Deploying VMware Workspace ONE Tunnel: Workspace ONE Operational Tutorial

The remainder of this section assumes that Tunnel Service is properly configured and running on the Unified Access Gateway or on the VMware Secure Access. For more details, see Configuring the VMware Tunnel Edge Service: VMware Workspace ONE Operational Tutorial.

Per-App Tunnel restricts tunnel traffic only to authorized applications and destinations (domain) specified by the UEM administrator when configuring the Device Traffic Rules.

On Full Device Tunnel configuration, traffic is restricted based on the authorized destinations (domains or IPs), regardless of the application. Full Device mode requires Workspace ONE UEM 2102+,  Workspace ONE Desktop Tunnel 2.1+, and it is available only on Windows 10.

For more information, see Supported Platforms for VMware Workspace ONE Tunnel.

For more information on Standalone requirements, see Configuring VMware Tunnel Client for Standalone enrollment.

To enable Tunnel for SDK-based apps, navigate to Groups and Settings > Apps > Settings and Policies > Security Policies in the Workspace ONE UEM Console.

1. Select Enabled to enable the AirWatch App Tunnel.
2. Select VMware Tunnel for the App Tunnel Mode.

After that, define the Device Traffic Rules for the iOS and Android SDK-enabled applications which will be covered later as part of this tutorial.

As a reminder, when using the MAM workflow and registered mode using the Workspace ONE Intelligent Hub, the SDK-enabled apps must be deployed through the Intelligent Hub catalog, and the Workspace ONE Tunnel app is not required.

Workspace ONE Tunnel app can be deployed as standalone app and perform enrollment without Workspace ONE Intelligent Hub or any device management. In this scenario Workspace ONE UEM will only contain the device record.

The Server Traffic Rules enable you to manage how application traffic is routed throughout your network after traversing the Tunnel Service on Unified Access Gateway infrastructure. Specifically, if you require the use of proxies in your network or for external access, these proxies can be defined and configured as part of Server Traffic Rules.

Configuration of Service Traffic Rules will not be covered in this tutorial. For additional information, see Configure Server Traffic Rules in VMware Docs.

The Device Traffic Rules define how traffic from specified applications (Per Application) or devices (Full Device) is routed by the Workspace ONE Tunnel application. The device traffic rules serve as a locally enforced Access Control List, defining which apps and destinations should be blocked, tunneled, proxied, or bypass the tunnel completely.

Under Manage Traffic Assignments, administrators can create multiple Device Traffic Rule sets to segment traffic to internal resources, such as rules for employees' devices that are less restricted than access to contractor devices.

• Each traffic assignment (Device Traffic Rule Set) contains multiple rules.
• A profile can only have a single traffic assignment (Device Traffic Rule Set).
• A device can only apply a single VPN profile at any one time.

Manage Traffic Assignments requires Workspace ONE UEM 2011, otherwise, a single Device Traffic Rule set can be created.

For each device traffic rule, you must set a Tunnel Mode to determine if traffic will be tunneled Per-Application or Full Device, then defined rules are ranked in order of execution. Multiple device traffic rules can be created and assigned to a profile that uses smart groups to determine the device assignment of the rules.

As an example in device traffic rules set for Per-Application tunnel mode, every time a specified application is opened, the Tunnel client evaluates the Device Traffic Rule assigned to it before making any routing decisions. If no set rules match the situation, the Tunnel applies the default action. The default action behavior can vary per platform:

• On the iOS platform, the default action set for all managed applications with tunnel profile associated except for Safari and applies to domains not mentioned in a rule. If no rules are specified, the default action applies to all domains and all managed applications associated with VPN Profile.
• On the macOS platform, the default action set for all macOS applications specified on the DTR rules applies to domains not mentioned in a rule. At least one rule must be defined and when it doesn’t match any rule the default action applies to all domains and all macOS applications mentioned above in the Rank.
• On the Windows 10 platform, the default action set for all Windows applications specified on the DTR rules applies to domains not mentioned in a rule. At least one rule must be defined and when it doesn't match any rule the default action applies to all domains and all Windows applications mentioned above in the Rank.
• On the Android platform, the default action set for all Android managed applications with tunnel profile associated and applies to domains not mentioned in a rule. If no rules are specified, the default action applies to all domains and all managed applications associated with VPN Profile.

More information about the specifics of device traffic rules per platform will be covered as part of this tutorial in the following chapters.

The device traffic rules help to separate personal and corporate traffic. Think of a scenario where the end-user can check their personal email, visit social media, and so on, without having their personal traffic inspected. We provide privacy where a traditional VPN cannot.

You can use wildcard characters for your hostnames. Wildcards must follow the format:

• *.<domain>.*
• *<domain>.*
  
  • Includes primary domain and subdomains - for example, www.example.com, example.com, store.example.com
• *.* — You cannot use this wildcard for Safari domain rules (iOS and macOS specific)
• * — You cannot use this wildcard for Safari domain rules (iOS and macOS specific)

Use of IPs and port ranges are only supported for Device Traffic Rules on Windows 10 devices. The following list contains supported formats for the IPv4 & Port range when applying the Device Traffic Rules (DTR).

1. Single IP
   
   1. 10.10.0.1 or 10.10.10.1/32
2. IP range or subnet
   
   1. 10.10.10.1/24
   2. 10.10.0.0/16
3. Single Port
   
   1. *.example.com:80, 10.10.10.1:80,10.10.11.1/32:80
   2. *.example.com:[443], 10.10.11.1/24:[443]
4. Port Range
   
   1. *.example.com:[80-443], 10.10.10.1:[80-443],10.10.11.1/32:[80-443]
   2. 10.10.11.1/24:[80-443]
5. List of Ports
   
   1. *.example.com:[80,443], 10.10.10.1:[80,443],10.10.11.1/32:[80,443]
   2. 10.10.11.1/24:[80,443]
6. List of Ports and Ranges
   1. *.example.com:[80,443, 8080-8085], 10.10.10.1:[80,443,8080-8085],10.10.11.1/32:[80,443,8080-8085]
   2. 10.10.11.1/24:[80,443,8080-8085]

When the administrator changes the Device Traffic Rules and clicks Save and Publish, an updated version of the VPN profile mapped to the Device Traffic Rules will be created and queued for all the assigned devices. That process will reissue the client certificate as part of the profile to the device with a new thumbprint.

The Tunnel client app might not be able to establish a connection with Tunnel Service until the new VPN profile gets installed on the device. Forcing a sync on the device can speed up the profile installation but in environments with a large number of devices, this process can take additional time.

The Save and Publish option is only available on the default Device Traffic Rules set.

When the administrator changes the Device Traffic Rules set and clicks Save, the Device Traffic Rules get mapped to the profile, but the updated Device Traffic Rules are not replaced for the devices where the VPN profile is already installed. Device Traffic Rules are only updated for the newly enrolled devices or for the devices that have the VPN profile reinstalled.

Save is the only option available for a non-default Device Traffic Rules set - this means that after you change the device traffic rule set and hit save, you must push a new version of the VPN profile to current devices where the profile was already deployed.

As mentioned previously, publishing a device traffic rule or changes on the VPN Profile will create a new profile version and queue it to all assigned devices. The tunnel client might not be able to establish a connection with the Tunnel Service until the new profile comes down to the device. The administrator can monitor the deployment status of the new VPN profile with the following steps:

Locate the VPN profile under the Resources / Profiles & Base Lines / Profiles and click the View link to identify the total number of profiles not installed, installed and assigned. Click the Not Installed hyperlink to push the profile manually.

Locate the device under the Devices / List View, select the Profile page and point to the Profile Status. Selecting the profile allows you to send a command to remove or install the profile on the respective device.

When using DNS suffix, Workspace ONE Tunnel compares the DNS suffix defined on the device against the list of trusted networks configured on the Trusted Network Detection field to determine if the device is on the trusted network or not.

Administrators can add a list of domains separated by a comma into the Trusted Network Detection field (see the following screenshot) and that will leverage DNS suffix. Workspace ONE Tunnel fails to connect when the device is on a trusted network.

When using Probe URL (recommend method), Workspace ONE Tunnel will make HTTP calls against the list of private URLs defined in the custom configuration probe URLs to determine if the device is on the trusted network or not.

Administrators can add a list of domains separated by a comma into the Custom Configuration XML field (see the following screenshot) using the TrustedNetworkProbeUrl XML tag. Workspace ONE Tunnel fails to connect when the device is on a trusted network.

In the Workspace ONE UEM Console:

1. Click Groups & Settings.
2. Click Configurations.

1. Scroll through the list of Configurations if necessary.
2. Select Tunnel.

From within the Device Traffic Rules information block on the Tunnel Configuration page, click Edit.

Administrators can create multiple Device Traffic Rules that will be assigned to the Per-APP VPN profile and will deploy to the devices based on the smart group assigned to the Profile. The first device traffic rule assignment created will be set as default.

1. Click Add or the Default assignment to manage the device traffic rules.

1. Update the Assignment Name with the name you want to.
2. Observe (and optionally modify) the default action which applies to all iOS applications selected to use Per-App VPN except Safari:
   • Tunnel – All apps, except Safari, on the device configured for Per-App Tunnel send network traffic through the tunnel. For example, set the Default Action to Tunnel to ensure all configured apps without a defined traffic rule use the Workspace ONE Tunnel for internal communications.
   • Block – Blocks all apps, except Safari, on the device configured for Per-App Tunnel from sending network traffic. For example, set the Default Action to Block to ensure that all configured apps without a defined traffic rule cannot send any network traffic regardless of destination.
   • Bypass – All apps, except Safari, on the device configured for Per-App Tunnel bypass the tunnel and connect to the Internet directly. For example, set the Default Action to Bypass to ensure all configured apps without a defined traffic rule bypass the Workspace ONE Tunnel to access their destination directly.
   • Proxy – Redirect traffic to the specified HTTPS proxy for the listed domains. The proxy must be HTTPS and must follow the correct format: https://example.com:port.
3. Click ADD RULE.

1. Click the drop-down for the Applications list. Alternatively, on the drop-down select All Applications to apply the rule to all iOS applications listed in the drop-down, which are the ones that you assigned the Per-App VPN profile.
2. Select one or more iOS apps for which this rule applies.
3. Enter one or more destinations to control via Workspace ONE Tunnel.
4. Select the Action to apply for the selected apps when they attempt to access the specified destinations.

For more information on the formats (wildcards, IP, ports) allowed into the Destination field, see the Device Traffic Rules Destination formats supported chapter.

Tip:  iOS apps are automatically added to the Applications selection list after you enable an application for Per-App Tunnel when creating assignments in Apps and Books.

Note: Wildcards must follow one of these formats:

• *.<domain>.*
• *<domain>.*
• *.* — You cannot use this wildcard for Safari rules.
• * — You cannot use this wildcard for Safari rules.

1. Click Add Rule and repeat Build Device Traffic Rule for any additional required rules.
2. Drag the rules to adjust your Device Traffic Rules priority.
3. After the Device Traffic Rules are configured as necessary, click Save and Publish.

1. Click Add.
2. Click Profile.

Select Apple iOS.

Select Device Profile.

1. Enter the name, such as Per-App VPN in this example screenshot.
2. Select the name of your device's smart group, and select that group. For example, select All Devices (your@group.shown.here) as the assigned Smart Group.
3. Click VPN then click Configure.

1. Select Workspace ONE Tunnel from the Connection Type drop-down menu.
2. Select Default as the Device Traffic Rules that will be assigned to this profile.
3. Ensure the Enable VMware Tunnel is selected.
4. Add any Mail, Contacts, and Calendar Domains. Do not configure Safari Domains - these are configured in the VMware Tunnel Configuration later in this guide.
5. Click Save & Publish then click Publish.

Note: Safari Domains should be configured in the Device Traffic Rules for Workspace ONE Tunnel.  

In Apple Business Manager (or Apple School Manager):

1. Click Apps and Books.
2. Search for Workspace ONE Web in the search text box.
3. Select Web - Workspace ONE for iOS.
4. Choose the location for which you have uploaded the sToken into Workspace ONE UEM.
5. Enter the quantity of licenses you want to purchase.
6. Click Get. The button changes to Purchasing and when the purchase is complete, it changes back to Get.

In the Workspace ONE UEM console:

1. Click Apps & Books.
2. Expand Applications and click Native.
3. Click Purchased.
4. Click Sync Assets.
5. Click OK on the dialog box.
6. Wait a few moments and click Refresh to update the app list.
7. Click the Web - Workspace ONE app for iOS in the app list.

1. Click Enable Device Assignment.
2. Click OK to confirm device-based licensing.
3. Click Save & Assign.

Click Add Assignment.

1. Click Add Assignment.
2. Select an Assignment Group (or alternatively, create a new smart group containing the targeted devices).
3. Enter a number of licenses to allocate. Allocate up to the total number of unallocated licenses.
4. Select Auto for Assignment Type.
5. Select Enabled for Remove on Unenroll.
6. Select Enabled for Prevent Application Backup.
7. Select Enabled for Make App MDM Managed if User Installed.
8. Select Enabled and then select the Per-App VPN profile created in Creating Per-App VPN Profile for iOS.
9. Click Save.

1. If more assignments are necessary, click Add Assignment and repeat the steps in Edit Assignment.
2. Click Save and Publish, then click Publish when all assignments have been added.

Tap Settings.

1. Tap General.
2. Scroll down to find the VPN section.
3. Tap VPN.

Tap VPN Configuration from your Per-App VPN profile.

All managed applications from the Workspace ONE UEM Console that are enabled to use Per-App VPN and have an associated Device Traffic Rule appear in this list. Note that Safari is displayed to show that domains are configured for tunneling in Safari.

Return to the Launchpad by pressing the Home button on your device.

Tap the Safari icon. The VPN icon should not be displayed in the toolbar.

1. Enter the URL for a website that is accessible only through VPN.
2. Confirm that the VPN indicator is displayed when iOS launches the VPN and connects.
3. Confirm that the internal page loads.

Press the Home button on your device to return to the Launchpad. Swipe right to see the downloaded applications, if needed.

Tap the Workspace ONE Web icon to launch the application. If prompted, select OK to allow the Web to send your device push notifications.

1. If prompted, create a passcode for Workspace ONE Web.
2. Click Next.
3. Confirm the passcode by entering it again.
4. Click Confirm.

Tap I understand to accept the Privacy prompt.

Tap I agree to accept the Data Sharing Prompt.

1. When the application launches, enter the URL for your intranet website.
2. Confirm that the VPN icon appears, indicating the connection is active. The application now connects to Workspace ONE UEM and retrieves the settings for your Organization Group.
3. Confirm that the website loads. In this example, it displays a Welcome message.

Note: Depending on the Workspace ONE Web and SDK settings configured at your particular organization group level, the address bar may not be editable. This configuration is called Kiosk Mode. To work around this, there are two options which can be configured at  Groups & Settings > Configurations > Workspace ONE Web:

• Click the Bookmarks tab, click Override (if necessary), click Add Bookmark, enter a name and URL for the testing URL, and click Save.
• Scroll the settings to Kiosk Mode and click Disabled. Click Save.

These changes affect the Default settings for Workspace ONE Web in this Organization Group and all inherited organization groups unless otherwise configured.  

On an enrolled iOS device, tap Tunnel.

Tap Continue.

Tap I understand to accept the Privacy prompt.

Tap I agree to accept the Data Sharing Prompt.

1. Ensure the device and Internet connectivity are OK (showing a green checkmark symbol).
2. Tap the logging icon.

Adjust the slider to Enable Debug.

Tip: With Enable Debug turned on, Workspace ONE administrators can view logging information for the iOS device as follows:

1. Plug the iOS device into a device running macOS.
2. Ensure the iOS device trusts the connection to macOS.
3. Connect to Console, by either:
   1. Open Apple Configurator 2 and double-click the test iOS device. Click Console to view the output from the device.
   2. Open Console.app and select the iOS device from the left side.
4. Search for tunnel or iOSAppProxyProvider.

In the Workspace ONE UEM Console:

1. Click Groups & Settings.
2. Click Configurations.

1. Scroll through the list of Configurations if necessary.
2. Select Tunnel.

From within the Device Traffic Rules information block on the Tunnel Configuration page, click Edit.

Introduced in Workspace ONE UEM 2011, Device Traffic Rule Sets expand the functionality of device traffic rules allowing for granular assignment of rule sets to different groups of users and devices. Device Traffic Rule Sets are assigned when creating the per-app VPN profile in a later step.

To get started with Device Traffic Rule Sets, perform the following in the Manage Traffic Assignments screen:

1. If no other Device Traffic Rule Sets exist (or a new rule set is required), click Add to create a new Device Traffic Rule Set.
2. If modifications to an existing rule set are required, click the Device Traffic Rule Set name.

Enter a name for the Device Traffic Rule Set (or if necessary, modify the name of an existing rule set).

Click Manage Applications.

Click Add.

1. Select macOS for Platform.
2. Enter the friendly name of the application, for example, Firefox Browser. The friendly name is displayed in the Device Traffic Rule.
3. Enter the application's package id, which is the Identifier value displayed by running the command:
   codesign -dv --entitlements - /path/to.app
4. Enter the application's designated requirement, which is displayed to the right of the  => sign of the following command: codesign -d -r- /path/to.app
5. For macOS 10.15 (Catalina) and later, enter a path if creating a device traffic rule for a binary or command-line utility bundled within an application. For example, the executable vmware-remotemks must be allowlisted with path details along with the VMware Horizon Client application.
6. Click Save.

Using Firefox as an example, a Workspace ONE administrator would see the commands and values as follows:

techzone@testmac ~ % codesign -dv --entitlements - /Applications/Firefox.app
Executable=/Applications/Firefox.app/Contents/MacOS/firefox
Identifier=org.mozilla.firefox
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=415 flags=0x10000(runtime) hashes=4+5 location=embedded
Signature size=9018
Timestamp=Oct 1, 2019 at 9:08:41 PM
Info.plist entries=26
TeamIdentifier=43AQ936H96
Runtime Version=10.11.0

<<< trimmed for length >>>

techzone@testmac ~ % codesign -d -r- /Applications/Firefox.app
Executable=/Applications/Firefox.app/Contents/MacOS/firefox
designated => anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "43AQ936H96"

As highlighted in the terminal output, the necessary information is as follows:

• Package ID: org.mozilla.firefox
• Designated Requirement: anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "43AQ936H96"

Caution: Some apps spawn helper applications to assist with background tasks. One particular example of this is Google Chrome, which performs network functions outside the Google Chrome.app process in a Google Chrome Helper process. In this case, the helper application must be added to the Device Traffic Rule, otherwise, specific settings must be changed client-side.  

In the case of Google Chrome, perform the following:

1. In the URL field, type chrome://flags
2. Search for network in the Search Flags text box.
3. Set Runs network service in-process to Enabled and relaunch Google Chrome before proceeding with testing.

1. If more applications are needed for the rule set, click Add and repeat starting at Define the Application.
2. If all the required applications have been defined, click the [X] to close the Manage Applications window.

1. Observe (and optionally modify) the default action which applies to all macOS applications except Safari:
   • Tunnel – All apps, except Safari, on the device configured for Per-App Tunnel send network traffic through the tunnel. For example, set the Default Action to Tunnel to ensure all configured apps without a defined traffic rule use the Workspace ONE Tunnel for internal communications.
   • Block – Blocks all apps except Safari, on the device configured for Per-App Tunnel from sending network traffic. For example, set the Default Action to Block to ensure that all configured apps without a defined traffic rule cannot send any network traffic regardless of destination.
   • Bypass – All apps, except Safari, on the device configured for Per-App Tunnel bypass the tunnel and connect to the Internet directly. For example, set the Default Action to Bypass to ensure all configured apps without a defined traffic rule bypass the Workspace ONE Tunnel to access their destination directly.
   • Proxy - Redirect traffic to the specified HTTPS proxy for the listed domains. The proxy must be HTTPS and must follow the correct format: https://example.com:port.
2. Click Add Rule.

In the newly created Device Traffic Rule:

1. Click the down arrow to display the Application list.
2. Select one or more triggering applications to control with this rule. In case you select All Applications, the rule will be applied only to Safari and macOS applications selected in additional rules defined as part of the Device Traffic Rules.
3. Enter one or more comma-separated fully qualified domain names as destinations to which Workspace ONE Tunnel should apply the Device Traffic Rule. A single asterisk (*) can be used as a wildcard for subdomains.
4. Select the Appropriate Action for Workspace ONE Tunnel to perform on traffic from the selected apps:
   • Tunnel – Sends app network traffic for specified domains through the tunnel to your internal network.
   • Block – Blocks all traffic sent to specified domains.
   • Bypass – Bypasses the Workspace ONE Tunnel so the application accesses specified domains directly.
   • Proxy – Redirect traffic to the specified HTTPS proxy for the listed domains. The proxy must be HTTPS and must follow the correct format: https://example.com:port.
5. If necessary, adjust the Device Traffic Rules rank in the list. Lower-numbered rank is the highest priority.
6. If necessary, click Add Rule and repeat Build Device Traffic Rule until you have added all the necessary Device Traffic Rules for your organization.
7. Click Save and Publish to send the updated DTR's to all devices to which the DTR is assigned.

For more information on the formats (wildcards, IP, ports) allowed into the Destination field, see the Device Traffic Rules Destination formats supported chapter.

In Apple Business Manager (or Apple School Manager):

1. Click Apps and Books.
2. Search for workspace tunnel in the search text box.
3. Select Tunnel - Workspace ONE for macOS.
4. Choose the location for which you have uploaded the sToken into Workspace ONE UEM.
5. Enter the quantity of licenses you want to purchase.
6. Click Get. The button changes to Purchasing and when the purchase is complete changes back to Get.

In the Workspace ONE UEM console:

1. Click Resources.
2. Expand Applications and click Native.
3. Click Purchased.
4. Click Sync Assets.
5. Click OK on the dialog box.
6. Wait a few moments and click Refresh to update the app list.
7. Click the Workspace ONE Tunnel app in the app list.

1. Click Enable Device Assignment and click OK for the Are you sure? prompt.
2. Click Save & Assign.

Click Add Assignment.

1. Enter a name for the Distribution
2. Select an Assignment Group (or alternatively, create a new smart group containing the targeted devices).
3. Enter a number of licenses to allocate. Allocate up to the total number of unallocated licenses.
4. Select Auto for Assignment Type.
5. Click Create.

1. If more assignments are necessary, click Add Assignment and repeat the steps in Edit Assignment.
2. Click Save and then Publish when all assignments have been added.

1. Click Add.
2. Click Profile.

Select macOS.

Select User Profile.

1. Enter a name for the profile, for example, Per-App VPN.
2. Select Auto as the assignment type.
3. Select one or more Smart Groups to assign the VPN profile (or create a new smart group).
4. Click the VPN payload.

Click Configure.

1. Enter a name for the Per-App VPN Connection, for example, VMware Per-App VPN.
2. Select Workspace ONE Tunnel as the Connection Type.
3. Choose the Device Traffic Rule Set (as configured in Configuring Device Traffic Rules for macOS) to be assigned via this Profile Payload.
4. If required, select the check boxes for Enable Mail Domains, Enable Contacts Domains, and Enable Calendar Domains.
5. For each check box, enter a domain that should be tunneled.
6. If multiple domains are required, click Add to enter an additional domain. Repeat as necessary.
7. Click Save and Publish.

Click Publish.

1. Open an app specified in a Device Traffic Rule and ensure the application attempts to connect to the mapped domain name(s).
2. Open an app that is not specified in a Device Traffic Rule, such as Safari (which will not adhere to the default Device Traffic Rule due to the wildcard mapping). Ensure the same mapped domain name does not work.

In the section of this tutorial where device traffic rules were created for macOS, Firefox was the allowed application. In the screenshot, note that Firefox is launched and attempted connection to an approved (wildcard) destination (#1). Also, observe that Safari (which was not granted access to the tunnel) cannot connect to the endpoint.

1. Press CMD+SpaceBar (⌘+Space) and enter terminal into the Finder window.
2. Select Terminal to open Terminal.app.
3. Enter klist and press Return on the keyboard.
4. Ensure that there are no Kerberos Tickets and the command returns No credentials cache file found.

1. Launch an application which should be Kerberos-enabled. If using a website, browse to the Kerberos-enabled website.
2. Note that authentication either fails (as there are no Kerberos tickets) or reverts to a non-Kerberos authentication type (such as certificate authentication or username/password).

To connect the SSO Kerberos Extension over Per-App Tunnel, you must add the appropriate device traffic rules to the Tunnel configuration to support this. This section covers how to add the appropriate device traffic rules.

Next, create the Kerberos profile and configure the SSO extension payload.

Finally, log in to Kerberos and confirm that the Kerberos credentials are obtained over Per-App VPN by the Kerberos SSO Extension.

1. Click the Launchpad on the Dock.
2. Click VMware Tunnel.

1. Ensure that the Device Configured status shows Configured. This indicates that Workspace ONE Tunnel has received configuration data from Workspace ONE UEM. If the status is not configured, try one of the following:
   • Check the Device Traffic Rules and Save and Publish the rules again.
   • Check the last seen value for the device in the Workspace ONE UEM console. Is the device communicating with Workspace ONE UEM?
   • Validate that other MDM commands are being sent to the device. Create an assignment (smart) group containing the single device and attempt to send it a new profile payload.
2. Ensure that the Internet status shows Connected. If Tunnel cannot connect to the Internet, it probably cannot connect to the Unified Access Gateway.
   • Validate that the device has a working Ethernet or Wi-Fi connection (IP address, subnet mask, gateway, and DNS addresses are present).
   • Validate DNS resolution: Open Terminal and enter nslookup uag.fully.qualified.domain to ensure that an IP address is resolved.
   • Validate Connectivity to UAG: Within Terminal, enter nc -vz uag.fully.qualified.domain uagport (such as nc -vz uag.company.com 443).
3. Ensure that the Enterprise Network status shows Connected. If Workspace ONE Tunnel is disconnected from the Enterprise network, apps cannot use Per-App Tunnel. This might indicate an issue with Workspace ONE Tunnel connecting to the Unified Access Gateway or an issue with Device Traffic Rules.
   • The remainder of this section details how to troubleshoot Tunnel connectivity.

1. Click System Preferences.
2. Double-click Profiles.
3. Scroll through the left panel.
4. Click the Per-App VPN profile that was created.
5. Ensure that the VPN App Layer Service details are correct, especially the VPN Remote Address and the OnDemand Enabled value.
   • If the profile is missing or misconfigured, check the profile configuration and re-push the profile to the device from within the UEM Console Device Details view (on the Profiles tab).

1. Open the Workspace ONE Tunnel client and click the VMware Tunnel menu.
2. Click Whitelisted Applications.
3. Verify that the list of allowlisted applications matches the settings configured in the Device Traffic Rules.
4. From the VMware Tunnel menu (#1), click Diagnostics.
5. Click Enable Debug to get verbose information.
6. Review Diagnostics information.
7. Click Disable Debug when troubleshooting is complete.

1. Press CMD+SpaceBar (⌘+Space) and enter console into the Finder window.
2. Select the Console application.
3. Enter process:macOSAppProxyProvider into the search bar and press Return on the keyboard.
4. Without clearing the contents of the search bar, add an additional filter parameter by adding process:VMware Tunnel into the search bar and press Return on the keyboard.
5. Click the Action menu and confirm that Include Info Messages and Include Debug Messages are selected.
6. Review the logging produced within the Console application.

Tip: If the console filters do not provide any meaningful data, you can optionally attempt to view information and debug messages from entire subsystems. Some filters that may help include:

• process:macOSAppProxyProvider
• any:com.vmware.macos-tunnel

Also, if troubleshooting Kerberos over the Per-App Tunnel, you can include the following console filters:

• subsystem:com.apple.appsso
• subsystem:com.apple.appssokerberosextension

The following Terminal command might provide meaningful output:   log stream --debug --predicate '(subsystem == "com.apple.Heimdal") OR (subsystem == "com.apple.AppSSO") OR (subsystem == "org.h5l.gss") OR (subsystem == "com.apple.network") OR (process == "VMware Tunnel") '

Per Apple's Developer Website (requires login), you can use the following commands to gather additional data from the VPN (Network Extension):

• sudo defaults write /Library/Preferences/com.apple.networkextension.control.plist  LogToFile -boolean true 
• sudo defaults write /Library/Preferences/com.apple.networkextension.control.plist  LogLevel -int 7

Reproduce the issue and then enter this command in Terminal.app:

• /System/Library/Frameworks/SystemConfiguration.framework/Resources/get-mobility-info

You should find additional information in the resulting get-mobility-info output file.

You can later deactivate the logging by issuing the following commands:

• sudo defaults delete /Library/Preferences/com.apple.networkextension.control.plist  LogToFile 
• sudo defaults delete /Library/Preferences/com.apple.networkextension.control.plist  LogLevel

In the Workspace ONE UEM Console:

1. Click Groups & Settings.
2. Click Configurations.

1. Scroll through the list of Configurations if necessary.
2. Select Tunnel.

From within the Device Traffic Rules information block on the Tunnel Configuration page, click Edit.

Introduced in Workspace ONE UEM 2011, Device Traffic Rule Sets expand the functionality of device traffic rules allowing for granular assignment of rule sets to different groups of users and devices.   Device Traffic Rule Sets are assigned when creating the per-app VPN profile in a later step.

To get started with Device Traffic Rule Sets, perform the following in the Manage Traffic Assignments screen:

1. If no other Device Traffic Rule Sets exist (or a new rule set is required), click Add to create a new Device Traffic Rule Set
2. If modifications to an existing rule set are required, click the Device Traffic Rule Set name.

1. Enter a name for the Device Traffic Rule Set (or if necessary, modify the name of an existing rule set).
2. Set the Tunnel Mode to Per Application.

This first tutorial on Windows shows you how to configure device traffic rules based on Per-Application Tunnel Mode. After completing the Windows tutorial return and switch the Tunnel Mode for this rule to Full Device. The Application fields will be removed and you will be required to specify only the actions and destination domains.

Click Manage Applications.

Click Add.

1. Select Windows as the Platform.
2. Enter the friendly name of the application. The friendly name is displayed in the Device Traffic Rule.
3. Select the App Type, for example, Desktop App. The App Type can be a traditional Windows application or a Windows Store application.
4. Enter the App Identifier. For traditional Windows applications, use the File Path. For Store applications, you must enter the Package Family Name or PFN. You can use the PowerShell command Get-AppxPackage to find the PFN. For more information, see Microsoft Docs: Find a package family name (PFN) for per-app VPN.

1. If more applications are needed for the ruleset, click Add and repeat starting at Define the Application.
2. If all the required applications have been defined, click X to close the Manage Applications window.

1. Observe (and optionally modify) the default action which applies to all Windows applications.
   • Tunnel – All apps on the device configured for Per-App Tunnel send network traffic through the tunnel. For example, set the Default Action to Tunnel to ensure all configured apps without a defined traffic rule use the Workspace ONE Tunnel for internal communications.
   • Block – Blocks all apps on the device configured for Per-App Tunnel from sending network traffic. For example, set the Default Action to Block to ensure that all configured apps without a defined traffic rule cannot send any network traffic regardless of destination.
   • Bypass – All apps on the device configured for Per-App Tunnel bypass the tunnel and connect to the Internet directly. For example, set the Default Action to Bypass to ensure all configured apps without a defined traffic rule bypass the Workspace ONE Tunnel to access their destination directly.
2. Click Add Device Traffic Rule.

In the newly created Device Traffic Rule:

1. Click the down arrow to display the Application list.
2. Select one or more triggering applications to control with this rule. All Applications not applicable to Windows.
3. Select the Appropriate Action for Workspace ONE Tunnel to perform on traffic from the selected apps - For this exercise, select Tunnel.
   • Tunnel – Sends app network traffic for specified domains through the tunnel to your internal network.
   • Block – Blocks all traffic sent to specified domains.
   • Bypass – Bypasses the Workspace ONE Tunnel so the application accesses specified domains directly.
   • Proxy – Redirect traffic to the specified HTTPS proxy for the listed domains. The proxy must be HTTPS and must follow the correct format: https://example.com:port.
   • Note: Proxy is not yet supported using the Workspace ONE Tunnel Desktop Application.
4. Enter one or more comma-separated fully qualified domain names as destinations to which Workspace ONE Tunnel should apply the Device Traffic Rule. A single asterisk (*) can be used as a wild card for subdomains.
5. If necessary, adjust the Device Traffic Rules rank in the list. Lower-numbered rank is the highest priority.
6. If necessary, click Add Rule and repeat Build Device Traffic Rule until you have added all the necessary Device Traffic Rules for your organization.
7. Click Save.

For more information on the formats (wildcards, IP, ports) allowed into the Destination field, see the Device Traffic Rules Destination formats supported chapter.

Note: For Windows Desktop devices, if Enhanced Domain Resolution is not enabled on the Per-App VPN profile, the domains added to the destination must also be added to the list of domains part of the DNS Resolution via Tunnel Gateway.

Review the summary of the Device Traffic Rule configurations:

1. The Application list contains triggering applications Chrome, Remote Desktop, and System.
   • The applications appear in the following format: Application Friendly Name - UEM Organization Group - Platform
     • Google Chrome - ACME Corp - WinRT
     • RDP  - ACME Corp - WinRT
     • System - ACME Corp - WinRT
2. The Appropriate Action for Workspace ONE Tunnel to perform is Tunnel.
   • Tunnel – Sends app network traffic for specified domains through the tunnel to your internal network
   • Destination - For this example, the domains are *.corp.local and *.airwlab.com
3. Optional - You can also configure Device Traffic Rules to Block.
   • In this example, Chrome is set to block domains *.cnn.com, *.facebook.com, and *.match.com.

To download the Workspace ONE Tunnel for Windows 10 EXE Installer file:

1. Navigate to https://my.workspaceone.com/ and log in with your MyVMware credentials.
2. Navigate to Products.
3. Click All Products.

Tip: You can also navigate directly to https://my.workspaceone.com/products.

In the Workspace ONE UEM Console:

1. Click Apps and Books.
2. Select Internal Application.
3. Click Add Application and Upload.
4. Browse for the Workspace ONE Tunnel EXE installer file and click Save.
5. Select No for Is this a dependency app?.
6. Click Continue.

1. Ensure the Details tab is selected.
2. Enter a Name, for example, Workspace ONE Tunnel.

1. Navigate to the Files tab.
2. Scroll down to find the App Uninstall Process section. For VMware Tunnel, enter in VMware Workspace ONE Tunnel 1.2 for Win10_Desktop.exe /uninstall /Passive as the Uninstall Command.

In this section, define settings in the Deployment Options tab.

You can download the icon to use in your environment.

1. Select the Images tab.
2. Select the Icon tab.
3. Click the area labeled Click or drag files here.
4. Navigate to the folder containing the Application logo, or download the provided image to use.

Your icon should now be uploaded.

1. Select the Terms of Use tab.
2. If you decide to have a Terms of Use that your users must accept before installing applications, you can configure that here.  For this exercise, select None.
3. Click Save & Assign.

1. Select Assignments.
2. Click Add Assignment.

In this section, create and configure the application assignment.

On the Internal applications List View, confirm that the Workspace ONE Tunnel Desktop Application is displayed.  

You have successfully added the Workspace ONE Tunnel Desktop Application to Workspace ONE UEM for deployment.  

1. Click Add.
2. Click Profile.

Select Windows.

Select Windows Desktop.

Select Device Profile.

1. Select the General tab.
2. Enter a Name, for example, Per App VPN.
3. Select Assignment type. This example uses Auto, so devices automatically receive the policy.
4. Assign the policy to a Smart Group(s).

1. Click VPN from the Payload menu.
2. Click Configure to access the VPN payload settings.

1. Enter a Connection Name for the policy, for example, Corp VPN.
2. Select Workspace ONE Tunnel from the Connection Type drop-down menu.
3. Choose the Device Traffic Rule Set (as configured in Configuring Device Traffic Rules for Windows 10) to be assigned via this Profile Payload.
4. Select Enable for Desktop Client - This enables the Workspace ONE Tunnel Desktop Application, otherwise it will use the Windows UWP client, no longer recommended.
5. Configure Custom Configuration XML as needed. Refer to Custom Configuration XML for Windows Desktop Client for additional details on the list of  Custom Configuration parameters available.
6. Select Enable for the Enhanced Domain Resolution located under DNS Resolution via Tunnel Gateway.
7. Click Save & Publish.

Click Publish.

1. Launch Chrome as a browser. Chrome was the application specified to Tunnel traffic.
2. The Workspace ONE Tunnel Desktop Application is connected and an internal web page is displayed.
3. The address used – atl-intranet-corp.airwlab.com – is specified in the Device Traffic Rules in the previous exercise.

This web page is accessible only to applications (in this use case, Chrome) defined in the policy.

Next, open another web browser, such as Microsoft Edge, and navigate to an internal web page. For example, atl-intranet-corp.airwlab.com.

1. Launch Chrome - this is the authorized application.
2. Launch another browser - for example, Microsoft Edge.
3. The Workspace ONE Tunnel Desktop Application is connected and an internal web page is displayed.
4. The address atl-intranet-corp.airwlab.com can be resolved in Chrome, but not in Microsoft Edge.

1. In the Application access rules, certain websites are blocked. These were listed in the Device Traffic Rules.
   • Websites blocked are cnn.com, facebook.com, and match.com.
2. Open Chrome and navigate to one of these websites. This example uses facebook.com.
   • When trying to resolve the DNS name, the browser displays an error as this website is blocked.
3. Launch another browser, in this case, Microsoft Edge. Facebook.com is accessible, as the policy is configured for Chrome only.

Sometimes, you may need to RDP into desktop sessions that are located back in the office.

1. In the Application access rules, confirm the domain configuration for Remote Desktop Client access.
   Note: The RDP application is not from the Windows Store.
2. Launch the RDP application and enter the machine name. In this example, you connect to the machine atl-intranet-corp on the domain airwlab.com.
3. Workspace ONE Tunnel Desktop Application resolves this address, and you should be prompted for authentication.

Workspace ONE Tunnel Desktop Application allows remote Windows 10 users to connect to file shares located behind the corporate firewall. This can be team shares, individual shares, or connecting to a specific machines' C drive, for example.

This example uses the host atl-intranet-corp and connects to its C: drive.

1. In the search bar, enter Run and press the return key.
2. Enter the address of the file share you would like to connect to. For example, \\atl-intranet-corp.airwlab.com\c$.
3. In the Application access rules, confirm the domain configuration for System resource access.
4. Launch the SMB share. VMware Tunnel will resolve this address, and you should be prompted for authentication to the SMB share.

In this section, check issues that may arise from the Workspace ONE Tunnel desktop client application installation.

After you have successfully installed the Workspace ONE Tunnel, the next step is to test the Per-App Tunnel connectivity by attempting to access one of the internal resources through the domains defined on the Device Traffic Rules.

In the Workspace ONE UEM Console:

1. Click Groups & Settings.
2. Click Configurations.

1. Scroll through the list of Configurations if necessary.
2. Select Tunnel.

From within the Device Traffic Rules information block on the Tunnel Configuration page, click Edit.

Administrators can create multiple Device Traffic Rules that will be assigned to the Per-App VPN profile. This profile is deployed to devices based on the smart group assigned to the profile. The first device traffic rule assignment created is set as the default.

Click Add to create a new assignment or clicking on the hyperlink for the Assignment Name to edit and manage the respective device traffic rules.

1. Observe (and optionally modify) the default action which applies to all Android applications:
   • Tunnel – All apps on the device configured for Per-App Tunnel send network traffic through the tunnel. For example, set the Default Action to Tunnel to ensure all configured apps without a defined traffic rule use the Workspace ONE Tunnel for internal communications.
   • Block – Blocks all apps on the device configured for Per-App Tunnel from sending network traffic. For example, set the Default Action to Block to ensure that all configured apps without a defined traffic rule cannot send any network traffic regardless of destination.
   • Bypass – All apps on the device configured for Per-App Tunnel bypass the tunnel and connect to the Internet directly. For example, set the Default Action to Bypass to ensure all configured apps without a defined traffic rule bypass the Workspace ONE Tunnel to access their destination directly.
2. Click Add Device Traffic Rule.

In the newly created Device Traffic Rule:

1. Click ADD RULE.
2. Click the down arrow to display the  Application list.
3. Select one or more triggering applications to control with this rule. Alternatively, on the drop-down select All Applications to apply the rule to all Android applications listed in the drop-down, which are the ones that you assigned the Per-App VPN profile.
4. Enter one or more comma-separated fully qualified domain names as destinations to which Workspace ONE Tunnel should apply the Device Traffic Rule. A single asterisk (*) can be used as a wildcard for subdomains.  
5. Select the Appropriate Action for Workspace ONE Tunnel to perform on traffic from the selected apps:
   • Tunnel – Sends app network traffic for specified domains through the tunnel to your internal network.
   • Block – Blocks all traffic sent to specified domains.
   • Bypass – Bypasses the Workspace ONE Tunnel so the application accesses specified domains directly.
   • Proxy – Redirect traffic to the specified HTTPS proxy for the listed domains. The proxy must be HTTPS and must follow the correct format: https://example.com:port.
6. If necessary, adjust the Device Traffic Rules rank in the list. Lower-numbered rank is the highest priority.
7. Click Save.

The example shown blocks access to Facebook, Tinder, and Utorrent domains for all applications available on the Android device.

For more information on the formats (wildcards, IP, ports) allowed into the Destination field, see the Device Traffic Rules Destination formats supported chapter.

1. Click ADD RULE and repeat  Build Device Traffic Rule for any additional required rules.
2. Drag the rules to adjust your Device Traffic Rules priority.
3. When the Device Traffic Rules are configured as necessary, click Save and Publish.

The example shown defines a traffic rule that will enable access to the internal server atl-intranet-corp.airwlab.com through the Workspace ONE Web app.

1. Click Add.
2. Click Public Application.

1. Select Android for the Platform.
2. Enter an application Name. For example, Workspace ONE Tunnel.
3. Click Next.

Select the Tunnel - Workspace ONE result.

Click Approve for Tunnel - Workspace ONE app.

Select Approve for any following requests.

Click Save & Assign.

Click Add Assignment.

1. Click the Selected Assignment Groups field to display the list of created Assignment Groups. Enter All Devices, and select the All Devices (your@email.shown.here) group.
2. Select Auto for the App Delivery Method.

1. Scroll down to find the Policies section.
2. Select Enabled for Managed Access.
3. Click Add.

1. Verify that the assignment you created is displayed.
2. Click Save & Publish.

Click Publish.

Note the following for Workspace ONE Tunnel on Android:

• After installing VMware Workspace ONE Tunnel for Android, end users must run the application at least once and accept the connection request.
• The key icon in the notification center displays on the device because there is an application installed that uses the Per-App Tunnel functionality. This icon does not indicate an active connection or session with the VMware Tunnel Service. The key icon displays even if you are not actively browsing.
• Certain Android devices allow end users to disable the VPN on an OS level. This prevents the VMware Tunnel from working on the device.

1. Click Add.
2. Click Profile.

Select Android.

1. Enter the Name, for example, Per-App VPN.
2. Select the name of your device's assignment group, and select that group. For example, select All MDM Enrolled Devices (ACME Corp) as the Assigned Smart Group.

1. Click VPN from the Payload menu.
2. Click Configure to access the VPN payload settings.

1. Select Workspace ONE Tunnel from the Connection Type drop-down menu.
2. Select the Default traffic rule previously created for Device Traffic Rule Sets.
3. Click Save & Publish.

Click Publish.

1. Select on App & Books.
2. Select Native under Applications.
3. Click Add Applicaton.

Press the Home button on your device to return to the Launchpad. Swipe right to see the downloaded applications, if needed.

Tap the Workspace ONE Tunnel icon to launch the application. If prompted, select OK to allow Workspace ONE Web to send your device push notifications.

Note: On Android, the Workspace ONE Tunnel Client must be launched once to silently route traffic for future occurrences.

After the application has been opened, accept the privacy prompts and tap Continue.

Tap I understand to accept the Privacy prompt.

Tap I agree to accept the Data Sharing Prompt.

After the Tunnel Client has been opened, you can see three areas.

1. Device VPN Configuration
   • The Profile or Policy that is delivered from Workspace ONE UEM. It shows a list of apps that will use the VPN Tunnel.
2. Internet 
   • Displays whether the device has internet connectivity or not.
3. Enterprise Server
   • Displays whether the device has connectivity to the VMware Tunnel edge service.

Press the Home button on your device to return to the Launchpad. Swipe right to see the downloaded applications, if needed.

Tap the Workspace ONE Web icon to launch the application. If prompted, tap OK to allow the Web to send your device push notifications.

1. After the application launches, enter the URL for your intranet website, such as https://atl-intranet-corp.airwlab.com.
2. Confirm that the VPN icon appears, indicating the connection is active. The application now connects to Workspace ONE UEM and retrieves the settings for your Organization Group.
3. The website should load. In this example, it displays a Welcome message.
4. Select and copy the internal URL. In the next step, you test entering this URL into another browser.

1. Open another browser, such as Chrome.
2. Copy and paste the URL from the previous step.
3. Confirm that only the defined applications can access internal resources.

Note: This example used a Work Managed Device. Work Managed devices provide separation from personal and corporate data. With Per-App Tunnel, you can isolate traffic to only those applications that need it rather than all corporate resources. This example shows Chrome inside the Work Profile attempting to access internal resources.

Open the Tunnel Application and tap the Diagnostics menu option.

1. Any issues related to connectivity issues with the Tunnel server or a Proxy server are shown on the UI.
2. Tap the email option in the upper-right corner to send these logs to your administrator.

Open the Tunnel Application and tap the Diagnostics menu option.

1. Toggle the Enable debug logs switch to enable.
2. After the issue is reproduced, go to your internal storage and open the AirWatchLogs folder.
3. This folder contains a set of log files that, if required, can be shared with the Workspace ONE support teams.

1. To collect logs manually, you must enable developer options on the mobile device.
   • Navigate to Settings > About page on the device and tap the build number more than 7 times to enable developer options.
2. Enable USB debugging in the Settings > Developer Options.
3. Connect the device via USB cable to a laptop and install the device drivers.
   • Check whether the device is getting detected in the laptop by running adb devices in the command prompt. The device should be listed with a Unique id.
   • adb is a tool part of the android-sdk which you must download from http://developer.android.com.
4. After the device is detected (keep the device connected) run adb logcat –v threadtime > TunnelLogs.log. Logs will continuously dump to the file. 
5. After the issue is reproduced, logging can be stopped either by disconnecting the device or using Ctrl + c command.
6. If required, share the TunnelLogs.log with the Workspace ONE support teams.