded applications, if needed.

Tap the Workspace ONE Web icon to launch the application. If prompted, select OK to allow Workspace ONE Web to send push notifications to your device.

2. Create and Confirm Password

  1. If prompted, create a passcode for Workspace ONE Web.
  2. Click Next.
  3. Confirm the passcode by entering it again.
  4. Click Confirm.

3. Accept the Privacy Prompt

Tap I understand to accept the Privacy prompt.

4. Agree to the Data Sharing Prompt

Tap I agree to accept the Data Sharing Prompt.

5. Access the Internal Website with Workspace ONE Web

  1. When the application launches, enter the URL for your intranet website.
  2. Confirm that the VPN icon appears, indicating the connection is active. The application now connects to Workspace ONE UEM and retrieves the settings for your Organization Group.
  3. Confirm that the website loads. In this example, it displays a Welcome message.

Note: Depending on the Workspace ONE Web and SDK settings configured at your particular organization group level, the address bar may not be editable. This configuration is called Kiosk Mode. To work around this, there are two options which can be configured at Groups & Settings > Configurations > Workspace ONE Web:

  • Click the Bookmarks tab, click Override (if necessary), click Add Bookmark, enter a name and URL for the testing URL, and click Save.
  • Scroll the settings to Kiosk Mode and click Disabled. Click Save.

These changes affect the Default settings for Workspace ONE Web in this Organization Group and all inherited organization groups unless otherwise configured.

Troubleshooting Per-App Tunnel on iOS

This section contains some basic steps for troubleshooting Per-App Tunnel on iOS.

1. Open Workspace ONE Tunnel


On an enrolled iOS device, tap Tunnel.

2. Continue to Tunnel Status


Tap Continue.

3. Accept the Privacy Prompt

Tap I understand to accept the Privacy prompt.

4. Agree to the Data Sharing Prompt

Tap I agree to accept the Data Sharing Prompt.

5. Validate Device Connectivity

  1. Ensure the device and Internet connectivity are OK (showing a green checkmark symbol).
  2. Tap the logging icon.

6. Enable Debug Logging


Adjust the slider to Enable Debug.

Tip: With Enable Debug turned on, Workspace ONE administrators can view logging information for the iOS device as follows:

  1. Plug the iOS device into a device running macOS.
  2. Ensure the iOS device trusts the connection to macOS.
  3. Connect to Console, by either:
    1. Open Apple Configurator 2 and double-click the test iOS device. Click Console to view the output from the device.
    2. Open Console.app and select the iOS device from the left side.
  4. Search for tunnel or iOSAppProxyProvider.


Deploying Workspace ONE Tunnel for macOS

Introduction

Per-App Tunneling helps users access critical information using applications on their devices. Mobile flows help users perform business-critical tasks from a single app, streamlining the user experience.

Leveraging Per-App Tunnel allows you to control which applications on a device and what internal resources the applications have access to by automatically enabling or disabling Per-App VPN access, based on which applications are active. By enabling remote access, you no longer need to provide a device-wide VPN on your devices, which can allow unintended or unauthorized apps or processes to access your VPN. In this tutorial, you configure and deploy VMware Workspace ONE Tunnel to enable the Per-App Tunnel component on managed devices.

These exercises involve the following components:

  • Workspace ONE Tunnel – The app used on the device to securely connect to the Unified Access Gateway to provide Per-App Tunnel functionality, also referred to as Tunnel Client.
  • Unified Access Gateway – The virtual appliance where the VMware Tunnel edge service is installed, and to which the tunnel client connects.
  • Per-App Tunnel – Component of VMware Tunnel edge service for connecting to a secure tunnel channel on a per-application basis, which is controlled and configured by the VPN profile payload and Device Traffic Rules.
  • Per-App VPN Profile and Device Traffic Rules – The Workspace ONE UEM configuration that is pushed to the device and contains the Per-App Tunnel configurations. Every time a specified application is opened, the Workspace ONE Tunnel client evaluates the Device Traffic Rules assigned to it before making any routing decisions, and establishes a Per-App Tunnel connection with the Unified Access Gateway based on the Per-App VPN Profile configuration.

High-Level Architecture

The device contains the applications required by the end user to perform their daily job. Some applications require access to internal resources to function. Those applications, based on the Per-App VPN configuration, use Workspace ONE Tunnel, which communicates with the Tunnel service on the Unified Access Gateway hosted in the DMZ to validate whether the requesting device is in compliance before authorizing access to the internal resource.

Prerequisites

Before you can perform the steps in this exercise, you must have the following components installed and configured:

  • Workspace ONE UEM version 1909 and later
  • macOS Mojave and later enrolled in Workspace ONE UEM
  • The latest version of Workspace ONE Tunnel for macOS from the macOS App Store

Configuring Device Traffic Rules for macOS

First, because Apple's Mail, Calendar, and Contacts applications may contain both corporate and personal data, administrators must take an extra step to define the corporate-owned domains that should be marked for Per-App VPN. The Mail, Calendar, and Contacts apps do not automatically adhere to device traffic rules. Administrators must specify which domains are corporate-owned by enabling the Mail, Contacts, and Calendar domains parameters in the VPN profile payload. Enabling these parameters in the VPN payload allows the VMware Tunnel edge service to apply the appropriate device traffic rules for those specific domains.

Second, Safari is another app that may be used for personal use on a corporate device. As such, Safari cannot be configured to tunnel all traffic. Device traffic rules for Safari must specify the domain and top-level domain component (for example, vmware.com), although an asterisk (*) may be used to wildcard subdomains (for example, *.vmware.com).

Note: Domain values used in this section are examples only. Your values will differ.

1. Access Configurations

Devices > Dashboard

In the Workspace ONE UEM Console:

  1. Click Groups & Settings.
  2. Click Configurations.

2. Select Tunnel Settings

Groups & Settings > Configurations
  1. Scroll through the list of Configurations if necessary.
  2. Select Tunnel.

3. Edit Device Traffic Rules

Groups & Settings > Configurations

From within the Device Traffic Rules information block on the Tunnel Configuration page, click Edit.

4. Add macOS Application to Rule Builder

Groups & Settings > Configurations

Click Add Windows or macOS Application.

5. Define the Application

Groups & Settings > Configurations
  1. Select macOS for Platform.
  2. Enter the friendly name of the application, for example, Firefox Browser. The friendly name is displayed in the Device Traffic Rule.
  3. Enter the application's package ID, which is the Identifier value displayed by running the following command:
     codesign -dv --entitlements - /path/to.app
  4. Enter the application's designated requirement, which is displayed to the right of the => sign in the output of the following command:
     codesign -d -r- /path/to.app
  5. For macOS 10.15 (Catalina) and later, enter a path if you are creating a device traffic rule for a binary or command-line utility bundled within an application. For example, the executable vmware-remotemks must be whitelisted with path details along with the VMware Horizon Client application.
  6. Click Save.


Using Firefox as an example, a Workspace ONE administrator would see the commands and values as follows:

techzone@testmac ~ % codesign -dv --entitlements - /Applications/Firefox.app
Executable=/Applications/Firefox.app/Contents/MacOS/firefox
Identifier=org.mozilla.firefox
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=415 flags=0x10000(runtime) hashes=4+5 location=embedded
Signature size=9018
Timestamp=Oct 1, 2019 at 9:08:41 PM
Info.plist entries=26
TeamIdentifier=43AQ936H96
Runtime Version=10.11.0

<<< trimmed for length >>>

techzone@testmac ~ % codesign -d -r- /Applications/Firefox.app
Executable=/Applications/Firefox.app/Contents/MacOS/firefox
designated => anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "43AQ936H96"

As highlighted in the terminal output, the necessary information is as follows:

  • Package ID: org.mozilla.firefox
  • Designated Requirement: anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "43AQ936H96"
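Copying these two values out of the terminal by hand is error-prone, so the following added shell example (not part of the tutorial) extracts the Identifier and the designated requirement from codesign output. The function names are my own, the sample output is constructed to mirror the Firefox example above, and the live helper only works on a Mac where codesign exists.

```shell
#!/bin/sh
# Added example (not from the tutorial): pull the Package ID and Designated
# Requirement for a Device Traffic Rule out of codesign output.
# Function names are my own; the sample output below is constructed to mirror
# the Firefox example in the text so the parsing can be checked off a Mac.

# Print the Identifier= value from `codesign -dv --entitlements - <app>`
# output read from stdin. codesign writes this metadata to stderr, so the
# live helper below redirects with 2>&1.
codesign_identifier() {
  sed -n 's/^Identifier=//p' | head -n 1
}

# Print the requirement text after "designated =>" from
# `codesign -d -r- <app>` output read from stdin.
codesign_designated_requirement() {
  sed -n 's/^designated => //p' | head -n 1
}

# Live helper (macOS only): run both codesign commands against a bundle and
# print the two values in the form the rule builder asks for.
dtr_values_for_app() {
  app="$1"
  if ! command -v codesign >/dev/null 2>&1; then
    echo "codesign not found; run this on macOS" >&2
    return 1
  fi
  pkg_id=$(codesign -dv --entitlements - "$app" 2>&1 | codesign_identifier)
  req=$(codesign -d -r- "$app" 2>&1 | codesign_designated_requirement)
  printf 'Package ID: %s\nDesignated Requirement: %s\n' "$pkg_id" "$req"
}

# Constructed sample output (shortened copy of the Firefox example above).
SAMPLE_DV='Executable=/Applications/Firefox.app/Contents/MacOS/firefox
Identifier=org.mozilla.firefox
Format=app bundle with Mach-O thin (x86_64)
TeamIdentifier=43AQ936H96'

SAMPLE_REQ='Executable=/Applications/Firefox.app/Contents/MacOS/firefox
designated => anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "43AQ936H96"'

if [ -n "${1:-}" ]; then
  # Usage: sh dtr_values.sh /Applications/Firefox.app
  dtr_values_for_app "$1"
else
  # No argument: show the parsing on the constructed sample.
  printf 'Package ID: %s\n' "$(printf '%s\n' "$SAMPLE_DV" | codesign_identifier)"
  printf 'Designated Requirement: %s\n' "$(printf '%s\n' "$SAMPLE_REQ" | codesign_designated_requirement)"
fi
```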

Caution: Some apps spawn helper applications to assist with background tasks. One particular example of this is Google Chrome, which performs network functions outside the Google Chrome.app process in a Google Chrome Helper process. In this case, the helper application must be added to the Device Traffic Rule, otherwise specific settings must be changed client-side.  

In the case of Google Chrome, perform the following:

  1. In the URL field, type chrome://flags
  2. Search for network in the Search Flags text box.
  3. Set Runs network service in-process to Enabled and relaunch Google Chrome before proceeding with testing.

6. Add Device Traffic Rule

Groups & Settings > Configurations
  1. Observe (and optionally modify) the default action which applies to all macOS applications except Safari:
    • Tunnel – All apps, except Safari, on the device configured for Per-App Tunnel send network traffic through the tunnel. For example, set the Default Action to Tunnel to ensure all configured apps without a defined traffic rule use the Workspace ONE Tunnel for internal communications.
    • Block – Blocks all apps except Safari, on the device configured for Per-App Tunnel from sending network traffic. For example, set the Default Action to Block to ensure that all configured apps without a defined traffic rule cannot send any network traffic regardless of destination.
    • Bypass – All apps, except Safari, on the device configured for Per-App Tunnel bypass the tunnel and connect to the Internet directly. For example, set the Default Action to Bypass to ensure all configured apps without a defined traffic rule bypass the Workspace ONE Tunnel to access their destination directly.
  2. Click Add Device Traffic Rule.

7. Build Device Traffic Rule

In the newly created Device Traffic Rule:

  1. Click the down arrow to display the Application list.
  2. Select one or more triggering applications to control with this rule. In case you select All Applications, the rule will be applied only to Safari and macOS applications selected in additional rules defined as part of the Device Traffic Rules.
  3. Enter one or more comma-separated fully qualified domain names as destinations to which Workspace ONE Tunnel should apply the Device Traffic Rule. A single asterisk (*) can be used as a wildcard for subdomains.  
  4. Select the Appropriate Action for Workspace ONE Tunnel to perform on traffic from the selected apps:
    • Tunnel – Sends app network traffic for specified domains through the tunnel to your internal network.
    • Block – Blocks all traffic sent to specified domains.
    • Bypass – Bypasses the Workspace ONE Tunnel so the application accesses specified domains directly.
    • Proxy – Redirect traffic to the specified HTTPS proxy for the listed domains. The proxy must be HTTPS and must follow the correct format: https://example.com:port.
  5. If necessary, adjust the Device Traffic Rules rank in the list. Lower-numbered rank is highest priority.
  6. Click Save.

Note: Wildcards must follow one of these formats:

  • *.<domain>.*
  • *<domain>.*
  • *.* — You cannot use this wildcard for Safari rules.
  • * — You cannot use this wildcard for Safari rules.

8. Add Additional Rules and Publish

Groups & Settings > Configurations
  1. Click Add Device Traffic Rule and repeat Build Device Traffic Rule for any additional required rules.
  2. Drag the rules to adjust your Device Traffic Rules priority.
  3. When the Device Traffic Rules are configured as necessary, click Save and Publish.

Distributing Workspace ONE Tunnel for macOS

Workspace ONE Tunnel is a macOS application available for free on the Mac App Store. It is also available for managed distribution volume licensing through Apple Business Manager and Apple School Manager. Use device-based licensing to distribute Workspace ONE Tunnel to managed macOS devices. This section demonstrates how to purchase Workspace ONE Tunnel and assign it to devices.

Note: The VPN tunnel should already be configured as part of the Prerequisites.

1. Get Workspace ONE Tunnel Licenses

Search for Workspace ONE Tunnel in Apple Business Manager.

In Apple Business Manager (or Apple School Manager):

  1. Click Apps and Books.
  2. Search for workspace tunnel in the search text box.
  3. Select Tunnel - Workspace ONE for macOS.
  4. Choose the location for which you have uploaded the sToken into Workspace ONE UEM.
  5. Enter the quantity of licenses you want to purchase.
  6. Click Get. The button changes to Purchasing and when the purchase is complete changes back to Get.

2. Sync Assets in Workspace ONE UEM

Sync assets for native purchased Workspace ONE Tunnel application in the Workspace ONE UEM Console.

In the Workspace ONE UEM console:

  1. Click Apps & Books.
  2. Expand Applications and click Native.
  3. Click Purchased.
  4. Click Sync Assets.
  5. Click OK on the dialog box.
  6. Wait a few moments and click Refresh to update the app list.
  7. Click the Workspace ONE Tunnel app in the app list.

3. Enable Device Assignment

Applications > Native
  1. Click Enable Device Assignment.
  2. Click Save & Assign.

4. Add Assignment

Applications > Native

Click Add Assignment.

5. Edit Assignment

Applications > Native
  1. Select an Assignment Group (or alternatively, create a new smart group containing the targeted devices).
  2. Enter a number of licenses to allocate. Allocate up to the total number of unallocated licenses.
  3. Select Auto for Assignment Type.
  4. Select Save.

6. Save Assignment

Applications > Native
  1. If more assignments are necessary, click Add Assignment and repeat the steps in Edit Assignment.
  2. Click Save and Publish when all assignments have been added.

7. Publish Assignment

Applications > Native

Click Publish.

Creating Per-App VPN Profile for macOS

Before device traffic rules take effect on macOS, Workspace ONE administrators must deploy a VPN profile payload that configures macOS to leverage Workspace ONE Tunnel. In this activity, you create the macOS profile which configures the tunnel client on the device to allow only designated applications to access content on internal servers.

1. Add Profile

Applications > Native
  1. Click Add.
  2. Click Profile.

2. Select Platform

Devices > List View

Select macOS.

3. Select Context

Devices > List View

Select Device Profile.

4. Complete General Profile Details

Devices > List View
  1. Enter a name for the profile, for example, Per-App VPN.
  2. Select Auto as the assignment type
  3. Select one or more Smart Groups to assign the VPN profile (or create a new smart group).
  4. Click the VPN payload.

5. Configure Payload


Click Configure.

6. Edit Profile Payload Details

  1. Enter a name for the Per-App VPN Connection, for example, VMware Per-App VPN.
  2. Select Workspace ONE Tunnel as the Connection Type.
  3. If required, select the check boxes for Enable Mail Domains, Enable Contacts Domains, and Enable Calendar Domains.
  4. For each check box, enter a domain which should be tunneled.
  5. If multiple domains are required, click Add to enter an additional domain. Repeat as necessary.
  6. Click Save and Publish.

7. Publish Profile

Profiles & Resources > Profiles

Click Publish.

Testing Per-App Tunnel on macOS

With the settings configured in the Workspace ONE UEM Console, administrators can test the Per-App Tunnel functionality on an enrolled device. The Workspace ONE Tunnel assigned in the previous exercises should install automatically during enrollment. As part of testing, the applications defined in the Device Traffic Rules should be deployed as described in Deploying Third-Party macOS Applications: VMware Workspace ONE Operational Tutorial.

As a reminder, the prerequisites for testing Per-App Tunnel on macOS include the following:

  • Tunnel Edge Service configured on Unified Access Gateway
  • Device Traffic Rules configured in Workspace ONE UEM
  • Workspace ONE Tunnel and additional apps defined in Define Traffic Rules deployed to an enrolled device running macOS
  • A valid endpoint that is not accessible to the apps on the device except via per-app Tunnel

Validate Per-App Tunnel based on Device Traffic Rules

Test Per-App Tunnel on a macOS device.
  1. Open an app specified in a Device Traffic Rule and ensure the application attempts to connect to the mapped domain name(s).
  2. Open an app that is not specified in a Device Traffic Rule, such as Safari (which will not adhere to the default Device Traffic Rule due to the wildcard mapping). Ensure the same mapped domain name does not work.

In the section of this tutorial where device traffic rules were created for macOS, Firefox was the allowed application. In the screenshot, note that Firefox is launched and attempts a connection to an approved (wildcard) destination (#1). Also, observe that Safari (which was not granted access to the tunnel) cannot connect to the endpoint.

Extending Tunnel Configuration for Kerberos SSO in macOS Catalina

With macOS Catalina, Apple introduced a new single sign-on (SSO) extension framework and included a built-in Kerberos SSO extension. The Kerberos SSO extension syncs passwords between a user's account in Active Directory and the local macOS account. It also brings Kerberos SSO functionality directly into the OS via MDM-manageable payloads. This tutorial aims to help experienced Workspace ONE administrators to configure the Kerberos SSO extension for macOS Catalina, and enable off-network access for the extension through per-app tunneling.

Software Prerequisites

Before using this section of the tutorial, Workspace ONE administrators must ensure the following software version prerequisites are met:

  • Workspace ONE UEM version 1909+
  • macOS Catalina 10.15.0+

Optionally, if configuring the SSO Extension to use Per-App Tunnel, administrators should meet these additional prerequisites:

  • Unified Access Gateway 3.8+
  • VMware Tunnel app for macOS version 4.1+

Configuration Prerequisites

Before using this section of the tutorial, Workspace ONE administrators must complete the following types of configurations within their environment:

  • Microsoft Active Directory
  • Internal Websites or applications configured for Kerberos Authentication

    • Microsoft IIS should be configured for Windows Authentication with Negotiate as the primary enabled provider. When connecting to the IIS-hosted site from a web browser configured in the Device Traffic Rule, the browser should prompt for Username/Password prior to completion of this section as macOS should have no Kerberos awareness.

1. Validate No Pre-Existing Kerberos Tickets

Confirm no pre-existing Kerberos tickets before enabling remote access.
  1. Press CMD+SpaceBar (⌘+Space) and enter terminal into the Finder window.
  2. Select Terminal to open Terminal.app.
  3. Enter klist and press Return on the keyboard.
  4. Ensure that there are no Kerberos Tickets and the command returns No credentials cache file found.

2. Validate Kerberos Application or Website Fails

  1. Launch an application which should be Kerberos-enabled. If using a website, browse to the Kerberos-enabled website.
  2. Note that authentication either fails (as there are no Kerberos tickets) or reverts to a non-Kerberos authentication type (such as certificate authentication or username/password).

3. Define the Kerberos Extension in Device Traffic Rules

To connect the SSO Kerberos Extension over Per-App Tunnel, you must add the appropriate device traffic rules to the Tunnel configuration to support this. This section covers how to add the appropriate device traffic rules.

3.1. Access Configurations

Devices > Dashboard

In the Workspace ONE UEM Console:

  1. Click Groups & Settings.
  2. Click Configurations.

3.2. Select Tunnel Settings

Groups & Settings > Configurations
  1. Scroll through the list of Configurations if necessary.
  2. Select Tunnel.

3.3. Edit Device Traffic Rules

Groups & Settings > Configurations

From within the Device Traffic Rules information block on the Tunnel Configuration page, click Edit.

3.4. Add macOS Application to Rule Builder

Groups & Settings > Configurations

Click Add Windows or macOS Application.

3.5. Define the Application

Groups & Settings > Configurations
  1. Select macOS for Platform.
  2. Enter the friendly name of the application, for example, Kerberos SSO Extension.
  3. Enter the application's Package ID (com.apple.AppSSOKerberos.KerberosExtension), which is the Identifier value displayed by running the command:
     codesign -dv --entitlements - /System/Library/PrivateFrameworks/AppSSOKerberos.framework/PlugIns/KerberosExtension.appex/Contents/MacOS/KerberosExtension
  4. Enter the application's Designated Requirement (identifier "com.apple.AppSSOKerberos.KerberosExtension" and anchor apple), which is displayed to the right of the => sign in the output of the following command:
     codesign -d -r - /System/Library/PrivateFrameworks/AppSSOKerberos.framework/PlugIns/KerberosExtension.appex/Contents/MacOS/KerberosExtension
  5. Enter the following Path:
     /System/Library/PrivateFrameworks/AppSSOKerberos.framework/PlugIns/KerberosExtension.appex/Contents/MacOS/KerberosExtension
  6. Click Save.

3.6. Add Device Traffic Rule

Groups & Settings > Configurations
  1. Click Add Device Traffic Rule.
  2. Click the down arrow in the Application column of the new device traffic rule.
  3. Select Kerberos SSO Extension (or whatever friendly name you defined in the previous step).
  4. Select Tunnel as the action.
  5. Configure destination domain names (include wildcards if needed) that match your domain controllers.
  6. Click Save and Publish.

4. Configure Kerberos Profile Payload

Next, create the Kerberos profile and configure the SSO extension payload.

4.1. Add Profile

Applications > Native
  1. Click Add.
  2. Click Profile.

4.2. Select Platform

Devices > List View

Select macOS.

4.3. Select Context

Devices > List View

Select Device Profile.

4.4. Complete General Profile Details

Devices > List View
  1. Enter a name for the profile, for example, Kerberos SSO Extension.
  2. Select Auto as the Assignment Type.
  3. Select one or more Smart Groups to assign the SSO Extension profile (or create a new smart group).

4.5. Configure SSO Extension Payload

Workspace ONE UEM Console
  1. Search for the SSO payload.
  2. Click SSO Extension.
  3. Click Configure.

4.6. Modify and Save SSO Extension Payload

Workspace ONE UEM Console
  1. Select Kerberos for Extension Type.
  2. Enter the Active Directory Realm (in capital letters) where the user logs in. For example, AAPP.BETAVMWEUC.COM.
  3. Enter the Active Directory hosts and domains that can be authenticated through the extension. For example, aapp.betavmweuc.com.
  4. Select whether the extension should use active directory and DNS to discover its AD site.
  5. Select whether the extension should save passwords to the keychain.
  6. Select whether the user should be required to use biometrics or a password to use the keychain.
  7. Enter the application Bundle IDs allowed to use the extension. For example, org.mozilla.firefox.
  8. Select whether to allow users to initiate directory password changes from the extension.
  9. Select whether to keep the local macOS user account password synchronized with the Active Directory account password.
  10. Select whether passwords must meet Active Directory's definition of complex.
  11. Optionally, scroll down to configure additional parameters with regards to password settings.
  12. Click Save and Publish.

4.7. Publish SSO Extension Profile

Profiles & Resources > Profiles

Click Publish.

5. Validate Kerberos Tickets

Finally, log in to Kerberos and confirm that the Kerberos credentials are obtained over Per-App VPN by the Kerberos SSO Extension.

5.1. Log In to Kerberos Extension

  1. Click the extension (key icon) in the menu bar.
  2. Click Sign In.
  3. Enter a user's username and password.
  4. Click Sign In.

5.2. Accept Automatic Sign-In


Click Yes.

5.3. Re-run Klist Command

  1. In Terminal.app, enter klist and press return.
  2. Observe the Kerberos Credential obtained over Per-App VPN by the built-in macOS Catalina Kerberos SSO Extension.
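The klist check in step 1 (no credentials cache) and the re-run here (a ticket-granting ticket for the realm) can be scripted so the before/after state is unambiguous. The following is an added shell example, not part of the tutorial: the function names are my own, the realm is the one entered in the SSO Extension payload, and the two klist transcripts are constructed rather than captured from a device.

```shell
#!/bin/sh
# Added example (not from the tutorial): classify `klist` output so the
# before/after checks in steps 1 and 5.3 can be scripted. Function names are
# my own; the realm comes from the SSO Extension payload (entered in capitals).
# The two klist transcripts below are constructed, not captured from a device.

# Read klist output from stdin and print one word describing the state:
#   none   - "No credentials cache file found" (expected before Sign In)
#   ticket - a krbtgt/<REALM>@<REALM> ticket-granting ticket is present
#            (expected after the extension has signed in over Per-App VPN)
#   other  - a cache exists but holds no TGT for the given realm
kerberos_tgt_state() {
  realm="$1"
  out=$(cat)
  case "$out" in
    *"No credentials cache file found"*) echo none ;;
    *"krbtgt/$realm@$realm"*)            echo ticket ;;
    *)                                   echo other ;;
  esac
}

# Print the signed-in principal (user@REALM) from klist output on stdin,
# or nothing when no cache exists.
kerberos_principal() {
  sed -n 's/^[[:space:]]*Principal: //p' | head -n 1
}

# Live check (macOS): run klist and report the state for a realm.
# Usage: check_kerberos AAPP.BETAVMWEUC.COM
check_kerberos() {
  klist 2>&1 | kerberos_tgt_state "$1"
}

# Constructed transcripts in the shape macOS klist prints.
SAMPLE_NONE='klist: No credentials cache file found'
SAMPLE_TICKET='Credentials cache: API:EXAMPLE-CACHE-ID
        Principal: jdoe@AAPP.BETAVMWEUC.COM

  Issued                Expires               Principal
Dec  3 09:12:41 2019  Dec  3 19:12:41 2019  krbtgt/AAPP.BETAVMWEUC.COM@AAPP.BETAVMWEUC.COM'

REALM=AAPP.BETAVMWEUC.COM
printf 'before sign-in: %s\n' "$(printf '%s\n' "$SAMPLE_NONE" | kerberos_tgt_state "$REALM")"
printf 'after sign-in:  %s (%s)\n' \
  "$(printf '%s\n' "$SAMPLE_TICKET" | kerberos_tgt_state "$REALM")" \
  "$(printf '%s\n' "$SAMPLE_TICKET" | kerberos_principal)"
```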

5.4. Validate Kerberos-enabled Application or Website

  1. Launch an application which is Kerberos-enabled. If using a website, browse to the Kerberos-enabled website.
  2. Note the application or website is authenticated without any intervention from the user (no certificate chooser or username/password prompt).

Note: Some applications may require additional configuration to enable Kerberos Authentication. Google Chrome and Firefox also require additional configuration to enable Kerberos Authentication.

For Firefox:

  1. Open Firefox and enter about:config in the address bar.
  2. Search for negotiate and then double-click network.negotiate-auth.trust-uris.
  3. Enter a comma-separated list of domain names that should be enabled for Kerberos Authentication and click Ok.
  4. Open a new tab and re-try the Kerberos-enabled website.

For Google Chrome:

  1. Create a Custom Settings payload in a User Profile for the device, targeting com.google.Chrome as the PayloadType.
  2. Include the following keys in your settings:

  <key>AuthServerWhitelist</key>
  <string>*.domain.name</string>
  <key>AuthNegotiateDelegateWhitelist</key>
  <string>*.domain.name</string>

Caution: Some apps spawn helper applications to assist with background tasks. In these cases, the helper apps may be making DNS calls or performing other network tasks requiring the Per-App Tunnel but may not be part of a device traffic rule. One particular example of this is Google Chrome, which performs network functions outside the Google Chrome.app process. In this case, the helper application must be added to the device traffic rule, otherwise, specific settings are required to be changed client-side within the application. 

As an example, to validate Kerberos-enabled websites in Google Chrome using Per-App Tunnel, perform the following:

  1. In the URL field, enter chrome://flags
  2. Search for network in the Search flags text box.
  3. Set Runs network service in-process to Enabled and relaunch Google Chrome before proceeding with testing.

This small change allows Google Chrome to leverage the Per-App Tunnel for connectivity required to query DNS and obtain Kerberos tickets. At the time of writing, the ForceNetworkInProcess key was not available in Chrome for macOS and must be enabled by the individual user.

Troubleshooting Per-App Tunnel on macOS

If a Per-App Tunnel problem occurs on macOS, you can check a number of places to troubleshoot. This section of the operational tutorial covers where to troubleshoot on macOS at a high level. Depending on the problem, there may be steps that should be performed on the Unified Access Gateway. However, troubleshooting the Unified Access Gateway is outside the scope of this tutorial. Workspace ONE UEM administrators should contact VMware Support for assistance when troubleshooting Per-App Tunnel, Workspace ONE Tunnel, or the Unified Access Gateway.

This section covers a high-level set of initial troubleshooting steps.

1. Open Workspace ONE Tunnel

macOS Dock
  1. Click the Launchpad on the Dock.
  2. Click VMware Tunnel.

2. Ensure Tunnel is Configured

Workspace ONE Tunnel macOS application
  1. Ensure that the Device Configured status shows Configured. This indicates that Workspace ONE Tunnel has received configuration data from Workspace ONE UEM. If the status is not configured, try one of the following:
    • Check the Device Traffic Rules and Save and Publish the rules again.
    • Check the last seen value for the device in the Workspace ONE UEM console. Is the device communicating with Workspace ONE UEM?
    • Validate that other MDM commands are being sent to the device. Create an assignment (smart) group containing the single device and attempt to send it a new profile payload.
  2. Ensure that the Internet status shows Connected. If Tunnel cannot connect to the Internet, it probably cannot connect to the Unified Access Gateway.
    • Validate the device has a working Ethernet or Wi-Fi connection (IP Address, Subnet Mask, Gateway, and DNS addresses are present).
    • Validate DNS resolution: Open Terminal and enter nslookup uag.fully.qualified.domain to ensure an IP address is resolved.
    • Validate Connectivity to UAG: Within Terminal, enter nc -vz uag.fully.qualified.domain uagport (such as nc -vz uag.company.com 443).
  3. Ensure that the Enterprise Network status shows Connected. If Workspace ONE Tunnel is disconnected from the Enterprise network, apps cannot leverage Per-App Tunnel. This may indicate an issue with Workspace ONE Tunnel connecting to the Unified Access Gateway or an issue with Device Traffic Rules.
    • The remainder of this section details how to troubleshoot Tunnel connectivity.

3. Validate Per-App VPN Profile

  1. Click System Preferences.
  2. Double-click Profiles.
  3. Scroll through the left panel.
  4. Click the Per-App VPN profile that was created.
  5. Ensure that the VPN App Layer Service details are correct, especially the VPN Remote Address and the OnDemand Enabled value.
    • If the profile is missing or misconfigured, check the profile configuration and re-push the profile to the device from within the UEM Console's Device Details view (on the Profiles tab).

4. Validate Advanced Tunnel Information

  1. Open the Workspace ONE Tunnel client and click the VMware Tunnel menu.
  2. Click Whitelisted Applications.
  3. Verify that the list of whitelisted applications matches the settings configured in the Device Traffic Rules.
  4. From the VMware Tunnel menu (#1), click Diagnostics.
  5. Click Enable Debug to get verbose information.
  6. Review Diagnostics information.
  7. Click Disable Debug when troubleshooting is complete.

Deploying Workspace ONE Tunnel for Windows 10

Introduction

Per-App Tunneling helps users access critical information through the applications on their devices.

Leveraging Per-App Tunnel allows you to control which applications on a device and what internal resources the applications have access to by automatically enabling or disabling Per-App VPN access, based on which applications are active. By enabling remote access, you no longer need to provide a device-wide VPN on your devices, which can allow unintended or unauthorized apps or processes to access your VPN. In this tutorial, you configure and deploy VMware Workspace ONE Tunnel to enable the Per-App Tunnel component on managed devices.

These exercises involve the following components:

  • Workspace ONE Tunnel – The app used on the device to securely connect to the Unified Access Gateway to provide Per-App Tunnel functionality, also referred to as Tunnel Client.
  • Unified Access Gateway – The virtual appliance where the VMware Tunnel edge service is installed, and to which the tunnel client connects.
  • Per-App Tunnel – Component of VMware Tunnel edge service for connecting to a secure tunnel channel on a per-application basis, which is controlled and configured by the VPN profile payload and Device Traffic Rules.
  • Per-App VPN Profile and Device Traffic Rules – The Workspace ONE UEM configuration that is pushed to the device and contains the Per-App Tunnel configurations. Every time a specified application is opened, the Workspace ONE Tunnel client evaluates the Device Traffic Rules assigned to it before making any routing decisions, and establishes a Per-App Tunnel connection with the Unified Access Gateway based on the Per-App VPN Profile configuration.

High-Level Architecture

Workspace ONE Tunnel Desktop Application diagram

The device contains the applications required by the end user to perform their daily job. Some applications require access to internal resources to function. Based on the Per-App VPN configuration, those applications use Workspace ONE Tunnel, which communicates with the Tunnel Service on the Unified Access Gateway hosted in the DMZ to validate whether the requesting device is in compliance before authorizing access to the internal resource.

Prerequisites

Before you can perform the steps in this exercise, you must have the following components installed and configured:

Note: See VMware Workspace ONE Tunnel for Windows Release Notes for updates to the client.

Configuring Device Traffic Rules for Windows 10

This activity outlines how to configure device traffic rules for Windows 10.

For this example, the user must access internal websites, internal network file shares, and a remote desktop session. To allow secure access, you configure Workspace ONE Tunnel to allow only the applications required.

In this activity, you configure the following:

  • Internal web browser access - defining Chrome as the application
  • Internal network file shares - allowing system access
  • Remote Desktop Session Connection - defining Microsoft Remote Desktop client as the application

Note: Domain values used in this section are examples only. Your values will differ.

1. Access Configurations

Devices > Dashboard

In the Workspace ONE UEM Console:

  1. Click Groups & Settings.
  2. Click Configurations.

2. Select Tunnel Settings

Groups & Settings > Configurations
  1. Scroll through the list of Configurations if necessary.
  2. Select Tunnel.

3. Edit Device Traffic Rules

Groups & Settings > Configurations

From within the Device Traffic Rules information block on the Tunnel Configuration page, click Edit.

4. Add Windows 10 Application to Rule Builder

In this section, you must define the applications previously listed.

Groups & Settings > Configurations

Click Add Windows or macOS Application.

5. Define the Application - Overview

  1. Select Windows as the Platform.
  2. Enter the friendly name of the application. The friendly name is displayed in the Device Traffic Rule.
  3. Select the App Type, for example, Desktop App. The App Type can be a traditional Windows application or a Windows Store application.
  4. Enter the App Identifier. For traditional Windows applications, use the File Path. For Store applications, you must enter in the Package Family Name or PFN. You can use the PowerShell command Get-AppxPackage to find the PFN. For more information, see Microsoft Docs: Find a package family name (PFN) for per-app VPN.

5.1. Add Chrome Web Browser Access

In this example, the Chrome application is defined under the Program Files (x86) path. The App Identifier value should contain the full path where the EXE file is located on the Windows machine.

The screenshot shows that the App Identifier used for Chrome is C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

After you have entered the application details, click Save.

5.2. Add the Remote Desktop (RDP) client

Adding the RDP client

Next, add the Remote Desktop client. This allows end users to connect to Remote Desktop Hosts located behind the corporate firewall.

As the Remote Desktop Client is built into the Windows Operating system, the file path of the executable is different.

For example, in this screenshot, the App Identifier used for the RDP client is C:\Windows\System32\mstsc.exe

After you have entered the application details, click Save.

5.3. Add SMB for network drives and printers support

Adding Network Drives System App

Next, add support for tunneling SMB traffic from system to allow users to map network shares and network printers. This allows end users to connect to file shares and printers that are located behind the corporate firewall.

As the SMB protocol is built into the Windows operating system, the App Identifier is not an executable; instead, you define System as the App Identifier.

After you have entered the application details, click Save.

6. Add Device Traffic Rule

Groups & Settings > Configurations
  1. Observe (and optionally modify) the default action which applies to all Windows applications.
    • Tunnel – All apps on the device configured for Per-App Tunnel send network traffic through the tunnel. For example, set the Default Action to Tunnel to ensure all configured apps without a defined traffic rule use the Workspace ONE Tunnel for internal communications.
    • Block – Blocks all apps on the device configured for Per-App Tunnel from sending network traffic. For example, set the Default Action to Block to ensure that all configured apps without a defined traffic rule cannot send any network traffic regardless of destination.
    • Bypass – All apps on the device configured for Per-App Tunnel bypass the tunnel and connect to the Internet directly. For example, set the Default Action to Bypass to ensure all configured apps without a defined traffic rule bypass the Workspace ONE Tunnel to access their destination directly.
  2. Click Add Device Traffic Rule.

7. Build Device Traffic Rule

Build Device Traffic Rule

In the newly created Device Traffic Rule:

  1. Click the down arrow to display the Application list.
  2. Select one or more triggering applications to control with this rule. The All Applications option is not applicable to Windows.
  3. Select the Appropriate Action for Workspace ONE Tunnel to perform on traffic from the selected apps - For this exercise, select Tunnel.
    • Tunnel – Sends app network traffic for specified domains through the tunnel to your internal network.
    • Block – Blocks all traffic sent to specified domains.
    • Bypass – Bypasses the Workspace ONE Tunnel so the application accesses specified domains directly.
    • Proxy – Redirect traffic to the specified HTTPS proxy for the listed domains. The proxy must be HTTPS and must follow the correct format: https://example.com:port. Note: Proxy is not yet supported using the Workspace ONE Tunnel Desktop Application.
  4. Enter one or more comma-separated fully qualified domain names as destinations to which Workspace ONE Tunnel should apply the Device Traffic Rule. A single asterisk (*) can be used as a wild card for subdomains.
  5. If necessary, adjust the Device Traffic Rules rank in the list. Lower-numbered rank is the highest priority.
  6. Click Save.

Note: For Windows Desktop devices, the domains added to the destination must also be added to the DNS Resolution via Tunnel Gateway section in the Windows Desktop device profile.

8. Add Additional Rules and Publish

  1. Click Add Device Traffic Rule and repeat  Build Device Traffic Rule for any additional required rules.
  2. Drag the rules to adjust your Device Traffic Rules priority.
  3. When the Device Traffic Rules are configured as necessary, click Save and Publish.

9. Review Summary


Review the summary of the Device Traffic Rule configurations:

  1. The Application list contains triggering applications Chrome, Remote Desktop, and System.
    • The applications appear in the following format: Application Friendly Name - UEM Organization Group - Platform
      • Google Chrome - ACME Corp - WinRT
      • RDP  - ACME Corp - WinRT
      • System - ACME Corp - WinRT
  2. The Appropriate Action for Workspace ONE Tunnel to perform is Tunnel.
    • Tunnel – Sends app network traffic for specified domains through the tunnel to your internal network
    • Destination - For this example, the destination is atl-intranet-corp.airwlab.com.
  3. Optional - You can also configure Device Traffic Rules to Block.
    • In this example, Chrome is set to block the domains *cnn.com, *facebook.com, and *match.com.

Distributing Workspace ONE Tunnel for Windows 10

In this activity, you deploy the Workspace ONE Tunnel Desktop Application on Windows 10 devices.

Note: The Per-App VPN profile should already be configured as part of the Prerequisites.

1. Download the Workspace ONE Tunnel Desktop Installer


To download the Workspace ONE Tunnel for Windows 10 EXE Installer file:

  1. Navigate to https://my.workspaceone.com/ and log in with your MyVMware credentials.
  2. Navigate to Products.
  3. Click All Products.

Tip: You can also navigate directly to https://my.workspaceone.com/products.

1.1. Select Workspace ONE Tunnel

  1. Scroll down to the bottom of the page.
  2. Select Workspace ONE Tunnel.

1.2. Select Platform and Version

  1. Select Windows as the platform.
  2. Select the Latest version for the Workspace ONE Tunnel Desktop Application.
  3. Filter by console version.
  4. Select Install and Upgrades tab for a link to the download.

After you have accepted the Terms of Use, the download begins immediately.

Tip: It is helpful to have all Installation files pre-downloaded on your local machine, ready to upload into Workspace ONE UEM.

To improve user experience, have the application icons and screenshots of the application ready for the Application catalog.

2. Upload Tunnel Application into Workspace ONE UEM


In the Workspace ONE UEM Console:

  1. Click Apps and Books.
  2. Select Internal Application.
  3. Click Add Application and Upload.
  4. Browse for the Workspace ONE Tunnel EXE installer file and click Save.
  5. Select No for Is this a dependency app?.
  6. Click Continue.

3. Configure the Details Tab

  1. Ensure the Details tab is selected.
  2. Enter a Name, for example, Workspace ONE Tunnel.

4. Configure the Files Tab

  1. Navigate to the Files tab.
  2. Scroll down to the App Uninstall Process section. For Workspace ONE Tunnel, enter VMware Workspace ONE Tunnel 1.2 for Win10_Desktop.exe /uninstall /Passive as the Uninstall Command.

5. Configure the Deployment Options Tab

In this section, define settings in the Deployment Options tab.

5.1. Define When to Install

  1. Select the Deployment Options tab.
  2. Locate the When to Install section.
  3. Configure any minimum requirements for the following:
    • Data Contingencies - Use when installation should depend on an application, file, or registry key existing (or not existing) on the device.
    • Disk Space Required - The amount of free disk space the device must have to install the application.
    • Device Power Required - The battery level, as a percentage, that the device must have to install the application.
    • RAM Required - The amount of RAM the device must have to install the application.

5.2. Find the Install Command Options

Many application installers accept a help switch. To list the switches an installer supports, run the installer from a command prompt with /help or /? appended.

The following steps demonstrate how to run these commands.

  1. Find the installer file.
  2. Hold SHIFT and right-click the installer file.
  3. Select Copy as path.
  4. Open Command Prompt.
  5. Paste the installer file path and append /help or /? to it.
  6. A dialog box lists the supported installation switches.

For the Workspace ONE Tunnel Desktop Application installer, this lists the supported install parameters, including the /Install and /Passive switches used in the next step.

5.3. Define How to Install

  1. Stay on the Deployment Options tab.
  2. Scroll down to find the How To Install section.
  3. For the Install Command, enter VMware Workspace ONE Tunnel 1.2 for Win10_Desktop.exe /Install /Passive.
  4. Ensure Admin Privileges is set to Yes.
  5. Change Device Restart if required. This example uses User Engaged Restart. This allows the user to reboot the machine to complete the install when the user is ready.
  6. For Installer Reboot Exit Code, the supported values are 3010 and 1641.
  7. For Installer Success Exit Code, the supported values are 0 and 3010.
Error code                       Value  Description
ERROR_SUCCESS                    0      The action completed successfully.
ERROR_SUCCESS_REBOOT_INITIATED   1641   The installer has initiated a restart. This indicates success.
ERROR_SUCCESS_REBOOT_REQUIRED    3010   A restart is required to complete the install. This indicates success. This does not include installs where the ForceReboot action is run.

For more information on Installer codes, see Microsoft Docs: MsiExec.exe and InstMsi.exe Error Messages.

5.4. Define When To Call Install Complete

  1. Click Add.
  2. Select File Exists for the Criteria Type.
  3. Enter C:\Program Files\VMware\Workspace ONE Tunnel\VMwareTunnel.exe for the Path.
  4. Click Add.
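Before uploading the installer, it is worth running the exact Install Command once on a test machine and checking what the installer returns. The following PowerShell is an added example written for this page, not VMware's installer tooling: it runs the installer with the same switches as the How To Install step, classifies the exit code using the table in step 5.3, and applies the same file-exists criterion as step 5.4. The installer file name and the VMwareTunnel.exe path are the ones quoted in this tutorial; the installer location ($PSScriptRoot) is a placeholder.

```powershell
# Added example for this page (not VMware code). Runs the Tunnel desktop installer the way the
# UEM "How To Install" step does and interprets the result the way UEM is configured to.

$InstallerPath  = Join-Path $PSScriptRoot 'VMware Workspace ONE Tunnel 1.2 for Win10_Desktop.exe'  # placeholder location
$ExpectedBinary = 'C:\Program Files\VMware\Workspace ONE Tunnel\VMwareTunnel.exe'                   # "When To Call Install Complete" path

function Get-InstallerOutcome {
    # Maps an installer exit code to the meaning in the exit-code table above.
    param([Parameter(Mandatory)][int]$ExitCode)
    switch ($ExitCode) {
        0    { return [pscustomobject]@{ Success = $true;  RebootRequired = $false; Reason = 'ERROR_SUCCESS' } }
        1641 { return [pscustomobject]@{ Success = $true;  RebootRequired = $true;  Reason = 'ERROR_SUCCESS_REBOOT_INITIATED' } }
        3010 { return [pscustomobject]@{ Success = $true;  RebootRequired = $true;  Reason = 'ERROR_SUCCESS_REBOOT_REQUIRED' } }
        default { return [pscustomobject]@{ Success = $false; RebootRequired = $false; Reason = "Installer failed with exit code $ExitCode" } }
    }
}

function Install-TunnelClient {
    param(
        [Parameter(Mandatory)][string]$Installer,
        [Parameter(Mandatory)][string]$ExpectedBinary
    )
    if (-not (Test-Path -LiteralPath $Installer)) { throw "Installer not found: $Installer" }

    # UEM runs the command with Admin Privileges = Yes; refuse to run unelevated so the result is comparable.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    # Same switches as the UEM Install Command; -Wait so ExitCode is the installer's own code.
    $proc = Start-Process -FilePath $Installer -ArgumentList '/Install', '/Passive' -Wait -PassThru -NoNewWindow
    $outcome = Get-InstallerOutcome -ExitCode $proc.ExitCode

    # Mirror the install-complete criterion: the main binary must exist after the installer exits.
    $binaryPresent = Test-Path -LiteralPath $ExpectedBinary

    [pscustomobject]@{
        ExitCode       = $proc.ExitCode
        Success        = ($outcome.Success -and $binaryPresent)
        RebootRequired = $outcome.RebootRequired
        BinaryPresent  = $binaryPresent
        Reason         = $outcome.Reason
    }
}

$result = Install-TunnelClient -Installer $InstallerPath -ExpectedBinary $ExpectedBinary
$result | Format-List
if ($result.RebootRequired) { Write-Warning 'A restart is required to complete the install (User Engaged Restart in UEM).' }
if (-not $result.Success)   { exit 1 }
```

If the script reports a success exit code but BinaryPresent is false, the install-complete criterion in step 5.4 would never be satisfied and UEM would keep reporting the install as pending, so check the installer log in %TEMP% before changing the criterion.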

6. Add the Application Icon

You can download the icon to use in your environment.

  1. Select the Images tab.
  2. Select the Icon tab.
  3. Click the area labeled Click or drag files here.
  4. Navigate to the folder containing the Application logo, or download the provided image to use.

Your icon should now be uploaded.

7. Set Terms of Use

  1. Select the Terms of Use tab.
  2. If you decide to have a Terms of Use that your users must accept before installing applications, you can configure that here.  For this exercise, select None.
  3. Click Save & Assign.

8. Add Assignment

  1. Select Assignments.
  2. Click Add Assignment.

9. Configure Assignment

  1. Select the Select Assignment Groups search box and select All Devices.
  2. Select On-Demand for the App Delivery Method.
  3. Select Show for Display in App Catalog.
  4. Select Enabled for Make App MDM Managed if User Installed.
  5. Select Add then click Save and Publish.

Confirm the Application Appears in the List View


On the Internal applications List View, confirm that the Workspace ONE Tunnel Desktop Application is displayed.  

You have successfully added the Workspace ONE Tunnel Desktop Application to Workspace ONE UEM for deployment.  

Creating Per-App VPN Profile for Windows 10

On Windows 10, VMware Tunnel can force selected applications to connect through your corporate VPN.

In this activity, you configure the Windows Desktop profile which configures the tunnel client on the device to allow only designated applications to access content on internal servers.

Log in to the Workspace ONE UEM Console to perform the next steps.

1. Add a New Profile

  1. Click Add.
  2. Click Profile.

2. Select the OS for the Profile

Select Windows.

3. Select Device Type


Select Windows Desktop.

4. Select Context


Select Device Profile.

5. Configure the General Properties of the Profile

  1. Select the General tab.
  2. Enter a Name, for example, Per App VPN.
  3. Select Assignment type. This example uses Auto, so devices automatically receive the policy.
  4. Assign the policy to a Smart Group(s).

6. Add a VPN Payload

  1. Click VPN from the Payload menu.
  2. Click Configure to access the VPN payload settings.

7. Configure the VPN Payload

  1. Enter a Connection Name for the policy, for example, Intranet VPN.
  2. Select Workspace ONE Tunnel from the Connection Type drop-down menu.
  3. Select Enable for Desktop Client. This enables the Workspace ONE Tunnel Desktop Application.
    Note: The UWP Tunnel client (Windows Store application) is no longer supported.
  4. If the Tunnel server presents a wildcard or SAN public certificate, add a Custom Configuration as described in the tip below.
  5. Configure DNS Resolution via Tunnel Gateway. Domains entered here are resolved through the VMware Tunnel Gateway; all other domains are resolved using the device's configured DNS. Include every domain used as a destination in your Device Traffic Rules.
  6. Click Save & Publish.

Tip: Using wildcard or SAN public certificates for Tunnel

If the Tunnel server certificate is a wildcard or SAN certificate, add the following XML to the Custom Configuration XML text box on the profile, replacing the placeholder with the certificate's Subject CN:

<CustomConfiguration>
  <ServerCertSN>{Subject CN name}</ServerCertSN>
</CustomConfiguration>

To retrieve the subject CN name:

  1. Open the certificate on a Windows machine.
  2. Select the Details tab.
  3. The Subject row contains the CN of the cert.
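To avoid copying the Subject CN by hand, the following PowerShell (an added example for this page, not VMware tooling) reads a certificate file exported from the Tunnel server, extracts the CN, and generates the CustomConfiguration XML with the XML API so that any special characters in the CN are escaped correctly. The certificate path is a placeholder; substitute the certificate your Tunnel endpoint actually presents.

```powershell
# Added example for this page (not VMware code). Builds the CustomConfiguration XML for the
# Per-App VPN profile from the Subject CN of the Tunnel server certificate.

function Get-TunnelCustomConfiguration {
    param([Parameter(Mandatory)][string]$CertificatePath)   # .cer/.crt exported from the Tunnel server

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertificatePath)

    # SimpleName returns the CN attribute of the Subject, e.g. *.example.com for a wildcard certificate.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $cert.GetNameInfo($nameType, $false)
    if ([string]::IsNullOrWhiteSpace($cn)) { throw "No Subject CN found in $CertificatePath" }

    # Build the element tree instead of concatenating strings so the CN is XML-escaped if needed.
    $doc  = [System.Xml.XmlDocument]::new()
    $root = $doc.AppendChild($doc.CreateElement('CustomConfiguration'))
    $sn   = $root.AppendChild($doc.CreateElement('ServerCertSN'))
    [void]$sn.AppendChild($doc.CreateTextNode($cn))

    [pscustomobject]@{
        SubjectCN  = $cn
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Xml        = $doc.OuterXml
    }
}

$info = Get-TunnelCustomConfiguration -CertificatePath 'C:\temp\tunnel-server.cer'   # placeholder path
if ($info.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($info.NotAfter); the profile will need updating when it is renewed." }
$info | Format-List SubjectCN, Subject, NotAfter, Thumbprint
$info.Xml   # paste this into the Custom Configuration XML text box
```

Because ServerCertSN tells the client which subject name to expect from the Tunnel server, keep this value in step with certificate renewals: a new certificate issued under a different CN requires the profile to be updated and re-published.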

8. Publish the VPN Profile


Click Publish.

Testing Per-App Tunnel on Windows 10

Now that the enrolled device has received the settings configured in the Workspace ONE UEM Console, you are ready to begin testing the Per-App VPN functionality. The Workspace ONE Tunnel Desktop Application should be installed on your device.

In this activity, you learn how to:

  1. Launch an internal website with an authorized application.
  2. Launch an internal website with an unauthorized application.
  3. Launch a defined application and demonstrate Blocked domains.
  4. Launch an RDP session and connect to the machine on the internal network.
  5. Connect to an SMB share to access file shares inside the corporate network.

1. Launch Internal Website with an Authorized Application

  1. Launch Chrome as a browser. Chrome was the application specified to Tunnel traffic.
  2. The Workspace ONE Tunnel Desktop Application is connected and an internal web page is displayed.
  3. The address used – atl-intranet-corp.airwlab.com – is specified in the Device Traffic Rules in the previous exercise.

This web page is accessible only to applications (in this use case, Chrome) defined in the policy.

2. Launch Internal Website with an Un-authorized Application

Next, open a browser that is not listed in the Device Traffic Rules, such as Microsoft Edge, and navigate to the same internal web page.

  1. Launch Chrome, the authorized application, and open atl-intranet-corp.airwlab.com. The Workspace ONE Tunnel Desktop Application connects and the internal web page is displayed.
  2. Launch another browser, for example Microsoft Edge, and open the same address.
  3. The address atl-intranet-corp.airwlab.com resolves in Chrome but not in Microsoft Edge, because only Chrome is assigned to the Tunnel rule for that domain.

3. Launch a Defined Application to Demonstrate Blocked Domains

  1. In the Application access rules, certain websites are blocked. These were listed in the Device Traffic Rules.
    • Websites blocked are cnn.com, facebook.com, and match.com.
  2. Open Chrome and navigate to one of these websites. This example uses facebook.com.
    • When trying to resolve the DNS name, the browser displays an error as this website is blocked.
  3. Launch another browser, in this case, Microsoft Edge. Facebook.com is accessible, as the policy is configured for Chrome only.

4. Test RDP Connections


Sometimes, you may need to RDP into desktop sessions that are located back in the office.

  1. In the Application access rules, confirm the domain configuration for Remote Desktop Client access.
    Note: The RDP application is not from the Windows Store.
  2. Launch the RDP application and enter the machine name. In this example, you connect to the machine atl-intranet-corp on the domain airwlab.com.
  3. Workspace ONE Tunnel Desktop Application resolves this address, and you should be prompted for authentication.

5. Test SMB Share Connections

The Workspace ONE Tunnel Desktop Application allows remote Windows 10 users to connect to file shares located behind the corporate firewall, such as team shares, individual shares, or a specific machine's C: drive.

This example uses the host atl-intranet-corp and connects to its C: drive.

  1. In the Application access rules, confirm the domain configuration for System resource access. SMB traffic originates from the System process, which is why System is included in the Tunnel rule for the internal domain.
  2. In the search bar, enter Run and press Enter.
  3. Enter the address of the file share you want to connect to, for example \\atl-intranet-corp.airwlab.com\c$, and click OK.
  4. Workspace ONE Tunnel resolves this address, and you are prompted for authentication to the SMB share.

6. Review Summary

In this section, you have successfully:

  1. Launched an internal website with an authorized application to confirm it works.
  2. Launched an internal website with an unauthorized application to confirm that it cannot reach the internal resource.
  3. Launched a defined application and confirmed blocked domains.
  4. Launched an RDP session and connected to a machine on the internal network.
  5. Connected to an SMB share to access file shares inside the corporate network.

Troubleshooting Per-App Tunnel on Windows 10

If a Per-App Tunnel problem occurs on Windows 10, there are several places to check. This section of the operational tutorial covers Windows 10 troubleshooting at a high level. Depending on the problem, there may be steps that should be performed on the Unified Access Gateway; however, troubleshooting the Unified Access Gateway is outside the scope of this tutorial. Workspace ONE UEM administrators should contact VMware Support for assistance when troubleshooting Per-App Tunnel, Workspace ONE Tunnel, or the Unified Access Gateway.

This section is divided into two parts and covers the following high-level set of initial troubleshooting steps.

  1. Workspace ONE Tunnel Desktop Application Installation Troubleshooting.
    • Checking Workspace ONE UEM console for application install status.
    • Locating Workspace ONE Tunnel desktop application installer logs.
    • Checking device registry for Workspace ONE Tunnel desktop application install status.
    • Checking Workspace ONE UEM console for Policy install status.
    • Checking device registry for Per-App VPN Profile.
  2. Workspace ONE Tunnel Desktop Application Connectivity Troubleshooting.
    • Confirming the Workspace ONE Tunnel status when Tunnel is connected.
    • Confirming the Workspace ONE Tunnel status when Profile is not installed.
    • Confirming Application Access and Tunnel Service.
    • Checking the Workspace ONE Tunnel certificate.
    • Enabling Workspace ONE Tunnel debug logging.
    • Locating Workspace ONE Tunnel logs.
    • Confirming Workspace ONE Tunnel DNS Resolution.

1. Troubleshoot Workspace ONE Tunnel Installation

In this section, check issues that may arise from the Workspace ONE Tunnel desktop application installation.

1.1. Check Workspace ONE UEM Console for Application Install Status

  1. In the Workspace ONE UEM console, navigate to the Details View of that device.
  2. Select the Apps tab.
  3. Confirm that the App Status for the Tunnel Installer is Installed.
  4. Confirm that the App Status for Workspace ONE Tunnel shows the correct version. In this example, Workspace ONE Tunnel 1.2.0.18 is installed.

1.2. Locate Workspace ONE Tunnel Desktop Application Installer logs


By default, the Workspace ONE Tunnel Desktop Application Installer logs are found in %TEMP%.

Two logs should exist:

  1. Workspace_ONE_Tunnel_<date>.log
    • This is the Bootstrapper log which usually does not yield very important errors unless any dependency programs fail on install, for example, .NET.
  2. Workspace_ONE_Tunnel_<date>_000_VMwareTunnelClientInstaller.log
    • This is the Tunnel Installer log which shows any failures during the Workspace ONE Tunnel desktop application installation.

1.3. Check Device Registry for Workspace ONE Tunnel Install Status


Check the location of the registry installation settings for the Workspace ONE Tunnel desktop application. These values should match the values in the Workspace ONE UEM console.

On the computer that should have the Workspace ONE Tunnel desktop application installed, open Registry Editor (regedit.exe).

  1. Click Computer.
  2. Click HKEY_LOCAL_MACHINE.
  3. Click SOFTWARE.
  4. Click AirWatchMDM.
  5. Click AppDeploymentAgent.
  6. Click S-1-5-18.
  7. Click the GUID of the application. For example, {3A7FE2DB-8AE4-4DBA-A9D3-042C88F53A50}.
  8. Click the Registry key to show IsInstalled.

Tip: The Application GUID should match the value in the Workspace ONE UEM Console.

1.4. Confirm Application ID in the Workspace ONE UEM Console

  1. In the Workspace ONE UEM console, navigate to Apps and Books and select the Workspace ONE Tunnel application.
  2. In the App Details view, the Application ID (GUID) should match the GUID key you located in the registry in the previous step.

For more information on troubleshooting Windows Applications, see Troubleshooting Windows 10: VMware Workspace ONE Operational Tutorial.

1.5. Check Workspace ONE UEM Console for Policy Install Status


After you have confirmed that the application is installed, make sure the policy is installed on the device.

  1. In the Workspace ONE UEM console, navigate to the Details View of that device.
  2. Select the Profiles tab.
  3. Confirm that the Status of the Per App VPN Profile is successful.

1.6. Check Device Registry for Per-App VPN Profile

On the computer that should have the Tunnel policy installed, open Registry Editor (regedit.exe) and navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tunnel.

  1. Click Computer.
  2. Click HKEY_LOCAL_MACHINE.
  3. Click SOFTWARE.
  4. Click VMware, Inc.
  5. Click VMware Tunnel.
  6. Click TunnelConfiguration.
  7. This displays the Tunnel Policy applied to that machine.

Tip: If no policy is shown in the registry, re-push the policy from the Workspace ONE UEM console and perform a Device Query on that device from the Workspace ONE UEM console.

2. Troubleshoot Workspace ONE Tunnel Client Connectivity

After you have successfully installed the Workspace ONE Tunnel, the next step is to test the Per-App Tunnel connectivity by attempting to access one of the internal resources through the domains defined on the Device Traffic Rules.

2.1. Confirm the Workspace ONE Tunnel Status When Tunnel is Connected

When the Tunnel client has connected successfully, the client UI displays Connected.

2.2. Confirm Workspace ONE Tunnel Status When Profile is Not Installed

If the Workspace ONE Tunnel client is installed but the Per-App VPN profile has not been applied, the Tunnel client status is Not Configured.

Tip: To resolve, ensure the Per-App VPN profile is assigned to the device, and ensure it is successfully installed.

2.3. Confirm Application Access and Tunnel Service

Problem: The Workspace ONE Tunnel Client status is Disconnected.

Solution: Confirm that the application is defined in Application Access and that the application is running. Then confirm that the VMware Workspace ONE Tunnel Service is running in Windows Services; if the service is not started, start it.

  1. On the Windows machine, open Services and locate the VMware Workspace ONE Tunnel Service.
  2. Ensure that the Startup type is set to Automatic.
  3. Ensure that the service is running.

2.4. Check the Workspace ONE Tunnel Desktop Application Certificate


Authentication for the Tunnel Client can be configured to use Enterprise Certificates or internally-signed certificates. If no certificate is present, the Tunnel UI status displays Not Configured -  Authentication Certificates are not present.

If no certificate is present, re-push the Per-App VPN profile to the device. Re-pushing the profile should install the Tunnel certificate.

To check the certificates:

  1. On the Windows machine, open mmc.exe and add the Certificates snap-in for the Computer account.
  2. Navigate to Local Computer > Personal > Certificates.
  3. Confirm that the certificate used for certificate authentication to the Tunnel service is listed.

Retrieve the device UDID from the Workspace ONE UEM console: navigate to Devices > List View, select the device, and open the Summary tab. Confirm that the UDID shown there matches the UDID in the certificate.

2.5. Enable Workspace ONE Tunnel Debug Logging

  1. On the Windows machine, navigate to the system tray. You should see the Tunnel icon.
  2. Right-click the Tunnel client.
  3. Select Enable debug logging.

Debug logging levels range from 0 to 4. Enabling debug logging sets the log level to 4.

You can also check the Workspace ONE Tunnel log level in the device registry.

On the computer that should have the Tunnel installed, open Registry Editor (regedit.exe).

  1. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tunnel.
  2. Under the LogLevel entry, you should see a value from 0-4. In this example, the value is 0.

Changing the value directly in the registry is not supported. To raise the log level, enable debug logging from the tray icon as described above.

2.6. Locate Workspace ONE Tunnel Logs

By default, the Workspace ONE Tunnel Desktop Application logs are located in C:\ProgramData\VMware\VMware Tunnel. (The installer logs are in %TEMP%, as described in Locate Workspace ONE Tunnel Desktop Application Installer logs.)

Two logs should exist:

  1. win_tunnel – Shows connectivity issues with the Workspace ONE Tunnel desktop application.
  2. win_tunnelui – Shows user interface changes within the Workspace ONE Tunnel desktop application.

2.7. Confirm Workspace ONE Tunnel Desktop Application DNS Resolution


After you have confirmed Tunnel connectivity, check the DNS resolution.

Sometimes, the Workspace ONE Tunnel Client may be in good working order. For example, the profile is installed, the application is installed, the service is running, and the status is Connected. But the DNS resolution is still failing. In this case, general networking troubleshooting can assist greatly.

Check the Name Resolution Policy Table (NRPT). On the Windows machine, open PowerShell and run Get-DnsClientNrptRule. This command lists the NRPT rules on the device; the domains you entered under DNS Resolution via Tunnel Gateway in the Per-App VPN profile should appear here. If the internal domain is not listed, its queries are answered by the device's regular DNS rather than through the Tunnel Gateway.
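The checks in parts 1 and 2 above can be collected in a single pass. The following PowerShell is an added example written for this page, not VMware's code or tooling. It only reads the locations this tutorial names (the AppDeploymentAgent and VMware Tunnel registry keys, the VMwareTunnel.exe path, the service display name, the Local Computer Personal certificate store, the ProgramData log folder, and the NRPT) and changes nothing. The -AppGuid value in the usage line is the example GUID from this tutorial and must be replaced with your own, and the optional filter that looks for the device UDID in the certificate Subject is an assumption made here, not a statement from the tutorial.

```powershell
# Added example for this page (not VMware code). Read-only health check for the
# Workspace ONE Tunnel Desktop Application; run from an elevated PowerShell session.

function Test-TunnelClientHealth {
    param(
        [Parameter(Mandatory)][string]$AppGuid,   # Application ID from App Details in the UEM console
        [string]$DeviceUdid,                       # Devices > List View > Summary; optional filter for the client cert (assumption: UDID is in the Subject)
        [string]$InternalHost = 'atl-intranet-corp.airwlab.com'
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Check, $Ok, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Ok = [bool]$Ok; Detail = $Detail })
    }

    # 1. App Deployment Agent install record for the Tunnel application (section 1.3).
    $agentKey = "HKLM:\SOFTWARE\AirWatchMDM\AppDeploymentAgent\S-1-5-18\$AppGuid"
    $isInstalled = (Get-ItemProperty -Path $agentKey -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
    Add-Finding 'App install record' ($isInstalled -eq 1) "IsInstalled=$isInstalled under $agentKey"

    # 2. Installed binary and its version; the console App Status should report the same version (section 1.1).
    $exe = 'C:\Program Files\VMware\Workspace ONE Tunnel\VMwareTunnel.exe'
    $version = if (Test-Path -LiteralPath $exe) { (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion }
    Add-Finding 'Tunnel binary present' ($null -ne $version) "$exe version $version"

    # 3. Per-App VPN profile delivered: TunnelConfiguration under the VMware Tunnel key (section 1.6).
    $tunnelKey = 'HKLM:\SOFTWARE\VMware, Inc.\VMware Tunnel'
    $hasConfig = Test-Path -LiteralPath "$tunnelKey\TunnelConfiguration"
    Add-Finding 'Tunnel policy in registry' $hasConfig "TunnelConfiguration present: $hasConfig (if missing, re-push the profile and run a Device Query)"

    # 4. Log level 0-4; 4 means debug logging was enabled from the tray icon (section 2.5).
    $logLevel = (Get-ItemProperty -Path $tunnelKey -Name LogLevel -ErrorAction SilentlyContinue).LogLevel
    Add-Finding 'Log level readable' ($null -ne $logLevel) "LogLevel=$logLevel"

    # 5. Tunnel service running and set to start automatically (section 2.3).
    $svc = Get-Service -DisplayName 'VMware Workspace ONE Tunnel Service' -ErrorAction SilentlyContinue
    $svcOk = $svc -and $svc.Status -eq 'Running' -and $svc.StartType -eq 'Automatic'
    Add-Finding 'Tunnel service' $svcOk "Status=$($svc.Status) StartType=$($svc.StartType)"

    # 6. Client authentication certificate in Local Computer > Personal with a private key and not expired (section 2.4).
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) })
    if ($DeviceUdid) { $certs = @($certs | Where-Object { $_.Subject -like "*$DeviceUdid*" }) }
    Add-Finding 'Client certificate' ($certs.Count -gt 0) ('Candidates: ' + (($certs | ForEach-Object { $_.Subject }) -join '; '))

    # 7. NRPT rule covering the internal host, i.e. DNS Resolution via Tunnel Gateway took effect (section 2.7).
    $nrpt = @(Get-DnsClientNrptRule -ErrorAction SilentlyContinue | Where-Object {
        @($_.Namespace) | Where-Object { $_ -and $InternalHost -like ('*' + $_.TrimStart('.')) }
    })
    Add-Finding 'NRPT rule for internal domain' ($nrpt.Count -gt 0) ('Namespaces: ' + (($nrpt | ForEach-Object { $_.Namespace }) -join ', '))

    # 8. Tail of the connectivity log, win_tunnel, not win_tunnelui (section 2.6).
    $logDir = 'C:\ProgramData\VMware\VMware Tunnel'
    $log = Get-ChildItem -Path $logDir -Filter 'win_tunnel*' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -notlike 'win_tunnelui*' } | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $tail = if ($log) { (Get-Content -LiteralPath $log.FullName -Tail 3) -join ' | ' } else { "no win_tunnel log in $logDir" }
    Add-Finding 'Connectivity log' ($null -ne $log) $tail

    return $findings
}

# Replace the GUID with the Application ID from your console; add -DeviceUdid to narrow the certificate check.
Test-TunnelClientHealth -AppGuid '{3A7FE2DB-8AE4-4DBA-A9D3-042C88F53A50}' | Format-Table Check, Ok, Detail -AutoSize -Wrap
```

Read the findings top to bottom: the first check that reports Ok = False is normally the place to start, since a missing install record makes the later checks moot, and a missing TunnelConfiguration key explains a Not Configured status before the service or certificate checks become relevant.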

Deploying Workspace ONE Tunnel for Android

Introduction

Per-App Tunnel lets users reach internal resources from the applications on their devices, so they can perform business-critical tasks from a single app, which streamlines the user experience.

Leveraging Per-App Tunnel allows you to control which applications on a device and what internal resources the applications have access to by automatically enabling or disabling Per-App VPN access, based on which applications are active. By enabling remote access, you no longer need to provide a device-wide VPN on your devices, which can allow unintended or unauthorized apps or processes to access your VPN. In this tutorial, you configure and deploy VMware Workspace ONE Tunnel to enable the Per-App Tunnel component on managed devices.

These exercises involve the following components:

  • Workspace ONE Tunnel – The app used on the device to securely connect to the Unified Access Gateway to provide Per-App Tunnel functionality, also referred to as Tunnel Client.
  • Unified Access Gateway – The virtual appliance where the VMware Tunnel edge service is installed, and to which the tunnel client connects.
  • Per-App Tunnel – Component of VMware Tunnel edge service for connecting to a secure tunnel channel on a per-application basis, which is controlled and configured by the VPN profile payload and Device Traffic Rules.
  • Per-App VPN Profile and Device Traffic Rules – The Workspace ONE UEM configuration that is pushed to the device and contains the Per-App Tunnel settings. Every time a specified application is opened, the Workspace ONE Tunnel client evaluates the Device Traffic Rules assigned to it before making any routing decision, and establishes a Per-App Tunnel connection with the Unified Access Gateway based on the Per-App VPN Profile configuration.

High-Level Architecture

The device contains the applications the end user needs to perform their daily job. Some applications require access to internal resources to function. Based on the Per-App VPN configuration, those applications use Workspace ONE Tunnel, which communicates with the Tunnel service on the Unified Access Gateway in the DMZ. The Tunnel service validates that the requesting device is compliant before authorizing access to the internal resource.

Prerequisites

Before you can perform the steps in this exercise, you must have the following components installed and configured:

  • Workspace ONE UEM version 1909 and later
  • A device running Android 8.0 or later, enrolled in Workspace ONE UEM
  • The latest version of Workspace ONE Tunnel app from Google Play Store
    • Deploy Workspace ONE Tunnel using Android Enterprise.

Configuring Device Traffic Rules for Android

In this activity, you configure Device Traffic Rules for Android.

Note: Domain values used in this section are examples only. Your values will differ.

1. Access Configurations


In the Workspace ONE UEM Console:

  1. Click Groups & Settings.
  2. Click Configurations.

2. Select Tunnel Settings

  1. Scroll through the list of Configurations if necessary.
  2. Select Tunnel.

3. Edit Device Traffic Rules


From within the Device Traffic Rules information block on the Tunnel Configuration page, click Edit.

4. Add Device Traffic Rule

  1. Observe (and optionally modify) the default action which applies to all Android applications:
    • Tunnel – All apps on the device configured for Per-App Tunnel send network traffic through the tunnel. For example, set the Default Action to Tunnel to ensure all configured apps without a defined traffic rule use the Workspace ONE Tunnel for internal communications.
    • Block – Blocks all apps on the device configured for Per-App Tunnel from sending network traffic. For example, set the Default Action to Block to ensure that all configured apps without a defined traffic rule cannot send any network traffic regardless of destination.
    • Bypass – All apps on the device configured for Per-App Tunnel bypass the tunnel and connect to the Internet directly. For example, set the Default Action to Bypass to ensure all configured apps without a defined traffic rule bypass the Workspace ONE Tunnel to access their destination directly.
  2. Click Add Device Traffic Rule.

5. Build Device Traffic Rule

In the newly created Device Traffic Rule:

  1. Click the down arrow to display the  Application list.
  2. Select one or more triggering applications to control with this rule. Alternatively, select All Applications to apply the rule to every Android application listed in the drop-down, which are the applications to which you assigned the Per-App VPN profile.
  3. Enter one or more comma-separated fully qualified domain names as destinations to which Workspace ONE Tunnel should apply the Device Traffic Rule. A single asterisk (*) can be used as a wildcard for subdomains.  
  4. Select the Appropriate Action for Workspace ONE Tunnel to perform on traffic from the selected apps:
    • Tunnel – Sends app network traffic for specified domains through the tunnel to your internal network.
    • Block – Blocks all traffic sent to specified domains.
    • Bypass – Bypasses the Workspace ONE Tunnel so the application accesses specified domains directly.
    • Proxy – Redirect traffic to the specified HTTPS proxy for the listed domains. The proxy must be HTTPS and must follow the correct format: https://example.com:port.
  5. If necessary, adjust the Device Traffic Rules rank in the list. Lower-numbered rank is the highest priority.
  6. Click Save.

The example shown blocks access to Facebook, Tinder, and Utorrent domains for all applications available on the Android device.

Note: Wildcards must follow one of these formats:

  • *.<domain>.*
  • *<domain>.*
  • *.* — You cannot use this wildcard for Safari rules.
  • * — You cannot use this wildcard for Safari rules.

6. Add Additional Rules and Publish

  1. Click Add Device Traffic Rule and repeat  Build Device Traffic Rule for any additional required rules.
  2. Drag the rules to adjust your Device Traffic Rules priority.
  3. When the Device Traffic Rules are configured as necessary, click Save and Publish.

The example shown defines a traffic rule that will enable access to the internal server atl-intranet-corp.airwlab.com through Remote Desktop and Workspace ONE Web apps.
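Rank and default action are where traffic rules most often surprise people, on Windows (Build Device Traffic Rule, earlier in this tutorial) as much as on Android. The following PowerShell is a small model of rule evaluation added for this page; it is not the Tunnel client's own code, and its matching semantics (rules tried in rank order, first match wins, the default action applied to a configured app that matches no rule, and * matching any run of hostname characters so that subdomains are covered) are an assumption based on what this tutorial states. The rule set is constructed from the examples in this tutorial; the *.airwlab.com destination and the rank-3 Bypass rule are added here to illustrate precedence.

```powershell
# Added example for this page (not VMware code). Models how Device Traffic Rules select an
# action for a given app and destination, so a rule set can be sanity-checked before publishing.

function ConvertTo-DomainRegex {
    param([Parameter(Mandatory)][string]$Pattern)
    # Escape the literal parts, then let each * match any run of hostname characters (subdomains included).
    '^' + ([regex]::Escape($Pattern.Trim()) -replace '\\\*', '[A-Za-z0-9.-]*') + '$'
}

function New-TrafficRule {
    param(
        [Parameter(Mandatory)][int]$Rank,                                 # lower rank = higher priority
        [Parameter(Mandatory)][string[]]$Apps,                            # 'All Applications' applies the rule to every configured app
        [Parameter(Mandatory)][string]$Destinations,                      # comma-separated, exactly as typed into the console
        [Parameter(Mandatory)][ValidateSet('Tunnel','Block','Bypass','Proxy')][string]$Action
    )
    [pscustomobject]@{
        Rank    = $Rank
        Apps    = $Apps
        Action  = $Action
        Domains = @($Destinations -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
}

function Resolve-TrafficAction {
    param(
        [Parameter(Mandatory)][string]$App,
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][object[]]$Rules,
        [ValidateSet('Tunnel','Block','Bypass')][string]$DefaultAction = 'Tunnel'
    )
    foreach ($rule in ($Rules | Sort-Object Rank)) {
        if (($rule.Apps -notcontains 'All Applications') -and ($rule.Apps -notcontains $App)) { continue }
        foreach ($domain in $rule.Domains) {
            if ($HostName -match (ConvertTo-DomainRegex $domain)) {
                return [pscustomobject]@{ App = $App; Host = $HostName; Action = $rule.Action; MatchedBy = "rank $($rule.Rank): $domain" }
            }
        }
    }
    # A configured app with no matching rule falls back to the default action.
    [pscustomobject]@{ App = $App; Host = $HostName; Action = $DefaultAction; MatchedBy = 'default action' }
}

# Constructed rule set: the tutorial's Tunnel and Block rules, plus a catch-all Bypass at the lowest priority.
$rules = @(
    New-TrafficRule -Rank 1 -Apps 'Google Chrome', 'RDP', 'System' -Destinations 'atl-intranet-corp.airwlab.com, *.airwlab.com' -Action Tunnel
    New-TrafficRule -Rank 2 -Apps 'Google Chrome' -Destinations '*cnn.com, *facebook.com, *match.com' -Action Block
    New-TrafficRule -Rank 3 -Apps 'Google Chrome' -Destinations '*' -Action Bypass
)

Resolve-TrafficAction -App 'Google Chrome'     -HostName 'atl-intranet-corp.airwlab.com' -Rules $rules   # app and host in the rank-1 rule
Resolve-TrafficAction -App 'RDP'               -HostName 'files.airwlab.com'             -Rules $rules   # wildcard subdomain match
Resolve-TrafficAction -App 'Google Chrome'     -HostName 'www.facebook.com'              -Rules $rules   # ranks 2 and 3 both match; rank decides
Resolve-TrafficAction -App 'Google Chrome'     -HostName 'www.example.com'               -Rules $rules   # only the catch-all matches
Resolve-TrafficAction -App 'Workspace ONE Web' -HostName 'www.facebook.com'              -Rules $rules -DefaultAction Block   # no rule names this app
```

Two things the model makes visible: a broad destination such as * placed at a low rank number silently shadows every more specific rule below it, and an app that is assigned the Per-App VPN profile but appears in no rule gets whatever the default action is, so set Default Action deliberately rather than leaving it at whatever the console proposes.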

Distributing Workspace ONE Tunnel for Android

In this activity, you deploy the Workspace ONE Tunnel app from Google Play as a public application on Android.

1. Add Workspace ONE Tunnel as a Public App

  1. Click Add.
  2. Click Public Application.

2. Search for Workspace ONE Tunnel

  1. Select Android for the Platform.
  2. Enter an application Name. For example, Workspace ONE Tunnel.
  3. Click Next.

3. Select Workspace ONE Tunnel

Select the Tunnel - Workspace ONE result.

4. Approve Workspace ONE Tunnel

Click Approve for Tunnel - Workspace ONE app.

Select Approve for any following requests.

5. Save and Assign Workspace ONE Tunnel

Click Save & Assign.

6. Add Assignment for Workspace ONE Tunnel

Click Add Assignment.

7. Configure Workspace ONE Tunnel Assignment Settings

  1. Click the Selected Assignment Groups field to display the list of created Assignment Groups. Enter All Devices, and select the All Devices (your@email.shown.here) group.
  2. Select Auto for the App Delivery Method.

8. Configure Policies for Workspace ONE Tunnel

  1. Scroll down to find the Policies section.
  2. Select Enabled for Managed Access.
  3. Click Add.

9. Confirm Assignment and Save

  1. Verify that the assignment you created is displayed.
  2. Click Save & Publish.

10. Preview Assigned Devices and Publish

Click Publish.

Android Considerations

Note the following for Workspace ONE Tunnel on Android:

  • After installing VMware Workspace ONE Tunnel for Android, end users must launch the application at least once and accept the VPN connection request before any app traffic can be tunneled.
  • The key icon in the notification center displays because an application that uses Per-App Tunnel is installed. It does not indicate an active connection or session with the VMware Tunnel service, and it displays even when you are not actively browsing.
  • Certain Android devices allow end users to disable the VPN at the OS level. Doing so prevents VMware Tunnel from working on the device.

Creating Per-App VPN Profile for Android

A Per-App VPN profile allows you to force selected applications to connect through your corporate VPN. Your VPN provider must support this feature, and you must publish the applications as managed applications.

In this activity, you create the Android profile which configures the Workspace ONE Tunnel client on the device to allow only designated applications to access content on internal servers.

1. Add a New Profile

  1. Click Add.
  2. Click Profile.

2. Select the OS for the Profile

Select Android.

3. Configure the General Properties of the Profile

  1. Enter the Name, for example, Per-App VPN.
  2. Click the Assigned Smart Group field and select your device's assignment group. For example, select All MDM Enrolled Devices (ACME Corp).

4. Add a VPN Payload

  1. Click VPN from the Payload menu.
  2. Click Configure to access the VPN payload settings.

5. Configure the VPN Payload

  1. Select Workspace ONE Tunnel from the Connection Type drop-down menu.
  2. Click Save & Publish.

6. Publish the VPN Profile

Click Publish.

Configuring Workspace ONE Web for Per-App Tunnel

Workspace ONE Web is part of the secure productivity app suite from VMware. Administrators can deploy Workspace ONE Web when data loss prevention and copy/paste restrictions are critical to the business use case.

In this activity, you distribute and configure Workspace ONE Web for Per-App Tunnel on Android.


1. Adding Application

  1. Select Apps & Books.
  2. Select Native under Applications.
  3. Click Add Application.

1.1. Searching for Workspace ONE Web on Google Play Store

  1. Select Android for the Platform.
  2. Enter Workspace ONE Web for the Name.
  3. Click Next.

1.2. Select Workspace ONE Web


Select the Workspace ONE Web app and approve it.

1.3. Save & Assign the App


Click Save & Assign.

1.4. Add Assignments


Click Add Assignment.

1.5. Assign Per-App VPN profile to Workspace ONE Web

  1. Select All Devices for the Assignment Groups.
  2. Select Auto for the App Delivery Method.
  3. Enable Managed Access.
  4. Enable App Tunneling.
  5. For Android, select the Per-App VPN profile that you previously created.
  6. Click Add.

1.6. Save and Publish the Assignment


Click Save and Publish.

Testing Per-App Tunnel on Android

Now that the enrolled device has received the settings configured in the Workspace ONE UEM Console, you are ready to begin testing the Per-App Tunnel functionality. The applications assigned in the previous exercises should push down during enrollment. The VMware Tunnel and Workspace ONE Web applications should be installed on your device.

In this activity, launch Workspace ONE Web and access the internal website. Then verify that, although the VPN connection is active, other applications on the device are not able to access the tunnel or internal resources.

1. Open Workspace ONE Tunnel


Press the Home button on your device to return to the home screen. Swipe to the app drawer to see the downloaded applications, if needed.

Tap the Workspace ONE Tunnel icon to launch the application. If prompted, select OK to allow Workspace ONE Tunnel to send your device push notifications.

Note: On Android, the Workspace ONE Tunnel client must be launched once before it can silently route traffic for subsequent sessions.


After the application has been opened, accept the privacy prompts and tap Continue.

2. Accept the Privacy Prompt


Tap I understand to accept the Privacy prompt.

3. Agree to the Data Sharing Prompt


Tap I agree to accept the Data Sharing Prompt.

4. Confirm Tunnel Connectivity


After the Tunnel Client has been opened, you can see three areas.

  1. Device VPN Configuration
    • The Profile or Policy that is delivered from Workspace ONE UEM. It shows a list of apps that will use the VPN Tunnel.
  2. Internet 
    • Displays whether the device has internet connectivity or not.
  3. Enterprise Server
    • Displays whether the device has connectivity to the VMware Tunnel edge service.

5. Launch Workspace ONE Web


Press the Home button on your device to return to the home screen. Swipe to the app drawer to see the downloaded applications, if needed.

Tap the Workspace ONE Web icon to launch the application. If prompted, tap OK to allow the Web to send your device push notifications.

6. Access the Internal Website with Workspace ONE Web

  1. After the application launches, enter the URL for your intranet website, such as https://atl-intranet-corp.airwlab.com.
  2. Confirm that the VPN key icon appears, indicating that Per-App Tunnel is configured for this application. On first launch the application also connects to Workspace ONE UEM and retrieves the settings for your Organization Group.
  3. The website should load. In this example, it displays a Welcome message.
  4. Select and copy the internal URL. In the next step, you test entering this URL into another browser.

7. Paste the URL Into Another Browser

  1. Open another browser, such as Chrome.
  2. Paste the URL copied in the previous step and attempt to load it.
  3. Confirm that the page does not load. Only the applications assigned the Per-App VPN profile can reach internal resources; all other apps are kept off the tunnel.

Note: This example used an Android Enterprise device. Android Enterprise separates personal data from corporate data, and with Per-App Tunnel you can further isolate tunnel access to only those managed applications that need it, rather than exposing all corporate resources to every app in the work container. This example shows Chrome inside the Work Profile attempting, and failing, to reach internal resources.

Troubleshooting Per-App Tunnel on Android

If a Per-App Tunnel problem occurs on Android, you can check a number of places to troubleshoot. This section of the operational tutorial covers where to troubleshoot the Workspace ONE Tunnel client for Android at a high level.  

Depending on the problem, there may be steps that should be performed on the Unified Access Gateway. However, troubleshooting the Unified Access Gateway is outside the scope of this tutorial. 

Workspace ONE UEM administrators should contact VMware Support for assistance when troubleshooting Per-App VPN, Workspace ONE Tunnel, or the Unified Access Gateway.

This section is divided into three parts and guides you through high-level steps to troubleshoot the Workspace ONE Tunnel installation and connectivity.

  1. Troubleshooting Device Connectivity
    • Shows where to look for Tunnel client connectivity issues.
  2. Collecting logs automatically
    • Useful for reproducing issues and retrieving the Workspace ONE Tunnel client log files.
  3. Advanced: Collecting logs manually on an Android device
    • For advanced cases where you need to see how the device's VPN stack is behaving. Use this step only on test devices; leaving Developer Options and USB debugging enabled on a production device is not recommended.

1. Troubleshoot Device Connectivity


Open the Tunnel Application and tap the Diagnostics menu option.

  1. Any connectivity issues with the Tunnel server or a proxy server are shown in the UI.
  2. Tap the email option in the upper-right corner to send these logs to your administrator.

2. Collect Logs Automatically

Open the Tunnel Application and tap the Diagnostics menu option.

  1. Toggle the Enable debug logs switch to enable.
  2. After the issue is reproduced, go to your internal storage and open the AirWatchLogs folder.
  3. This folder contains a set of log files that, if required, can be shared with the Workspace ONE support teams.

3. Advanced: Collect Logs Manually on an Android Device

  1. To collect logs manually, you must enable developer options on the mobile device.
    • Navigate to Settings > About on the device and tap Build number seven times to enable developer options.
  2. Enable USB debugging under Settings > Developer Options.
  3. Connect the device to a laptop with a USB cable and install the device drivers.
    • Confirm that the laptop detects the device by running adb devices in a command prompt. The device should be listed by its serial number with the state device. If it is listed as unauthorized, accept the Allow USB debugging prompt on the device and run the command again.
    • adb is part of the Android SDK Platform Tools, which you can download from http://developer.android.com.
  4. After the device is detected (keep the device connected), run adb logcat -v threadtime > TunnelLogs.log. Logs are written continuously to the file.
  5. After the issue is reproduced, stop logging by pressing Ctrl+C or by disconnecting the device.
  6. If required, share TunnelLogs.log with the Workspace ONE support teams.
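The following shell script wraps the manual adb steps above into a repeatable collection routine. It is an added example and not part of the tutorial or of any VMware tooling. It assumes adb from the Android SDK Platform Tools is on PATH; the serial numbers and the sample adb devices output are constructed for illustration, and the default output file name TunnelLogs.log is taken from the steps above. The script refuses to start a capture when the device is unauthorized (USB debugging prompt not accepted), offline, or when more than one device is attached, which are the usual reasons a blind adb logcat produces an empty or wrong log.

```sh
#!/bin/sh
# Added example, not from the tutorial: wrapper around the manual adb steps.
# Assumes adb (Android SDK Platform Tools) is on PATH. Serials, the sample
# output below and the output file name are illustrative.

# Constructed sample of `adb devices` output. adb separates the serial and its
# state with a tab. "unauthorized" means the "Allow USB debugging?" prompt on
# the device was not accepted; "offline" means the transport is not usable.
SAMPLE_ADB_DEVICES=$(printf 'List of devices attached\n0123456789ABCDEF\tdevice\nFEDCBA9876543210\tunauthorized\n')

# Print the serial of every device in the usable "device" state.
# Skips the header line and ignores unauthorized/offline entries and any
# "* daemon ..." lines adb may print before the header.
ready_devices() {
  printf '%s\n' "$1" | awk 'NR > 1 && NF == 2 && $2 == "device" { print $1 }'
}

# Print the state of one serial (device, unauthorized, offline) or "absent"
# if adb does not list it at all. $1 = adb devices output, $2 = serial.
device_state() {
  state=$(printf '%s\n' "$1" | awk -v s="$2" 'NR > 1 && $1 == s { print $2 }')
  printf '%s\n' "${state:-absent}"
}

# Pick exactly one usable device. Fails when none is usable and when several
# are attached, because logcat without -s is ambiguous in that case.
select_device() {
  serials=$(ready_devices "$1")
  count=$(printf '%s\n' "$serials" | awk 'NF { n++ } END { print n + 0 }')
  [ "$count" -eq 1 ] || return 1
  printf '%s\n' "$serials"
}

# Capture a threadtime-formatted logcat from the selected device into $1
# (default TunnelLogs.log). The buffer is cleared first so the file starts at
# the point where you reproduce the issue. Stop the capture with Ctrl+C.
collect_tunnel_logs() {
  out="${1:-TunnelLogs.log}"
  serial=$(select_device "$(adb devices)") || {
    echo "expected exactly one device in 'device' state; check 'adb devices'" >&2
    return 1
  }
  adb -s "$serial" logcat -c
  adb -s "$serial" logcat -v threadtime > "$out"
}

# Usage (on a laptop with the test device attached):
#   collect_tunnel_logs TunnelLogs.log
```

Clearing the buffer with logcat -c before capture keeps the file focused on the reproduction; if you need the history leading up to the failure, drop that line and accept a larger file.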

Summary and Additional Resources

Conclusion

This operational tutorial provided steps to leverage native Per-App Tunnel capabilities across mobile platforms, Android and iOS, and desktop platforms, macOS and Windows 10. 

By publishing Per-App VPN profiles to your devices, you can ensure that only authorized apps are accessing your VPN. This eliminates the user requirement to manually start and end VPN connections based on the apps they are accessing. 

It also provides an extra layer of security to your corporate resources by ensuring that non-authorized apps are unable to connect to your VPN, creating the beginnings of a Zero Trust model for application access.

Terminology Used in This Tutorial

The following terms are used in this tutorial:

application store: A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment: Simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box Experience.
catalog: A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud: A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
device enrollment: The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as Workspace ONE Access (formerly VMware Identity Manager).
identity provider (IdP): A mechanism used in a single sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
mobile device management (MDM) agent: Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
one-touch login: A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
service provider (SP): A host that offers resources, tools, and applications to users and devices.
virtual desktop: The user interface of a virtual machine that is made available to an end user.
virtual machine: A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level-up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon. 


Change Log

The following updates were made to this guide.

Date Description of Changes
2020-03-26
  • Added Windows, Android and macOS Platforms. 
  • Edited iOS Platform.

About the Authors

This tutorial was written by:

  • Andreano Lanusse, End-User-Computing Staff Architect, Technical Marketing, VMware.
  • Darren Weatherly, End-User-Computing Senior Architect, Technical Marketing, VMware.
  • Robert Terakedis, End-User-Computing Senior Architect, Technical Marketing, VMware.

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.
