Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (2024)


Overview

Note: This tutorial was created using Windows 10, but the basic principles and tasks outlined also apply to your deployment of Windows 11.

Tech Zone provides this operational tutorial to help you with your Workspace ONE® environment. In this tutorial, explore how to configure and deploy the Workspace ONE Tunnel app across iOS, Android, macOS, and Windows platforms to enable Per-App Tunnel on a managed device. Procedures include enabling per-app tunneling on managed devices and SDK-enabled applications, configuration of Tunnel policies, deployment of the client and profiles to devices, and general lifecycle maintenance.

Audience

This operational tutorial is intended for IT professionals, network and security administrators, and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking in a virtual environment, knowledge of the Tunnel Service on Unified Access Gateway, and Workspace ONE® UEM is assumed.

Getting Started with Workspace ONE Tunnel

Workspace ONE Tunnel enables secure access for mobile workers and devices. Users have a simple experience and need not enable or interact with Tunnel, and IT organizations may take a least-privilege approach to enterprise access, ensuring only defined apps and domains have access to the network.

Tunnel provides industry-best security: it builds on TLS 1.3 libraries, implements SSL pinning to prevent MITM attacks, and uses allowlisted client certificates to ensure identity integrity. Combined with explicit definitions of managed applications and integration with the Workspace ONE compliance engine, Tunnel can help customers attain Zero Trust goals for their workforce.

Prerequisites

Before you can perform the steps in this tutorial, you must install and configure the following components:

  • Tunnel Service configured in Unified Access Gateway
  • Workspace ONE UEM 2302 and later
  • A device for the platform you plan to use (Windows, macOS, Android, or iOS)

Ensure the following settings are enabled in the Workspace ONE UEM Console:

  • Organization Group created and set as Customer Type
  • UEM REST API enabled and setting override
  • Device Root Certificate issued
  • Tunnel configured

Confirm that Tunnel Service is Configured

The remainder of this section assumes that the Tunnel Service is properly configured and running on the Unified Access Gateway. For more details, see Configuring the Tunnel Edge Service: Workspace ONE Operational Tutorial.

  1. In the Workspace ONE UEM console, navigate to Groups & Settings > Configurations.
  2. Scroll through the list of configurations if necessary and select Tunnel.

  3. Select Test Connection and confirm that both the Console to AWCM and Tunnel to API tests report Success and the Tunnel server reports service status UP.

This status confirms that the Tunnel Service is up and running on the server-side, and properly communicating with Workspace ONE UEM.

Tunnel Mode (Per-App vs Full Device Tunnel)

Workspace ONE Tunnel provides two modes for tunneling traffic: Per-Application or Full Device. Each mode is configured as part of the Device Traffic Rules and assigned to a device based on the Profile configuration. A device cannot perform Per-App and Device Tunnel at the same time.

Per-App Tunnel

Per-App Tunnel restricts tunnel traffic only to authorized applications and destinations (domain) specified by the UEM administrator when configuring the Device Traffic Rules.

Full Device Tunnel

In a Full Device Tunnel configuration, traffic is restricted based on the authorized destinations (domains or IPs), regardless of the application. Full Device mode on Windows requires Workspace ONE Desktop Tunnel 2.1.8+ for all MDM use cases. For standalone enrollment use cases, Workspace ONE Desktop Tunnel version 3.1 is required and supports both Per-App and Full Device tunnel modes. Consolidating the MDM and standalone workflows in a unified Windows Tunnel client is on our roadmap.

Supported Platforms

The Workspace ONE Tunnel app is available for managed and unmanaged devices, providing Per-App and Full Device Tunnel across multiple platforms. Only TCP and UDP traffic is routed to the Workspace ONE Tunnel app; ICMP-based traffic used by ping utilities is not supported. The Workspace ONE Tunnel app on Windows and macOS now supports Standalone enrollment without Workspace ONE Intelligent Hub or any device management.

Tunnel Mode (Per-App and Full Device) is available based on the device platform and how it is managed as described in the following table.

Feature availability based on Management Mode and Device Platform

Columns of the original table: Management | Tunnel Mode | Win10 | macOS | iOS | Android. The per-platform support marks were icons and did not survive extraction, so only the text cells of each row are listed.

  • UEM Managed: Per-App; Full Device
  • Registered Mode (unmanaged): Per-App (N/A1, *, *); Full Device (N/A1, N/A2, N/A2)
  • App Level (MAM/Standalone): Per-App (*, *); Full Device

* Requires use of the Tunnel module (aka Tunnel SDK) available in the Workspace ONE SDK.

The Standalone method does not require Intelligent Hub; enrollment is done through the Workspace ONE Tunnel app.

N/A1 – Management mode not supported on the specific platform.

N/A2 – Not applicable for the specific Tunnel mode.

For more information, see Supported Platforms for Workspace ONE Tunnel.

For more information on Standalone requirements, see Configuring Tunnel Client for Standalone enrollment.

Per-App Tunnel Support for MAM Mode Workflow

Many organizations do not need to manage devices for their mobile fleets for various reasons, including possible privacy or legal issues. However, they might need to distribute mobile applications to access internal resources, so Workspace ONE UEM offers the flexibility of using a standalone catalog through Intelligent Hub that works independently of the MDM feature.

Applications that leverage the Workspace ONE SDK, such as Workspace ONE Web, can be configured to access internal web applications through Per-App Tunnel. The Workspace ONE Tunnel app is not required for this scenario. Internally developed mobile apps can also be integrated with the Workspace ONE SDK to enable access from unmanaged devices. The Workspace ONE SDK is available on the iOS and Android platforms.

In a MAM mode scenario, users do not have to enroll the device as UEM Managed and the Workspace ONE Tunnel app is not required, but rather they can:

  1. Use SDK-Enabled apps like Boxer or Web that will manage the registration of the device and be identified as App Level registration on UEM.
  2. Use the Intelligent Hub app in registered mode to access the Intelligent Hub catalog that is part of Workspace ONE UEM. This catalog distributes all application types: public, purchased, internal, and web. Although end-user devices are not enrolled in MDM, you can access a device record in the Workspace ONE UEM console.

In both cases, the device record is for auditing purposes and the status of these devices in the UEM console displays as App Level (#1) or Hub Registered (#2).

Configuration Requirements for MAM

To enable Tunnel for SDK-based apps, navigate to Groups and Settings > Apps > Settings and Policies > Security Policies in the Workspace ONE UEM Console.

  1. Select Enabled to enable the AirWatch App Tunnel.
  2. Select VMware Tunnel for the App Tunnel Mode.

After that, define the Device Traffic Rules for the iOS and Android SDK-enabled applications which will be covered later as part of this tutorial.

As a reminder, when using the MAM workflow and registered mode using the Workspace ONE Intelligent Hub, the SDK-enabled apps must be deployed through the Intelligent Hub catalog, and the Workspace ONE Tunnel app is not required.

The Workspace ONE Tunnel app can be deployed as a standalone app and perform enrollment without Workspace ONE Intelligent Hub or any device management. In this scenario, Workspace ONE UEM will only contain the device record.

Understanding Device Traffic Rules

This section discusses the two types of network traffic rules: server traffic rules and device traffic rules.

What are Device Traffic Rules?

Network traffic rules allow you to set granular control over how the Tunnel Service directs traffic from devices.

Workspace ONE UEM defines two types of network traffic rules in support of Workspace ONE Tunnel:

  • Server Traffic Rules
  • Device Traffic Rules

You can create device traffic rules to control how devices handle traffic on the device: Per-Application or Full Device.

Server Traffic Rules

The Server Traffic Rules enable you to manage how application traffic is routed through your network after it traverses the Tunnel Service on the Unified Access Gateway infrastructure. Specifically, if you require proxies in your network or for external access, these proxies can be defined and configured as part of the Server Traffic Rules.

Configuration of Server Traffic Rules is not covered in this tutorial. For additional information, see Configure Server Traffic Rules in the product documentation.

Device Traffic Rules

The Device Traffic Rules define how traffic from specified applications (Per Application) or devices (Full Device) is routed by the Workspace ONE Tunnel application. The device traffic rules serve as a locally enforced Access Control List, defining which apps and destinations are blocked, tunneled, proxied, or bypass the tunnel completely.

Under Manage Traffic Assignments, administrators can create multiple Device Traffic Rule sets to segment access to internal resources, for example rules for employee devices that are less restrictive than those for contractor devices.

  • Each traffic assignment (Device Traffic Rule Set) contains multiple rules.
  • A profile can only have a single traffic assignment (Device Traffic Rule Set).
  • A device can only apply a single VPN profile at any one time.

Manage Traffic Assignments requires Workspace ONE UEM 2011 or later; on earlier versions, only a single Device Traffic Rule set can be created.

For each device traffic rule, you must set a Tunnel Mode to determine if traffic will be tunneled Per-Application or Full Device, then defined rules are ranked in order of execution. Multiple device traffic rules can be created and assigned to a profile that uses smart groups to determine the device assignment of the rules.

As an example, in a device traffic rule set for Per-Application tunnel mode, every time a specified application is opened, the Tunnel client evaluates the Device Traffic Rules assigned to it before making any routing decisions. If no rule matches, the Tunnel client applies the default action. The default action behavior varies per platform:

  • On the iOS platform, the default action, set for all managed applications with a tunnel profile associated except for Safari, applies to domains not mentioned in a rule. If no rules are specified, the default action applies to all domains and all managed applications associated with the VPN Profile.
  • On the macOS platform, the default action, set for all macOS applications specified in the DTR rules, applies to domains not mentioned in a rule. At least one rule must be defined; when traffic does not match any rule, the default action applies to all domains and all macOS applications listed in the ranked rules.
  • On the Windows 10+ platform, the default action, set for all Windows applications specified in the DTR rules, applies to domains not mentioned in a rule. At least one rule must be defined; when traffic does not match any rule, the default action applies to all domains and all Windows applications listed in the ranked rules.
  • On the Android platform, the default action, set for all Android managed applications with a tunnel profile associated, applies to domains not mentioned in a rule. If no rules are specified, the default action applies to all domains and all managed applications associated with the VPN Profile.

More information about the specifics of device traffic rules per platform will be covered as part of this tutorial in the following chapters.

The device traffic rules help to separate personal and corporate traffic. Think of a scenario where the end-user can check their personal email, visit social media, and so on, without having their personal traffic inspected. We provide privacy where a traditional VPN cannot.

Per-Application Traffic Rules

When configuring the Device Traffic Rules and setting Tunnel Mode to Per Application, the administrator is required to configure the rules per application and domain. These rules will be used by the Workspace ONE Tunnel application to restrict the tunnel traffic only to authorized applications and domains.

Note the following:

  1. Tunnel Mode for the Device Traffic Rules Set.
  2. Per-Application Rules.
  3. Default Action Rule that will be performed when the client traffic doesn't match rules 1 and 2.

Full Device Traffic Rules

When the Tunnel Mode is set to Full Device, traffic is restricted based on the domains specified in the rules. Note: You cannot configure applications as part of this rule.

Full Device mode requires Workspace ONE UEM 2102+, Workspace ONE Desktop Tunnel 2.1+, and it is available only on Windows 10+.

Note the following:

  1. Tunnel Mode for the Device Traffic Rules Set.
  2. Full Device Rules.
  3. Default Action Rule that will be performed when the client traffic doesn't match rules 1 and 2.

Device Traffic Rules Wildcard Guidelines and use of asterisk (*)

When defining the Device Traffic Rules destination, the administrator can enter a list of domains to allow, block, or bypass traffic.

Wildcards are supported for hostnames, and multiple entries must be separated by a comma (,).

Supported Wildcard and use of asterisk (*)

You can use wildcard characters for your hostnames. Wildcards must follow the format:

  • *.<domain>.*
  • *<domain>.*
    • Includes primary domain and subdomains - for example, www.example.com, example.com, store.example.com
  • *.* — You cannot use this wildcard for Safari domain rules (iOS and macOS specific)
  • — You cannot use this wildcard for Safari domain rules (iOS and macOS specific)

IP and Port Ranges Format Support on Device Traffic Rules

Use of IPs and port ranges is only supported for Device Traffic Rules on Windows 10+ devices. The following list contains the supported formats for IPv4 addresses and port ranges when applying the Device Traffic Rules (DTR).

  1. Single IP
    1. 10.10.0.1 or 10.10.10.1/32
  2. IP range or subnet
    1. 10.10.10.1/24
    2. 10.10.0.0/16
  3. Single Port
    1. *.example.com:80, 10.10.10.1:80,10.10.11.1/32:80
    2. *.example.com:[443], 10.10.11.1/24:[443]
  4. Port Range
    1. *.example.com:[80-443], 10.10.10.1:[80-443],10.10.11.1/32:[80-443]
    2. 10.10.11.1/24:[80-443]
  5. List of Ports
    1. *.example.com:[80,443], 10.10.10.1:[80,443],10.10.11.1/32:[80,443]
    2. 10.10.11.1/24:[80,443]
  6. List of Ports and Ranges
    1. *.example.com:[80,443, 8080-8085], 10.10.10.1:[80,443,8080-8085],10.10.11.1/32:[80,443,8080-8085]
    2. 10.10.11.1/24:[80,443,8080-8085]
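The following Python script is an added example, not part of the Omnissa tutorial or the Tunnel client: it models how a ranked Device Traffic Rule set is evaluated for one connection (app, destination host, port), covering the Per-Application rules and default action described earlier, the hostname wildcard guidelines, and the Windows IP/port destination formats listed above. The rule set, the app identifiers (ws1web, mstsc) and the destinations are constructed, and the matching semantics (an asterisk matching any run of characters, rules tried in rank order, traffic from apps not named in any rule never reaching the client) are assumptions about the client's behaviour, not documented Omnissa logic.

```python
# Constructed DTR evaluator (not Omnissa code): ranked rules, default action,
# hostname wildcards and the Windows IP/port destination formats.
import ipaddress
import re


def split_destinations(text):
    """Split a comma-separated destination list without breaking '[80,443]' port lists."""
    entries, depth, current = [], 0, []
    for ch in text:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            entries.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    return entries + [tail] if tail else entries


def parse_ports(spec):
    """Return the set of ports in '80', '[443]', '[80-443]' or '[80,443,8080-8085]'."""
    ports = set()
    for part in spec.strip().strip("[]").split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(p) for p in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        elif part:
            ports.add(int(part))
    return ports


class DestinationPattern:
    """One destination entry: an IP/CIDR or a hostname wildcard, with optional ports."""

    def __init__(self, entry):
        m = re.match(r"^(.*?)(?::(\[[^\]]*\]|\d+))?$", entry.strip())
        host, port_spec = m.group(1), m.group(2)
        self.ports = parse_ports(port_spec) if port_spec else None  # None = any port
        self.network = self.host_regex = None
        try:
            self.network = ipaddress.ip_network(host, strict=False)  # '10.10.10.1/24' -> 10.10.10.0/24
        except ValueError:
            # Hostname wildcard: '*' matches any run of characters, so '*example.com'
            # covers example.com and its subdomains while '*.example.com' needs the dot.
            self.host_regex = re.compile("^" + re.escape(host).replace(r"\*", ".*") + "$", re.I)

    def matches(self, host, port):
        if self.ports is not None and port not in self.ports:
            return False
        if self.network is not None:
            try:
                return ipaddress.ip_address(host) in self.network
            except ValueError:
                return False  # a hostname never matches an IP/CIDR entry
        return self.host_regex.match(host) is not None


class Rule:
    def __init__(self, rank, action, destinations, apps=None):
        self.rank, self.action = rank, action  # action: TUNNEL, BLOCK, BYPASS or PROXY
        self.apps = set(apps) if apps else None  # None = Full Device rule (no app column)
        self.patterns = [DestinationPattern(d) for d in split_destinations(destinations)]


class DeviceTrafficRules:
    def __init__(self, mode, default_action, rules):
        self.mode, self.default_action = mode, default_action  # mode: PER_APP or FULL_DEVICE
        self.rules = sorted(rules, key=lambda r: r.rank)  # rank = order of evaluation
        # Assumption: in Per-App mode only apps named in some rule are routed to the client.
        self.tunneled_apps = set().union(*(r.apps or set() for r in self.rules))

    def decide(self, app, host, port):
        """Return the action for one connection, or None when Tunnel never sees it."""
        if self.mode == "PER_APP" and app not in self.tunneled_apps:
            return None
        for rule in self.rules:
            if self.mode == "PER_APP" and rule.apps is not None and app not in rule.apps:
                continue
            if any(p.matches(host, port) for p in rule.patterns):
                return rule.action
        return self.default_action  # nothing matched: the set's default action applies


# Constructed rule set reusing the destination formats from the list above.
RULES = DeviceTrafficRules(
    mode="PER_APP",
    default_action="BLOCK",
    rules=[
        Rule(1, "TUNNEL", "*example.com:[80,443], 10.10.0.0/16", apps={"ws1web", "mstsc"}),
        Rule(2, "BYPASS", "*.cdn.example.net:[443]", apps={"ws1web"}),
    ],
)

if __name__ == "__main__":
    for conn in [("ws1web", "intranet.example.com", 443), ("ws1web", "intranet.example.com", 8080),
                 ("mstsc", "10.10.42.7", 3389), ("personalmail", "intranet.example.com", 443)]:
        print(*conn, "->", RULES.decide(*conn))
```

Running the script prints the decision for each constructed connection. The port check is the part worth verifying before publishing a rule set: `*example.com:[80,443]` tunnels web traffic only, so a connection from the same app to port 8080 on the same host matches no rule and falls through to the default action (Block here), while an app not named in any rule is never routed through the client at all.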

Publishing Device Traffic Rules

When you make changes to the Device Traffic Rules, they must be sent to the device to take effect. This process requires synchronization between the device and UEM and can be applied to existing managed devices or only to newly enrolled devices. This chapter describes the difference between Save and Save and Publish for a device traffic rule set, and how the changes are sent to the device.

Save and Publish Device Traffic Rules Flow

When the administrator changes the Device Traffic Rules and clicks Save and Publish, an updated version of the VPN profile mapped to the Device Traffic Rules is created and queued for all assigned devices. That process reissues the client certificate included in the profile to the device with a new thumbprint.

The Tunnel client app might not be able to establish a connection with Tunnel Service until the new VPN profile gets installed on the device. Forcing a sync on the device can speed up the profile installation but in environments with a large number of devices, this process can take additional time.

The Save and Publish option is only available on the default Device Traffic Rules set.

Save Device Traffic Rules Flow

When the administrator changes the Device Traffic Rules set and clicks Save, the Device Traffic Rules get mapped to the profile, but the updated Device Traffic Rules are not replaced on devices where the VPN profile is already installed. Device Traffic Rules are only updated for newly enrolled devices or for devices that have the VPN profile reinstalled.

Save is the only option available for a non-default Device Traffic Rules set. This means that after you change the device traffic rule set and click Save, you must push a new version of the VPN profile to the devices where the profile was already deployed.

Identify the VPN Profile Status (Installed, Not Installed, Pending Install, and Assigned)

As mentioned previously, publishing a device traffic rule or changing the VPN Profile creates a new profile version and queues it to all assigned devices. The Tunnel client might not be able to establish a connection with the Tunnel Service until the new profile reaches the device. The administrator can monitor the deployment status of the new VPN profile with the following steps:

  1. Locate the VPN profile under Resources > Profiles & Baselines > Profiles and click the View link to identify the total number of profiles not installed, installed, and assigned. Click the Not Installed hyperlink to push the profile manually.
  2. Locate the device under Devices > List View, select the Profiles page, and point to the Profile Status. Selecting the profile allows you to send a command to remove or install the profile on the respective device.

New Device Traffic Rules Sync Process

A new process to sync Device Traffic Rules (DTR) is implemented in the Workspace ONE Tunnel app to minimize pushing the Tunnel profile to the device every time the DTR changes. As of today, this process is only available for Android and requires Workspace ONE UEM 2209+ and Workspace ONE Tunnel version 2209.

The new process requires you to enable the Workspace ONE Tunnel client to request the DTR from a Tunnel API endpoint (hosted on UEM) automatically on every launch or every 4 hours (default). The new Tunnel API endpoint is identified as http://ws1-api-server/DevicesGateway/devices/{deviceuuid}/tunnel/{tunnelconfiguuid}/configuration?device-traffic-rule-set-uuid={dtr-set-uuid} (TunnelConfigurationSyncEndpointUrl) and is invoked by the Workspace ONE Tunnel client to obtain the new DTR.

  • By default, the client syncs DTR every 4 hours.
  • This value can be changed via the client_sync_interval key in Custom Settings on the Tunnel Configuration page. The value is specified in minutes.

The Workspace ONE Tunnel client reaches the TunnelConfigurationSyncEndpointUrl on every launch, so modifying client_sync_interval is not recommended unless you have a critical use case. The following table provides the recommended sync interval based on the number of enrolled devices.

Number of devices in the environment | Sync Interval
1 – 50,000                           | 15 minutes
50,000 – 100,000                     | 30 minutes
100,000 – 200,000                    | 60 minutes
200,000 – 500,000                    | 120 minutes
500,000 – 1,000,000                  | 240 minutes

To verify if the tunnel client can sync with the endpoint, open the Diagnostics UI.

Tunnel Client Codes in the UI:

  • 200 - DTR was modified in UEM and successfully synced.
  • 304 - sync triggered but no changes in DTR.
  • 204 - sync triggered but admin has possibly deactivated FF and has not republished the profile to remove sync settings.

To ensure that the client received the settings, the Diagnostics UI displays the Sync Interval and Sync URL as well.

Trusted Network Detection

Trusted Network Detection is a mechanism in the Workspace ONE Tunnel app that determines whether to establish a connection with the Tunnel Service to tunnel access to corporate applications. If the device is connected to the corporate network and trusted network detection is configured, the Workspace ONE Tunnel app does not tunnel traffic to the corporate applications.

When setting up a Trusted Network Detection in UEM Tunnel Configuration, routing is dependent on DNS and will ignore HOSTS file entries.

Currently, Trusted Network Detection is supported on the Windows 10+ and Android platforms.

Trusted Network Detection on Windows Devices

For Windows 10+ devices, Trusted Network Detection is configured as part of the Per-App VPN payload and can be configured leveraging DNS suffix or internal URL (probe URL).

Trusted Network Detection based on DNS Suffix

When using DNS suffix, Workspace ONE Tunnel compares the DNS suffix defined on the device against the list of trusted networks configured on the Trusted Network Detection field to determine if the device is on the trusted network or not.

Administrators can add a comma-separated list of domains to the Trusted Network Detection field (see the following screenshot); these are compared against the device's DNS suffix. Workspace ONE Tunnel does not establish a tunnel connection when the device is on a trusted network.

Trusted Network Detection Based on Probe URL

When using a Probe URL (the recommended method), Workspace ONE Tunnel makes HTTP calls against the list of private URLs defined in the custom configuration probe URLs to determine whether the device is on the trusted network.

Administrators can add a comma-separated list of probe URLs to the Custom Configuration XML field (see the following screenshot) using the TrustedNetworkProbeUrl XML tag. Workspace ONE Tunnel does not establish a tunnel connection when the device is on a trusted network.

Trusted Network Detection on Android

For Android devices, Trusted Network Detection is configured on the Workspace ONE Tunnel app through App Config, using the TrustedNetworkProbeUrl key. The value is a comma-separated list of URLs, each of which can optionally carry an http/https scheme and a port.

Format examples:

  • <internal-site>
  • <internal-site>:<port>
  • http://<internal-site>
  • http://<internal-site>:80
  • https://<internal-site>
  • https://<internal-site>:443

Workspace ONE Tunnel app for Android determines if the device is on the internal network based on the device's ability to reach the private URLs defined as part of the TrustedNetworkProbeUrl.
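As an added example (not Omnissa code), the Python below models the two Trusted Network Detection inputs described in this section: the DNS-suffix comparison used on Windows and the probe-URL reachability check used on Windows and Android, including a parser for the TrustedNetworkProbeUrl formats listed above. The reachability check is passed in as a function so the script runs offline. The default scheme for entries without one (http), the default ports, and treating any single reachable probe as "on the trusted network" are assumptions, as are the constructed host names.

```python
# Constructed Trusted Network Detection (TND) helper modelled on the tutorial's
# description; not Omnissa code, and the real client's checks may differ in detail.
from urllib.parse import urlsplit


def parse_probe_entry(entry):
    """Normalise one TrustedNetworkProbeUrl entry to (scheme, host, port).

    Accepts the documented forms: '<site>', '<site>:<port>', 'http://<site>',
    'http://<site>:80', 'https://<site>', 'https://<site>:443'.
    Assumption (not stated on the page): entries without a scheme default to http.
    """
    entry = entry.strip()
    if "://" not in entry:
        entry = "http://" + entry
    parts = urlsplit(entry)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported probe entry: {entry!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname, port


def parse_probe_list(value):
    """Parse the comma-separated TrustedNetworkProbeUrl value."""
    return [parse_probe_entry(e) for e in value.split(",") if e.strip()]


def on_trusted_network_by_dns(device_suffixes, trusted_field):
    """Windows DNS-suffix TND: a DNS suffix on the device equals a configured trusted one."""
    trusted = {s.strip().lower().lstrip(".") for s in trusted_field.split(",") if s.strip()}
    return any(s.strip().lower().lstrip(".") in trusted for s in device_suffixes)


def on_trusted_network_by_probe(probe_field, reachable):
    """Probe-URL TND. `reachable(scheme, host, port) -> bool` stands in for the HTTP call.
    Assumption: reaching any one private probe endpoint counts as on-network."""
    return any(reachable(*probe) for probe in parse_probe_list(probe_field))


def tunnel_should_connect(tnd_configured, on_trusted_network):
    """The client stays disconnected only when TND is configured and the device is on-network."""
    return not (tnd_configured and on_trusted_network)


# Constructed reachability table: which probes answer from the corporate LAN.
_REACHABLE_ON_CORP_LAN = {("https", "tnd.corp.example", 443)}


def corp_lan_probe(scheme, host, port):
    return (scheme, host, port) in _REACHABLE_ON_CORP_LAN


def offsite_probe(scheme, host, port):
    return False  # private probe hosts do not resolve or answer off-network


if __name__ == "__main__":
    probes = "tnd.corp.example:8080, https://tnd.corp.example"
    for name, probe in (("corporate LAN", corp_lan_probe), ("off-site", offsite_probe)):
        trusted = on_trusted_network_by_probe(probes, probe)
        print(name, "-> trusted:", trusted, "| tunnel connects:", tunnel_should_connect(True, trusted))
```

Because a reachable probe switches the tunnel off, the probe endpoints must be ones that only answer from the private network, as the tutorial's wording ("private URLs") implies; an endpoint that is also reachable from the Internet would make the device believe it is on the trusted network while it is not.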

Next Steps

The procedures in this tutorial consist of the following:

  • Device Traffic Rule configuration
  • Deployment of Per-App VPN Profile
  • Deployment of Workspace ONE Tunnel Client
  • Testing configurations on the chosen device

The procedures are almost the same for each platform. To ensure you understand any existing particularity and stay focused on the platform of your choice, the following steps in this tutorial are organized per platform.

  • Deploying Workspace ONE Tunnel for iOS
  • Deploying Workspace ONE Tunnel for macOS
  • Deploying Workspace ONE Tunnel for Windows Desktop
  • Deploying Workspace ONE Tunnel for Android

Deploying Workspace ONE Tunnel for iOS

Per-App Tunneling helps users access critical information through the applications on their devices. Mobile flows help users perform business-critical tasks from a single app, streamlining the user experience.

Leveraging Per-App Tunnel allows you to control which applications are on a device and what internal resources the applications have access to by automatically activating or deactivating Per-App VPN access, based on which applications are active. By enabling remote access, you no longer need to provide a device-wide VPN on your devices, which can allow unintended or unauthorized apps or processes to access your VPN. In this tutorial, you configure and deploy Workspace ONE Tunnel to enable the Per-App Tunnel component on managed devices.

These exercises involve the following components:

  • Workspace ONE Tunnel – The app used on the device to securely connect to the Unified Access Gateway to provide Per-App Tunnel functionality, also referred to as the Tunnel Client.
  • Unified Access Gateway – The virtual appliance where the Tunnel edge service is installed, and to which the tunnel client connects.
  • Per-App Tunnel – Component of the Tunnel edge service for connecting to a secure tunnel channel on a per-application basis, controlled and configured by the VPN profile payload and the Device Traffic Rules.
  • Per-App VPN Profile and Device Traffic Rules – The Workspace ONE UEM configuration pushed to the device that contains the Per-App Tunnel configuration. Every time a specified application is opened, the Workspace ONE Tunnel client evaluates the Device Traffic Rules assigned to it before making any routing decisions and establishes a Per-App tunnel connection with the Unified Access Gateway based on the Per-App VPN Profile configuration.

High-Level Architecture

The device contains the applications required by the end user to perform their daily job. Some applications require access to internal resources to function. Those applications, based on the Per-App VPN configuration, use Workspace ONE Tunnel, which communicates with the Tunnel Service on the Unified Access Gateway hosted in the DMZ to validate that the requesting device is compliant before authorizing access to the internal resource.

Prerequisites

Before you can configure the Per-App Tunnel component for iOS, you must have the following components installed and configured:

  • Workspace ONE UEM version 2011 and later
  • iOS 10.3+ device enrolled in Workspace ONE UEM
  • VPN Tunnel must be configured before you can add it as an application
  • Workspace ONE Tunnel application for iOS
    • Deploy Workspace ONE Tunnel using volume-purchased licenses from Apple Business Manager or Apple School Manager.
    • Workspace ONE Administrators must upload the Location token from Apple Business Manager to sync licenses to Workspace ONE UEM for managed distribution.

Configuring Device Traffic Rules for iOS

First, because Apple's Mail, Calendar, and Contacts applications may contain both corporate and personal data, administrators must take an extra step to define corporate-owned domains which should be marked for Per-App Tunnel.

Device traffic rulesprovide a centralized location to configure which domain traffic uses per-app tunneling. When a Workspace ONE administrator configures devices for Safari on iOS, Workspace ONE automatically merges these parameters into the VPN payload sent to iOS devices. These parameters allow the Tunnel edge service to apply the appropriate device traffic rules for those specific domains.

Second, Safari is another app that may be used for personal purposes on a corporate device. As such, Safari cannot be configured to tunnel all traffic. Device traffic rules for Safari must specify the domain and top-level domain component (for example, mycompany.com), although an asterisk (*) may be used to wildcard subdomains (for example, *.mycompany.com).

Note: Domain values used in this section are examples only. Your values will differ.

In the Workspace ONE UEM console:

  1. Navigate to Groups & Settings > Configurations.
  2. Select Tunnel.

  3. From the Device Traffic Rules tile, click Edit.
  4. Click Add or the Default assignment to manage the device traffic rules.
    Administrators can create multiple Device Traffic Rules that are assigned to the Per-App VPN profile and deployed to devices based on the smart group assigned to the profile. The first device traffic rule assignment created is set as the default.

  5. Observe the default device traffic rule.
    1. Update the Assignment Name with the name of your choice.
    2. Observe (or modify) the default action that applies to all iOS applications selected to use Per-App VPN except Safari:
      1. Tunnel – All apps, except Safari, on the device configured for Per-App Tunnel send network traffic through the tunnel. For example, set the Default Action to Tunnel to ensure all configured apps without a defined traffic rule use the Workspace ONE Tunnel for internal communications.
      2. Block – Blocks all apps, except Safari, on the device configured for Per-App Tunnel from sending network traffic. For example, set the Default Action to Block to ensure that all configured apps without a defined traffic rule cannot send any network traffic regardless of destination.
      3. Bypass – All apps, except Safari, on the device configured for Per-App Tunnel, bypass the tunnel and connect to the Internet directly. For example, set the Default Action to Bypass to ensure all configured apps without a defined traffic rule bypass the Workspace ONE Tunnel to access their destination directly.
      4. Proxy – Redirect traffic to the specified HTTPS proxy for the listed domains. The proxy must be HTTPS and must follow the correct format: https://example.com:port.
    3. Click ADD RULE.
  6. Build the device traffic rule.
    1. Click the drop-down for the Applications list. Alternatively, select All Applications to apply the rule to all iOS applications listed in the drop-down, which are the ones that you assigned the Per-App VPN profile.
    2. Select one or more iOS apps for which this rule applies.
    3. Enter one or more destinations to control via Workspace ONE Tunnel.
    4. Select the Action to apply for the selected apps when they attempt to access the specified destinations.

For more information on the formats (wildcards, IP, ports) allowed in the Destination field, see the Device Traffic Rules Destination formats supported chapter.

Tip: iOS apps are automatically added to the Applications selection list after you enable an application for Per-App Tunnel when creating assignments in Resources.

Note: Wildcards must follow one of these formats:

  • *.<domain>.*
  • *<domain>.*
  • *.* — You cannot use this wildcard for Safari rules.
  • * — You cannot use this wildcard for Safari rules.
  7. Add additional rules and publish.

    1. Click Add Rule and repeat step 6 for any additional required rules.
    2. Drag the rules to adjust your Device Traffic Rules priority.
    3. After the Device Traffic Rules are configured as necessary, click Save and Publish.

Distributing Workspace ONE Tunnel for iOS

Workspace ONE Tunnel is an iOS application available for free on the App Store. It is also available for managed distribution volume licensing through Apple Business Manager and Apple School Manager. In both cases, the Workspace ONE Tunnel app can be deployed over-the-air through Workspace ONE UEM as a:

Public App - this method pushes the application to the device from the App Store and is recommended when your organization doesn't use the Apple VPP program.

Purchased App - the Workspace ONE Tunnel app is free; however, it is also available for managed distribution volume licensing through Apple Business Manager and Apple School Manager. Use device-based licensing to distribute Workspace ONE Tunnel to corporate-managed iOS devices. If your organization has access to Apple Business Manager and you want to manage the license distribution, use this method.

This section demonstrates how to obtain Workspace ONE Tunnel and assign it to devices as a Public or Purchased App.

Note: The VPN tunnel profile should already be configured as part of the Prerequisites.

Distribute Workspace ONE Tunnel as Public App (Apple Store)

  1. Add Workspace ONE Tunnel as a public app.

    1. In the Workspace ONE UEM console, navigate to Resources > Native > Public > Add Application.
  2. Search for Workspace ONE Tunnel on the Apple store.

    1. Select Apple iOS as Platform.
    2. Select Search App Store for Source.
    3. Enter Workspace ONE Tunnel.
    4. Click Next.
  3. From the search result, click select for Tunnel – Workspace ONE.

  4. Save and add the assignment.

    1. Select Business (System) for the Categories; this is not required, but it shows the Tunnel app under that category in the Intelligent Hub Catalog.
    2. Click Save & Assign.
  5. Define the Assignment.

    1. Enter All Devices for Name.
    2. Select All Devices for Assignment Groups, or a specific group of devices that you want to target for the tunnel deployment.
    3. Select Auto for App Delivery Method.
    4. Click Restrictions.
    5. Turn ON Make App MDM Managed if User Installed.
    6. Click Create.
  6. Click Save, and then click Publish.

Distribute Workspace ONE Tunnel as Purchased App (Apple Business Manager)

  1. Get Workspace ONE Tunnel licenses.

    1. In Apple Business Manager (or Apple School Manager), click Apps and Books.
    2. Search for workspace tunnel in the search text box.
    3. Select Tunnel - Workspace ONE for iOS.
    4. Select the location for which you have uploaded the sToken into Workspace ONE UEM.
    5. Enter the quantity of licenses you want to purchase.
    6. Click Get. The button changes to Purchasing and, when the purchase is complete, changes back to Get.
  2. Sync assets in Workspace ONE UEM.

    1. In the Workspace ONE UEM console, click Resources.
    2. Expand Apps and click Native.
    3. Select Purchased.
    4. Click Sync Assets.
    5. Click OK on the dialog box.
    6. Wait a few moments and click Refresh to update the app list.
    7. Click the Workspace ONE Tunnel app for iOS in the app list.
  3. Enable device assignment.
    1. Click Enable Device Assignment.
    2. Click OK to confirm device-based licensing.
    3. Click Save & Assign.
  4. Click Add Assignment.
  5. Edit Assignment.

    1. Click Add Assignment.
    2. Select an Assignment Group (or create a new smart group containing the targeted devices).
    3. Enter the number of licenses to allocate. Allocate up to the total number of unallocated licenses.
    4. Select Auto.
    5. Click Save.
  6. Save Assignment.
    1. If more assignments are necessary, click Add Assignment and repeat the steps in Edit Assignment.
    2. Click Save and Publish, then click Publish when all assignments have been added.

Creating Per-App VPN Profile for iOS

For iOS 7+ devices and Android Enterprise devices, you can force selected applications to connect through your corporate VPN. Your VPN provider must support this feature, and you must publish the applications as managed applications.

In this exercise, you configure the iOS profile which configures the tunnel client on the device to allow only designated applications to access content on internal servers.

  1. To add a new profile, click Add and then click Profile.
  2. Select Apple iOS.
  3. Select Device Profile.
  4. Configure General profile settings.

    1. Enter the name, such as Per-App VPN in this example screenshot.
    2. Select the smart group containing your devices. For example, select All Devices ([email protected]) as the assigned Smart Group.
    3. Click VPN, then click Configure.
  5. Configure the VPN payload.

    1. Select Workspace ONE Tunnel from the Connection Type drop-down menu.
    2. Select Default as the Device Traffic Rules that will be assigned to this profile.
    3. Ensure that Enable VMware Tunnel is selected.
    4. Add any Mail, Contacts, and Calendar Domains. Do not configure Safari Domains - these are configured in the Tunnel Configuration later in this guide.
    5. Click Save & Publish, then click Publish.

Note: Safari Domains should be configured in the Device Traffic Rules for Workspace ONE Tunnel.

Configuring Workspace ONE Web for Per-App Tunnel

Workspace ONE Web is part of the secure productivity app suite from Workspace ONE UEM. Administrators can deploy Workspace ONE Web when data loss and copy/paste restrictions are critical to the business use case. In this exercise, you distribute and configure Workspace ONE Web for Per-App Tunnel on iOS.

This section demonstrates how to obtain Workspace ONE Web and assign it to devices as a Purchased App using the integration of Workspace ONE UEM and Apple Business Manager.

Workspace ONE Web is available for free on the App Store. To deploy as a Public App managed by Workspace ONE UEM, follow the same steps described in the previous chapter to deploy Workspace ONE Tunnel.

  1. Get Workspace ONE Web licenses. In Apple Business Manager (or Apple School Manager):

    1. Click Apps and Books.
    2. Search for Workspace ONE Web in the search text box.
    3. Select Web - Workspace ONE for iOS.
    4. Choose the location for which you have uploaded the sToken into Workspace ONE UEM.
    5. Enter the quantity of licenses you want to purchase.
    6. Click Get. The button changes to Purchasing and, when the purchase is complete, it changes back to Get.
  2. Sync assets in Workspace ONE UEM.

    1. In the Workspace ONE UEM console, click Resources.
    2. Expand Applications and click Native.
    3. Click Purchased.
    4. Click Sync Assets.
    5. Click OK on the dialog box.
    6. Wait a few moments and click Refresh to update the app list.
    7. Click the Web - Workspace ONE app for iOS in the app list.
  3. Enable device assignment.

    1. Click Enable Device Assignment.
    2. Click OK to confirm device-based licensing.
    3. Click Save & Assign.
  4. Click Add Assignment.
  5. Edit assignment.

    1. Click Add Assignment.
    2. Select an Assignment Group (or create a new smart group containing the targeted devices).
    3. Enter the number of licenses to allocate. Allocate up to the total number of unallocated licenses.
    4. Select Auto for Assignment Type.
    5. Select Enabled for Remove on Unenroll.
    6. Select Enabled for Prevent Application Backup.
    7. Select Enabled for Make App MDM Managed if User Installed.
    8. Select Enabled, and then select the Per-App VPN profile created in Creating Per-App VPN Profile for iOS.
    9. Click Save.
  6. Save assignment.
    1. If more assignments are necessary, click Add Assignment and repeat the steps in Edit Assignment.
    2. Click Save and Publish, then click Publish when all assignments have been added.

Testing Safari Domains with Per-App Tunnel

Now that the VPN profile includes a domain in the Safari Domains list, you can confirm that these settings have been updated on the device and test the settings in the native Safari application.

  1. Tap Settings.
  2. Open VPN settings.

    1. Tap General and scroll down to the VPN section.
    2. Tap VPN.
  3. Tap VPN Configuration from your Per-App VPN profile.
  4. Verify included Per-App VPN apps.

    1. All managed applications from the Workspace ONE UEM Console that are enabled to use Per-App VPN and have an associated Device Traffic Rule appear in this list. Note that Safari is displayed to show that domains are configured for tunneling in Safari.
  5. Next, tap the Safari icon. The VPN icon should not be displayed in the toolbar.
  6. Browse to the internal URL.

    1. Enter the URL for a website that is accessible only through VPN.
    2. Confirm that the VPN indicator is displayed when iOS launches the VPN and connects.
    3. Confirm that the internal page loads.

Testing Per-App Tunnel on iOS

Now that the enrolled device has received the settings configured in the Workspace ONE UEM Console, you are ready to begin testing the Per-App Tunnel functionality. The applications assigned in the previous exercises should be pushed down during enrollment. The Tunnel and Workspace ONE Web applications should be installed on your device.

In this exercise, launch Workspace ONE Web and access the internal website. Then verify that, although the VPN connection is active, other applications on the device cannot access the tunnel or internal resources.

  1. Launch Workspace ONE Web.
    1. Press the Home button on your device to return to the Launchpad. Swipe right to see the downloaded applications, if needed.
    2. Tap the Workspace ONE Web icon to launch the application. If prompted, select OK to allow the Web to send your device push notifications.
  2. Create and confirm password.
    1. If prompted, create a passcode for Workspace ONE Web.
    2. Click Next.
    3. Confirm the passcode by entering it again.
    4. Click Confirm.
  3. Tap I understand to accept the Privacy prompt.
  4. Tap I agree to accept the Data sharing prompt.
  5. Access the internal website with Workspace ONE Web.

    1. When the application launches, enter the URL for your intranet website.
    2. Confirm that the VPN icon appears, indicating the connection is active. The application now connects to Workspace ONE UEM and retrieves the settings for your Organization Group.
    3. Confirm that the website loads.

Note: Depending on the Workspace ONE Web and SDK settings configured at your particular organization group level, the address bar may not be editable. This configuration is called Kiosk Mode. To work around this, two options can be configured at Groups & Settings > Configurations > Workspace ONE Web:

  • Click the Bookmarks tab, click Override (if necessary), click Add Bookmark, enter a name and URL for the testing URL, and click Save.
  • Scroll the settings to Kiosk Mode and click Disabled. Click Save.

These changes affect the Default settings for Workspace ONE Web in this Organization Group and all inherited organization groups unless otherwise configured.

Troubleshooting the Workspace ONE Tunnel on iOS

This section contains some basic steps for troubleshooting Per-App Tunnel on iOS.

  1. On an enrolled iOS device, tap Tunnel.

  2. Tap Continue.
  3. Tap I understand to accept the Privacy prompt.
  4. Tap I agree to accept the Data sharing prompt.
  5. Validate device connectivity.

    1. Ensure the device and Internet connectivity are OK (showing a green check mark symbol).
    2. Tap the logging icon.
  6. Activate the Enable debug toggle.

Tip: With Enable Debug turned on, Workspace ONE administrators can view logging information for the iOS device as follows:

  1. Plug the iOS device into a device running macOS.
  2. Ensure the iOS device trusts the connection to macOS.
  3. Connect to the Console, by either:
    1. Open Apple Configurator 2 and double-click the test iOS device. Click Console to view the output from the device.
    2. Open Console.app and select the iOS device from the left side.
  4. Search for tunnel or iOSAppProxyProvider.

Deploying Workspace ONE Tunnel for macOS

Per-App Tunneling helps users access critical information through the applications on their devices. Mobile flows help users perform business-critical tasks from a single app, streamlining the user experience.

Leveraging Per-App Tunnel allows you to control which applications are on a device and what internal resources the applications have access to by automatically activating or deactivating Per-App VPN access, based on which applications are active. By enabling remote access, you no longer need to provide a device-wide VPN on your devices, which can allow unintended or unauthorized apps or processes to access your VPN. In this tutorial, you configure and deploy Workspace ONE Tunnel to enable the Per-App Tunnel component on managed devices.

These exercises involve the following components:

  • Workspace ONE Tunnel – The app used on the device to securely connect to the Unified Access Gateway to provide Per-App Tunnel functionality, also referred to as Tunnel Client.
  • Unified Access Gateway – The virtual appliance where the Tunnel edge service is installed, and to which the tunnel client connects.
  • Per-App Tunnel – Component of the Tunnel edge service for connecting to a secure tunnel channel on a per-application basis, which is controlled and configured by the VPN profile payload and Device Traffic Rules.
  • Per-App VPN Profile and Device Traffic Rules – The Workspace ONE UEM configuration pushed to the device that contains the Per-App Tunnel configurations. Every time a specified application is opened, the Workspace ONE Tunnel client evaluates the Device Traffic Rules assigned to it before making any routing decisions and establishes a Per-App tunnel connection with the Unified Access Gateway based on the Per-App VPN Profile configuration.

High-Level Architecture

The device contains the applications required by the end-user to perform their daily job. Some applications require access to internal resources to function. Those applications, based on Per-App VPN configuration, use Workspace ONE Tunnel which communicates with the Tunnel Service on Unified Access Gateway hosted on the DMZ, to validate if the device requesting access is in compliance or not before authorizing access through the internal resource.

Prerequisites

Before you can perform the steps in this exercise, you must have the following components installed and configured:

  • Workspace ONE UEM version 2302 and later
  • macOS Mojave and later enrolled in Workspace ONE UEM
  • The latest version of macOS Tunnel from the Apple macOS App Store
    • Deploy Workspace ONE Tunnel using volume-purchased licenses from Apple Business Manager or Apple School Manager.
    • Workspace ONE Administrators must upload the Location token from Apple Business Manager to sync licenses to Workspace ONE UEM for managed distribution.

Configuring Device Traffic Rules for macOS

First, because the Apple Mail, Calendar, and Contacts applications might contain both corporate and personal data, administrators must take an extra step to define corporate-owned domains, which should be marked for Per-App VPN. The Mail, Calendar, and Contacts apps do not automatically adhere to device traffic rules. Administrators must specify which domains are corporate-owned by enabling the Mail, Contacts, and Calendar domain parameters in the VPN profile payload. Enabling these parameters in the VPN payload allows the Tunnel Edge service to apply the appropriate device traffic rules for those specific domains.

Second, Safari is another app that might be used for personal use on a corporate device. As such, Safari cannot be configured to tunnel all traffic. Device traffic rules for Safari must specify the domain and top-level domain component (for example, mycompany.com), although an asterisk (*) may be used to wildcard subdomains (for example, *.mycompany.com).

Note: Domain values used in this section are examples only. Your values will differ.

  1. Access configurations.
    1. In the Workspace ONE UEM console, click Groups & Settings.
    2. Click Configurations.
  2. Scroll through the list of configurations and select Tunnel.

  3. Edit Device Traffic Rule sets.
    1. From within the Device Traffic Rules information block on the Tunnel Configuration page, click Edit.
  4. Add or modify device traffic rule set.

    Introduced in Workspace ONE UEM 2011, Device Traffic Rule Sets expand the functionality of device traffic rules, allowing for granular assignment of rule sets to different groups of users and devices. Device Traffic Rule Sets are assigned when creating the per-app VPN profile in a later step.

    To get started with Device Traffic Rule Sets, perform the following in the Manage Traffic Assignments screen:

    1. If no other Device Traffic Rule Sets exist (or a new rule set is required), click Add to create a new Device Traffic Rule Set.
    2. If modifications to an existing rule set are required, click the Device Traffic Rule Set name.
  5. Enter a name for the Device Traffic Rule Set (or if necessary, modify the name of an existing rule set).
  6. Click Manage Applications.

  7. Click Add to add a new application for device traffic rules.
  8. Define the application.

    1. Select macOS for Platform.
    2. Enter the friendly name of the application, for example, Firefox Browser. The friendly name is displayed in the Device Traffic Rule.
    3. Enter the application's package id, which is the Identifier value displayed by running the command:
      codesign -dv --entitlements - /path/to.app
    4. Enter the application's designated requirement, which is displayed to the right of the => sign in the output of the following command:
      codesign -d -r- /path/to.app
    5. For macOS 10.15 (Catalina) and later, enter a path if creating a device traffic rule for a binary or command-line utility bundled within an application. For example, the executable vmware-remotemks must be allowlisted with path details along with the Horizon Client application.
    6. Click Save.

Using Firefox as an example, a Workspace ONE administrator would see the commands and values as follows:

    techzone@testmac ~ % codesign -dv --entitlements - /Applications/Firefox.app
    Executable=/Applications/Firefox.app/Contents/MacOS/firefox
    Identifier=org.mozilla.firefox
    Format=app bundle with Mach-O thin (x86_64)
    CodeDirectory v=20500 size=415 flags=0x10000(runtime) hashes=4+5 location=embedded
    Signature size=9018
    Timestamp=Oct 1, 2019 at 9:08:41 PM
    Info.plist entries=26
    TeamIdentifier=43AQ936H96
    Runtime Version=10.11.0
    <<< trimmed for length >>>
    techzone@testmac ~ % codesign -d -r- /Applications/Firefox.app
    Executable=/Applications/Firefox.app/Contents/MacOS/firefox
    designated => anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "43AQ936H96"

As highlighted in the terminal output, the necessary information is as follows:

Package ID: org.mozilla.firefox

Designated Requirement: anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "43AQ936H96"
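
The same extraction done programmatically, as an added example that is not part of the tutorial or the product: the parser takes the two codesign outputs, pulls out the Identifier and the designated requirement, and checks that the subject.OU pinned in the requirement is the same binary's TeamIdentifier, which catches a requirement pasted from a different app or version (a rule built from mismatched values never matches the running binary). The embedded sample strings are the Firefox output shown above; codesign_info() runs the commands on a macOS host and assumes codesign's usual stream behaviour (details on stderr, requirement on stdout).

```python
"""Extract the package id (Identifier=) and designated requirement (text after
"designated =>") that a macOS Device Traffic Rule app definition needs.

Added example, not Omnissa code. SAMPLE_DV / SAMPLE_DR are the tutorial's own
Firefox codesign output, embedded so the parser can be exercised offline.
"""
import re
import subprocess
from typing import Dict, Optional

# Output of: codesign -dv --entitlements - /Applications/Firefox.app (from the tutorial)
SAMPLE_DV = """\
Executable=/Applications/Firefox.app/Contents/MacOS/firefox
Identifier=org.mozilla.firefox
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=415 flags=0x10000(runtime) hashes=4+5 location=embedded
Signature size=9018
Timestamp=Oct 1, 2019 at 9:08:41 PM
Info.plist entries=26
TeamIdentifier=43AQ936H96
Runtime Version=10.11.0
"""

# Output of: codesign -d -r- /Applications/Firefox.app (from the tutorial)
SAMPLE_DR = """\
Executable=/Applications/Firefox.app/Contents/MacOS/firefox
designated => anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "43AQ936H96"
"""

DR_PREFIX = "designated =>"


def parse_codesign(dv_output: str, dr_output: str) -> Dict[str, str]:
    """Return package_id, team_id and designated_requirement from the two codesign outputs."""
    info: Dict[str, str] = {}
    for line in dv_output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "Identifier":
            info["package_id"] = value.strip()
        elif sep and key.strip() == "TeamIdentifier":
            info["team_id"] = value.strip()
    for line in dr_output.splitlines():
        if line.startswith(DR_PREFIX):
            info["designated_requirement"] = line[len(DR_PREFIX):].strip()
    for needed in ("package_id", "designated_requirement"):
        if needed not in info:
            raise ValueError(f"codesign output did not contain {needed}; is the app signed?")
    return info


def team_matches(info: Dict[str, str]) -> Optional[bool]:
    """Sanity check: the subject.OU pinned in the designated requirement should equal the
    TeamIdentifier of the same binary. Returns None when the requirement pins no OU
    (for example Apple's own apps), True/False otherwise."""
    m = re.search(r'subject\.OU\]\s*=\s*"([^"]+)"', info["designated_requirement"])
    if not m:
        return None
    return m.group(1) == info.get("team_id")


def codesign_info(app_path: str) -> Dict[str, str]:
    """Run codesign on a macOS host and parse the result (needs macOS and a signed app).

    codesign writes the -dv details to stderr and the -r- requirement to stdout, so
    both streams of each call are captured; piping only stdout into grep would
    silently drop the Identifier line.
    """
    dv = subprocess.run(["codesign", "-dv", "--entitlements", "-", app_path],
                        capture_output=True, text=True, check=True)
    dr = subprocess.run(["codesign", "-d", "-r-", app_path],
                        capture_output=True, text=True, check=True)
    return parse_codesign(dv.stderr + dv.stdout, dr.stdout + dr.stderr)


if __name__ == "__main__":
    import sys
    values = codesign_info(sys.argv[1]) if len(sys.argv) > 1 else parse_codesign(SAMPLE_DV, SAMPLE_DR)
    print("Package ID:            ", values["package_id"])
    print("Designated Requirement:", values["designated_requirement"])
    print("TeamIdentifier matches subject.OU:", team_matches(values))
```

Run it with an app path on a Mac to print the two values to paste into the console, or with no argument to parse the embedded Firefox sample.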

Caution: Some apps spawn helper applications to assist with background tasks. One particular example of this is Google Chrome, which performs network functions outside the Google Chrome.app process in a Google Chrome Helper process. In this case, the helper application must be added to the Device Traffic Rule; otherwise, specific settings must be changed client-side.

In the case of Google Chrome, perform the following:

  • In the URL field, type chrome://flags
  • Search for network in the Search Flags text box.
  • Set Runs network service in-process to Enabled and relaunch Google Chrome before proceeding with testing.
  9. Add a new application for device traffic rules.

    1. If more applications are needed for the rule set, click Add and repeat starting at Define the application.
    2. If all the required applications have been defined, click the [X] to close the Manage Applications window.
  10. Add device traffic rule.

    1. Observe (and optionally modify) the default action, which applies to all macOS applications except Safari:
      1. Tunnel – All apps, except Safari, on the device configured for Per-App Tunnel send network traffic through the tunnel. For example, set the Default Action to Tunnel to ensure all configured apps without a defined traffic rule use the Workspace ONE Tunnel for internal communications.
      2. Block – Blocks all apps, except Safari, on the device configured for Per-App Tunnel from sending network traffic. For example, set the Default Action to Block to ensure that all configured apps without a defined traffic rule cannot send any network traffic regardless of destination.
      3. Bypass – All apps, except Safari, on the device configured for Per-App Tunnel, bypass the tunnel and connect to the Internet directly. For example, set the Default Action to Bypass to ensure all configured apps without a defined traffic rule bypass the Workspace ONE Tunnel to access their destination directly.
      4. Proxy – Redirect traffic to the specified HTTPS proxy for the listed domains. The proxy must be HTTPS and must follow the correct format: https://example.com:port
    2. Click Add Rule.
  11. Build device traffic rule.

    1. In the newly created device traffic rule, click the down arrow to display the Application list.
    2. Select one or more triggering applications to control with this rule. If you select All Applications, the rule is applied only to Safari and the macOS applications selected in additional rules defined as part of the Device Traffic Rules.
    3. Enter one or more comma-separated fully qualified domain names as destinations to which Workspace ONE Tunnel should apply the Device Traffic Rule. A single asterisk (*) can be used as a wildcard for subdomains.
    4. Select the appropriate Action for Workspace ONE Tunnel to perform on traffic from the selected apps:
      1. Tunnel – Sends app network traffic for specified domains through the tunnel to your internal network.
      2. Block – Blocks all traffic sent to specified domains.
      3. Bypass – Bypasses the Workspace ONE Tunnel so the application accesses specified domains directly.
      4. Proxy – Redirect traffic to the specified HTTPS proxy for the listed domains. The proxy must be HTTPS and must follow the correct format: https://example.com:port.
    5. If necessary, adjust the Device Traffic Rules rank in the list. A lower-numbered rank has higher priority.
    6. If necessary, click Add Rule and repeat the steps in Build device traffic rule until you have added all the necessary Device Traffic Rules for your organization.
    7. Click Save and Publish to send the updated Device Traffic Rules (DTRs) to all devices to which the rule set is assigned.

For more information on the formats (wildcards, IP, ports) allowed in the Destination field, see the Device Traffic Rules Guidelines and use of asterisk chapter.
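
The rule evaluation described in the iOS and macOS Device Traffic Rules sections, modelled as an added Python example (not Omnissa code): rules are matched in rank order, the default action covers every configured app except Safari, Proxy rules must name an https:// proxy, and the wildcards the console rejects for Safari rules are refused. Shell-glob matching of destination patterns, treating All Applications as the profile's assigned apps rather than Safari, and Safari's fall-through to direct access when no rule matches are modelling assumptions; the app names and hostnames are constructed around the tutorial's mycompany.com placeholder.

```python
"""Model of how Workspace ONE Tunnel device traffic rules are evaluated.

Added example (not Omnissa code). Glob-style destination matching, ALL_APPS
excluding Safari, and Safari falling through to direct access are assumptions
made for this model, not documented product behaviour.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Sequence

ALL_APPS = "All Applications"    # console choice: every app assigned the Per-App VPN profile
SAFARI = "Safari"                # never subject to the default action
VALID_ACTIONS = ("Tunnel", "Block", "Bypass", "Proxy")
SAFARI_FORBIDDEN = ("*", "*.*")  # wildcards the tutorial says cannot be used in Safari rules


@dataclass
class Rule:
    apps: Sequence[str]          # app friendly names, or (ALL_APPS,)
    destinations: Sequence[str]  # host patterns; '*' matches like a shell glob (assumption)
    action: str
    proxy: Optional[str] = None  # Proxy action only: must be https://host:port

    def __post_init__(self) -> None:
        if self.action not in VALID_ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        if self.action == "Proxy" and not (self.proxy or "").startswith("https://"):
            raise ValueError("Proxy rules need an https://host:port proxy")
        if SAFARI in self.apps:
            bad = [d for d in self.destinations if d in SAFARI_FORBIDDEN]
            if bad:
                raise ValueError(f"wildcard(s) {bad} are not allowed in Safari rules")

    def covers(self, app: str) -> bool:
        # ALL_APPS means the apps assigned the Per-App VPN profile; Safari is not
        # one of those, so it only matches a rule that names it (assumption).
        if ALL_APPS in self.apps:
            return app != SAFARI
        return app in self.apps

    def matches(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        return any(fnmatchcase(host, d.lower()) for d in self.destinations)


@dataclass
class Decision:
    action: str
    reason: str


@dataclass
class RuleSet:
    default_action: str                              # every configured app except Safari
    rules: List[Rule] = field(default_factory=list)  # rules[0] is rank 1, the highest priority

    def __post_init__(self) -> None:
        if self.default_action not in VALID_ACTIONS:
            raise ValueError(f"unknown default action {self.default_action!r}")

    def decide(self, app: str, host: str) -> Decision:
        """Return the action Tunnel takes for `app` connecting to `host`."""
        for rank, rule in enumerate(self.rules, start=1):
            if rule.covers(app) and rule.matches(host):
                return Decision(rule.action, f"rule {rank}")
        if app == SAFARI:
            return Decision("Bypass", "no Safari rule matched; Safari is never covered by the default")
        return Decision(self.default_action, "default action")


def rule_error(apps, destinations, action, proxy=None) -> Optional[str]:
    """Validation error text for a candidate rule, or None when the rule is acceptable."""
    try:
        Rule(apps, destinations, action, proxy)
    except ValueError as exc:
        return str(exc)
    return None


def sample_ruleset() -> RuleSet:
    """Constructed sample using the tutorial's mycompany.com placeholder domain."""
    return RuleSet(
        default_action="Block",
        rules=[
            Rule((ALL_APPS,), ("public.mycompany.com",), "Bypass"),              # rank 1
            Rule((ALL_APPS,), ("*.mycompany.com", "mycompany.com"), "Tunnel"),  # rank 2
            Rule((SAFARI,), ("*.mycompany.com", "mycompany.com"), "Tunnel"),    # rank 3
        ],
    )


if __name__ == "__main__":
    rs = sample_ruleset()
    for app, host in [("Workspace ONE Web", "intranet.mycompany.com"),
                      ("Workspace ONE Web", "public.mycompany.com"),
                      ("Workspace ONE Web", "www.example.org"),
                      ("Safari", "mycompany.com"),
                      ("Safari", "www.example.org")]:
        d = rs.decide(app, host)
        print(f"{app:18} {host:24} -> {d.action:7} ({d.reason})")
```

Swapping the first two rules of sample_ruleset() changes the answer for public.mycompany.com from Bypass to Tunnel, which is why the rank adjustment step matters: a broad *.mycompany.com Tunnel rule placed above a narrower Bypass rule shadows it. The Block default also shows the difference between a configured app (blocked when nothing matches) and Safari (goes direct when nothing matches).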

Distributing Workspace ONE Tunnel for macOS

Workspace ONE Tunnel is a macOS application available for free on the Mac App Store. It is also available for managed distribution volume licensing through Apple Business Manager and Apple School Manager. Use device-based licensing to distribute Workspace ONE Tunnel to managed macOS devices. This section demonstrates how to purchase Workspace ONE Tunnel and assign it to devices.

Note: The VPN tunnel should already be configured as part of the Prerequisites.

  1. Get Workspace ONE Tunnel licenses.

    1. In Apple Business Manager (or Apple School Manager), click Apps and Books.
    2. Search for workspace tunnel in the search text box.
    3. Select Tunnel - Workspace ONE for macOS.
    4. Choose the location for which you have uploaded the sToken into Workspace ONE UEM.
    5. Enter the quantity of licenses you want to purchase.
    6. Click Get. The button changes to Purchasing and, when the purchase is complete, changes back to Get.
  2. Sync assets in Workspace ONE UEM.

    1. In the Workspace ONE UEM console, click Resources.
    2. Expand Applications and click Native.
    3. Click Purchased.
    4. Click Sync Assets.
    5. Click OK on the dialog box.
    6. Wait a few moments and click Refresh to update the app list.
    7. Click the Workspace ONE Tunnel app in the app list.
  3. Enable device assignment.

    1. Click Enable Device Assignment and click OK for the Are you sure? prompt.
    2. Click Save & Assign.
  4. Click Add Assignment.
  5. Edit assignment.

    1. Enter a name for the Distribution.
    2. Select an Assignment Group (or create a new smart group containing the targeted devices).
    3. Enter the number of licenses to allocate. Allocate up to the total number of unallocated licenses.
    4. Select Auto for Assignment Type.
    5. Click Create.
  6. Save assignment.
    1. If more assignments are necessary, click Add Assignment and repeat the steps in Edit Assignment.
    2. Click Save and then Publish when all assignments have been added.

Creating Per-App VPN Profile for macOS

Before device traffic rules take effect on macOS, Workspace ONE administrators must deploy a VPN profile payload that configures macOS to leverage Workspace ONE Tunnel. In this exercise, you create the macOS profile which configures the tunnel client on the device to allow only designated applications to access content on internal servers.

  1. To add a new profile, click Add and then click Profile.

  2. Select macOS.
  3. Select User Profile.
  4. Configure General profile settings.

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (53)

    1. Enter a name for the profile, for example, Per-App VPN.
    2. Select Auto as the assignment type.
    3. Select one or more Smart Groups to assign the VPN profile (or create a new smart group).
    4. Click the VPN payload, then click Configure.
  5. Configure VPN payload.

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (54)

    1. Enter a name for the Per-App VPN Connection, for example, Corporate Per-App VPN.
    2. Select Workspace ONE Tunnel as the Connection Type.
    3. Choose the Device Traffic Rule Set (as configured in Configuring Device Traffic Rules for macOS) to be assigned through this profile payload.
    4. If required, select the check boxes for Enable Mail Domains, Enable Contacts Domains, and Enable Calendar Domains.
    5. For each selected check box, enter a domain that should be tunneled.
    6. If multiple domains are required, click Add to enter an additional domain. Repeat as necessary.
    7. Click Save and Publish.
  6. Click Publish.

Testing Per-App Tunnel on macOS

With the settings configured in the Workspace ONE UEM Console, administrators can test the Per-App Tunnel functionality on an enrolled device. The Workspace ONE Tunnel app assigned in the previous exercises should install automatically during enrollment. As part of testing, the applications named in the Device Traffic Rules should be deployed as described in Deploying Third-Party macOS Applications: Workspace ONE Operational Tutorial.

As a reminder, the prerequisites for testing Per-App Tunnel on macOS include the following:

  • Tunnel Edge Service configured on Unified Access Gateway
  • Device Traffic Rules configured in Workspace ONE UEM
  • Workspace ONE Tunnel and additional apps defined in Define Traffic Rules deployed to an enrolled device running macOS
  • A valid endpoint that is not accessible to the apps on the device except via per-app Tunnel

Validate Per-App Tunnel based on Device Rules

  1. Open an app specified in a Device Traffic Rule and confirm that it can reach the mapped domain name(s).
  2. Open an app that is not specified in a Device Traffic Rule, such as Safari, and confirm that the same mapped domain name does not connect. A Tunnel rule matches on the application as well as the destination, so a wildcard destination does not grant Safari a tunnel; only the applications listed in the rule get one.

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (55)

In the section of this tutorial where device traffic rules were created for macOS, Firefox was the allowed application. In the screenshot, Firefox is launched and connects to an approved (wildcard) destination (#1), while Safari, which was not granted access to the tunnel, cannot connect to the same endpoint.

Extending Tunnel Configuration for Kerberos SSO Extension in macOS

With macOS Catalina, Apple introduced a new single sign-on (SSO) extension framework and included a built-in Kerberos SSO extension. The Kerberos SSO extension syncs passwords between a user's account in Active Directory and the local macOS account. It also brings Kerberos SSO functionality directly into the OS via MDM-manageable payloads. This tutorial aims to help experienced Workspace ONE administrators to configure the Kerberos SSO extension for macOS Catalina and enable off-network access for the extension through per-app tunneling.

IMPORTANT: This document is provided as a courtesy to aid anyone wishing to test the functionality. This document was created around the time macOS Catalina was released. Kerberos Ticketing worked as expected at that time, but the Kerberos SSO Extension had a known bug that prevented AD password sync and change over per-app tunnel. Since then, the Kerberos SSO Extension has continued to work for network-connected devices.

However, Kerberos SSO over per-app tunneling has been in varying states of functioning depending on major, minor, and development builds of the OS. We encourage customers interested in this functionality to test and file feedback with Apple (usingApple's Feedback Assistant) and also with us.

Software Prerequisites

Before using this section of the tutorial, Workspace ONE administrators must ensure the following software version prerequisites are met:

  • Workspace ONE UEM version 2302+
  • macOS Catalina 10.15.0+

Optionally, if configuring the SSO Extension to use Per-App Tunnel, administrators should meet these additional prerequisites:

  • Unified Access Gateway 3.8+
  • Tunnel client app for macOS version 4.1+

Configuration Prerequisites

Before using this section of the tutorial, Workspace ONE administrators must complete the following types of configurations within their environment:

  • Microsoft Active Directory
  • Internal websites or applications configured for Kerberos authentication
    • Microsoft IIS should be configured for Windows Authentication with Negotiate as the primary enabled provider. Before this section is completed, connecting to the IIS-hosted site from a web browser listed in the Device Traffic Rule should prompt for username and password, because macOS does not yet hold any Kerberos tickets.

Validate No Pre-existing Kerberos Tickets

  1. Press Command+Space to open Spotlight and enter terminal.
  2. Select Terminal to open Terminal.app.
  3. Enter klist and press Return.
  4. Ensure that there are no Kerberos tickets and that the command returns No credentials cache file found.

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (56)

Validate Kerberos Application or Website Fails

  1. Launch an application that should be Kerberos-enabled. If using a website, browse to the Kerberos-enabled website.

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (57)

  2. Note that authentication either fails (as there are no Kerberos tickets) or reverts to a non-Kerberos authentication type (such as certificate authentication or username/password).

Define the Kerberos Extension in Device Traffic Rules

To connect the SSO Kerberos Extension over Per-App Tunnel, you must add the appropriate device traffic rules to the Tunnel configuration to support this. This section covers how to add the appropriate device traffic rules.

  1. Access configurations.
    1. In the Workspace ONE UEM console, click Groups and Settings.
    2. Click Configurations.
  2. Scroll through the list of configurations and select Tunnel.

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (58)

  3. Edit Device Traffic Rule sets.
    1. From within the Device Traffic Rules information block on the Tunnel Configuration page, click Edit.
  4. Add or modify device traffic rule set.

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (59)

    Introduced in Workspace ONE UEM 2011, Device Traffic Rule Sets expand the functionality of device traffic rules, allowing granular assignment of rule sets to different groups of users and devices. Device Traffic Rule Sets are assigned when creating the per-app VPN profile in a later step.

    To get started with Device Traffic Rule Sets, perform the following in the Manage Traffic Assignments screen:

    1. If no other Device Traffic Rule Sets exist (or a new rule set is required), click Add to create a new Device Traffic Rule Set.
    2. If modifications to an existing rule set are required, click the Device Traffic Rule Set name.
  5. Enter a name for the Device Traffic Rule Set (or if necessary, modify the name of an existing rule set).

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (60)

  6. Click Manage Applications.
  7. Click Add to add a new application for device traffic rules.
  8. Define the application.

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (61)

    1. Select macOS for Platform.
    2. Enter the friendly name of the application, for example, Kerberos SSO Extension. The friendly name is displayed in the Device Traffic Rule.
    3. Enter the application's package ID (com.apple.AppSSOKerberos.KerberosExtension), which is the Identifier value displayed by running the command:

      codesign -dv --entitlements - /System/Library/PrivateFrameworks/AppSSOKerberos.framework/PlugIns/KerberosExtension.appex/Contents/MacOS/KerberosExtension

    4. Enter the application's Designated Requirement (identifier "com.apple.AppSSOKerberos.KerberosExtension" and anchor apple), which is displayed to the right of the => sign in the output of the following command:

      codesign -d -r - /System/Library/PrivateFrameworks/AppSSOKerberos.framework/PlugIns/KerberosExtension.appex/Contents/MacOS/KerberosExtension

    5. Enter the following path:

      /System/Library/PrivateFrameworks/AppSSOKerberos.framework/PlugIns/KerberosExtension.appex/Contents/MacOS/KerberosExtension

    6. Click Save.
  9. Define additional applications (macOS Big Sur and later).

    For macOS Big Sur and later, follow the same process described in Add macOS Application to Rule Builder and Define the Application to configure the following additional applications. These additional definitions allow the full functionality of the Kerberos SSO Extension with regard to Active Directory password sync and change.

    AppSSOAgent:

    1. Platform: macOS
    2. Friendly Name: Kerberos SSO AppSSOAgent
    3. Package ID: com.apple.AppSSOAgent
    4. Designated Requirement: identifier "com.apple.AppSSOAgent" and anchor apple
    5. Path: /System/Library/PrivateFrameworks/AppSSO.framework/Support/AppSSOAgent.app/Contents/MacOS/AppSSOAgent

    KerberosMenuExtra:

    1. Platform: macOS
    2. Friendly Name: Kerberos SSO KerberosMenuExtra
    3. Package ID: com.apple.KerberosMenuExtra
    4. Designated Requirement: identifier "com.apple.KerberosMenuExtra" and anchor apple
    5. <No Path Required>
  10. Add device traffic rule.

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (62)

    1. Click Add Rule.
    2. Click the down arrow in the Application column of the new device traffic rule.
    3. Select the three Kerberos SSO Extension apps you defined in the previous steps:
      1. com.apple.AppSSOKerberos.KerberosExtension
      2. com.apple.AppSSOAgent
      3. com.apple.KerberosMenuExtra
    4. Select Tunnel as the action.
    5. Configure destination domain names (include wildcards if needed) that match your domain controllers. The extension talks to the KDC (Kerberos, TCP/UDP 88), to the password-change service (kpasswd, TCP/UDP 464) and to LDAP for domain controller discovery, so those ports must also be permitted between the Unified Access Gateway and the domain controllers.
    6. Click Save and Publish.
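The package ID and Designated Requirement that the steps above have you copy from codesign output can be extracted and, more importantly, checked before they are entered into the console. The following script is an added example and is not part of the Omnissa tutorial: it parses the output of the two codesign commands shown above, then uses codesign --verify -R to confirm that the binary actually satisfies the requirement string you are about to trust in a traffic rule. It assumes the Catalina/Big Sur binary paths listed above and only runs the live checks where codesign exists.

```shell
#!/bin/sh
# Added example (not from the Omnissa tutorial): derive the three fields a
# macOS Device Traffic Rule application needs (Package ID, Designated
# Requirement, Path) from codesign output, and verify the Designated
# Requirement against the binary before it is typed into the console.

# parse_identifier: extract "Identifier=..." from `codesign -dv` output.
# codesign prints these details to stderr, so callers redirect 2>&1.
parse_identifier() {
    printf '%s\n' "$1" | sed -n 's/^Identifier=//p' | head -n 1
}

# parse_designated_requirement: extract the text after "designated => "
# from `codesign -d -r -` output (the part the console asks for).
parse_designated_requirement() {
    printf '%s\n' "$1" | sed -n 's/^designated => //p' | head -n 1
}

# dtr_app_definition PATH: print Package ID, Designated Requirement and Path
# for one binary, then re-verify the binary against that requirement with
# `codesign --verify -R=...`. A mistyped requirement is caught here instead
# of becoming a rule that silently never matches on the device.
dtr_app_definition() {
    path=$1
    [ -e "$path" ] || { echo "missing: $path" >&2; return 1; }
    details=$(codesign -dv --entitlements - "$path" 2>&1)
    reqs=$(codesign -d -r - "$path" 2>&1)
    pkg_id=$(parse_identifier "$details")
    dr=$(parse_designated_requirement "$reqs")
    if codesign --verify -R="$dr" "$path" 2>/dev/null; then
        status="verified"
    else
        status="DOES NOT MATCH"
    fi
    printf 'Package ID:             %s\nDesignated Requirement: %s\nPath:                   %s\nDR check:               %s\n\n' \
        "$pkg_id" "$dr" "$path" "$status"
}

# Paths from the tutorial (Catalina/Big Sur layout); adjust if Apple moves them.
# KerberosMenuExtra has no fixed path in the rule, so it is not listed here.
if command -v codesign >/dev/null 2>&1; then
    for p in \
        /System/Library/PrivateFrameworks/AppSSOKerberos.framework/PlugIns/KerberosExtension.appex/Contents/MacOS/KerberosExtension \
        /System/Library/PrivateFrameworks/AppSSO.framework/Support/AppSSOAgent.app/Contents/MacOS/AppSSOAgent
    do
        dtr_app_definition "$p"
    done
fi
```

Run it on the Mac being enrolled. The parse functions are plain text handling, so they can also be exercised against captured codesign output. A DOES NOT MATCH result means the requirement string was mistyped or the system binary differs from the one the rule was written against; either way the rule would never match and the traffic would fall through to the default action.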

Configure Kerberos Profile Payload

Next, create the Kerberos profile and configure the SSO extension payload.

  1. Click Add and click Profile.
  2. Select macOS.
  3. Select User Profile.
    Note: The SSO Extension payload is available in both the User and Device context as of Workspace ONE UEM 2011 and later. The choice between a User Profile and a Device Profile is driven mainly by the certificate used in the payload. In most cases the certificate/credential comes from the login keychain, and the Workspace ONE UEM administrator should use a User Profile. Choose Device Profile to use a certificate/credential from the system keychain.
  4. Configure General Profile details.

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (63)

    1. Enter a name for the profile, for example, Kerberos SSO Extension.
    2. Select Auto as the Assignment Type.
    3. Select one or more Smart Groups to assign the SSO Extension profile (or create a new smart group).
  5. Configure SSO extension payload.

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (64)

    1. Search for the SSO payload.
    2. Click SSO Extension.
    3. Click Configure.
  6. Modify and save the SSO extension payload.

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (65)

    1. Select Kerberos for Extension Type.
    2. Enter the Active Directory Realm (in capital letters) where the user logs in. For example, AAPP.XXXX.COM.
    3. Enter the Active Directory hosts and domains that can be authenticated through the extension. For example, aapp.xxxx.com.
    4. Select whether the extension should use Active Directory and DNS to discover its AD site.
    5. Select whether the extension should save passwords to the keychain.
    6. Select whether the user should be required to use biometrics or a password to use the keychain.
    7. Select the Certificate Credential that should be used for authenticating in the SSO Extension.
    8. Enter a list of application Bundle IDs allowed to use the Kerberos Ticket Granting Ticket. If more than one app is allowed, click Add to add additional bundle IDs.
    9. Select whether to allow users to initiate directory password changes from the extension.
    10. Select whether to keep the local macOS user account password synchronized with the Active Directory account password.
    11. Select whether passwords must meet Active Directory's definition of complex.
    12. Optionally, scroll down to configure additional password settings.
    13. Click Save and Publish.
  7. Click Publish to publish the SSO extension profile.

Validate Kerberos Tickets

Finally, log in to Kerberos and confirm that the Kerberos credentials are obtained over Per-App VPN by the Kerberos SSO Extension.

  1. Log in to Kerberos extension.

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (66)

    1. Click the extension (key icon) in the menu bar.
    2. Click Sign In.
    3. Enter a user's username and password.
    4. Click Sign In.
  2. Click Yes to accept automatic sign-in.
  3. Rerun klist command.

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (67)

    1. In Terminal.app, enter klist and press Return.
    2. Observe the Kerberos credential obtained over Per-App VPN by the built-in macOS Catalina Kerberos SSO Extension.
  4. Validate Kerberos-enabled application or website.

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (68)

    1. Launch an application that is Kerberos-enabled. If using a website, browse to the Kerberos-enabled website.
    2. Note the application or website is authenticated without any intervention from the user (no certificate chooser or username/password prompt).

Note: Some applications require additional configuration before they will use Kerberos authentication; Google Chrome and Firefox are two common examples.

For Firefox:

  1. Open Firefox and enter about:config in the address bar.
  2. Search for negotiate and then double-click network.negotiate-auth.trust-uris.
  3. Enter a comma-separated list of domain names that should be enabled for Kerberos authentication and click OK.
  4. Open a new tab and retry the Kerberos-enabled website.

The same preference can be pushed centrally with the Firefox enterprise policy Authentication > SPNEGO instead of being edited per user in about:config.

For Google Chrome:

  1. Create a Custom Settings payload in a User Profile for the device, targeting com.google.Chrome as the PayloadType.
  2. Include the following keys in your settings (replace *.domain.name with your own domain pattern):

      <key>AuthServerWhitelist</key>
      <string>*.domain.name</string>
      <key>AuthNegotiateDelegateWhitelist</key>
      <string>*.domain.name</string>

    Note: Chrome has since renamed these policies to AuthServerAllowlist and AuthNegotiateDelegateAllowlist; on current Chrome releases use the Allowlist names, and confirm at chrome://policy that the policy is applied without an error. AuthNegotiateDelegateAllowlist lets the listed servers forward the user's Kerberos identity to further back ends (delegation), so keep it limited to servers that actually need to act on the user's behalf rather than copying the full server list.
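As an added example (not the tutorial's own payload), the following script generates the Custom Settings body for com.google.Chrome with the current Allowlist policy names, escapes the domain patterns for XML, wraps them in a full plist and lints the result with plutil where it is available. The domain patterns and the /tmp output path are placeholders.

```shell
#!/bin/sh
# Added example (not from the Omnissa tutorial): emit the Custom Settings
# payload body for com.google.Chrome that allowlists domains for
# Kerberos/Negotiate authentication and delegation, then lint it with plutil.
# Chrome renamed the *Whitelist policies to *Allowlist; the generator uses
# the current names. The domain patterns below are placeholders.

# xml_escape: escape the characters that are special in XML text nodes.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# chrome_kerberos_settings "PATTERN[,PATTERN...]": Chrome expects a single
# comma-separated string for both policies (not an array), so the patterns
# are placed verbatim in one <string>. Pass a narrower list for delegation
# by calling chrome_kerberos_settings twice if the two lists differ.
chrome_kerberos_settings() {
    patterns=$(xml_escape "$1")
    cat <<EOF
<key>AuthServerAllowlist</key>
<string>${patterns}</string>
<key>AuthNegotiateDelegateAllowlist</key>
<string>${patterns}</string>
EOF
}

# chrome_kerberos_plist: wrap the keys in a complete plist so the file can
# be linted locally before the inner keys are pasted into the console.
chrome_kerberos_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
$(chrome_kerberos_settings "$1")
</dict>
</plist>
EOF
}

# count_key TEXT KEY: number of times a policy key appears, a sanity check
# that neither key was dropped or duplicated when the payload was assembled.
count_key() {
    printf '%s\n' "$1" | grep -c "<key>$2</key>"
}

# plutil exists on macOS only; on other systems just emit the payload body.
if command -v plutil >/dev/null 2>&1; then
    out=/tmp/chrome-kerberos.plist
    chrome_kerberos_plist "*.corp.example.com,sso.example.com" > "$out"
    plutil -lint "$out"
else
    chrome_kerberos_settings "*.corp.example.com,sso.example.com"
fi
```

Paste the output of chrome_kerberos_settings into the Custom Settings payload. After the profile lands, chrome://policy on the device should list both policies with no error; if it lists them under the old Whitelist names with a deprecation note, the payload is the one from the original text and should be updated.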

Caution: Some apps spawn helper applications to assist with background tasks. In these cases, the helper apps may be making DNS calls or performing other network tasks that require the Per-App Tunnel but are not part of a device traffic rule. One particular example is Google Chrome, which performs network functions outside the Google Chrome.app process. In this case, the helper application must be added to the device traffic rule; otherwise, specific settings must be changed client-side within the application.

As an example, to validate Kerberos-enabled websites in Google Chrome using Per-App Tunnel, perform the following:

  1. In the URL field, enter chrome://flags
  2. Search for network in the Search flags text box.
  3. Set Runs network service in-process to Enabled and relaunch Google Chrome before proceeding with testing.

This small change allows Google Chrome to leverage the Per-App Tunnel for the connectivity required to query DNS and obtain Kerberos tickets. At the time of writing, the ForceNetworkInProcess key was not available in Chrome for macOS, so the flag must be enabled by the individual user.

Troubleshooting Workspace ONE Tunnel on macOS

If a Per-App Tunnel problem occurs on macOS, there are a number of places to troubleshoot. This section of the tutorial covers where to troubleshoot on macOS at a high level. Depending on the problem, there might be steps that should be performed on the Unified Access Gateway. However, troubleshooting the Unified Access Gateway is outside the scope of this tutorial. Workspace ONE UEM administrators should contact our support for assistance when troubleshooting Per-App Tunnel, Workspace ONE Tunnel, or the Unified Access Gateway.

This section covers a high-level set of initial troubleshooting steps.

To begin, open Workspace ONE Tunnel. Click Launchpad and click VMware Tunnel.

Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (69)

Ensure Tunnel is Configured

  1. Ensure that the Device Configured status shows Configured. This indicates that Workspace ONE Tunnel has received configuration data from Workspace ONE UEM. If the status is not Configured, try one of the following:

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (70)

    1. Check the Device Traffic Rules and Save and Publish the rules again.
    2. Check the Last Seen value for the device in the Workspace ONE UEM console. Is the device communicating with Workspace ONE UEM?
    3. Validate that other MDM commands are being sent to the device. Create an assignment (smart) group containing the single device and attempt to send it a new profile payload.
  2. Ensure that the Internet status shows Connected. If Tunnel cannot connect to the Internet, it probably cannot connect to the Unified Access Gateway.
    1. Validate that the device has a working Ethernet or Wi-Fi connection (IP address, subnet mask, gateway, and DNS addresses are present).
    2. Validate DNS resolution: open Terminal and enter nslookup uag.fully.qualified.domain to ensure that an IP address is resolved.
    3. Validate connectivity to UAG: in Terminal, enter nc -vz uag.fully.qualified.domain uagport (for example, nc -vz uag.company.com 443). This only proves the TCP port is reachable; it does not exercise the TLS handshake or certificate trust that the Tunnel client also needs.
  3. Ensure that the Enterprise Network status shows Connected. If Workspace ONE Tunnel is disconnected from the enterprise network, apps cannot use Per-App Tunnel. This might indicate an issue with Workspace ONE Tunnel connecting to the Unified Access Gateway or an issue with Device Traffic Rules.

The remainder of this section details how to troubleshoot Tunnel connectivity.

Validate Per-App VPN Profile

  1. Click System Preferences (System Settings on macOS Ventura and later).

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (71)

  2. Click Profiles (under Privacy & Security in System Settings).
  3. Scroll through the left panel.
  4. Click the Per-App VPN profile that was created.
  5. Ensure that the VPN App Layer Service details are correct, especially the VPN Remote Address and the OnDemand Enabled value.
    1. If the profile is missing or misconfigured, check the profile configuration and re-push the profile to the device from the Device Details view in the UEM Console (on the Profiles tab).

Validate Advanced Tunnel Information

  1. Open the Workspace ONE Tunnel client and click the VMware Tunnel menu.

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (72)

  2. Click Whitelisted Applications.
  3. Verify that the list of allowlisted applications matches the settings configured in the Device Traffic Rules.
  4. From the VMware Tunnel menu (#1), click Diagnostics.
  5. Click Enable Debug to get verbose information.
  6. Review the Diagnostics information.
  7. Click Disable Debug when troubleshooting is complete.

Review Tunnel-Related Unified Logging

  1. Press Command+Space to open Spotlight and enter console.

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (73)

  2. Select the Console application.
  3. Enter process:macOSAppProxyProvider into the search bar and press Return.
  4. Without clearing the search bar, add a second filter by entering process:VMware Tunnel and pressing Return.
  5. Click the Action menu and confirm that Include Info Messages and Include Debug Messages are selected.
  6. Review the logging produced within the Console application.

Tip: If the console filters do not provide any meaningful data, you can optionally attempt to view information and debug messages from entire subsystems. Some filters that may help include:

  • process:macOSAppProxyProvider
  • any:com.vmware.macos-tunnel

Also, if troubleshooting Kerberos over the Per-App Tunnel, you can include the following console filters:

  • subsystem:com.apple.appsso
  • subsystem:com.apple.appssokerberosextension

The following Terminal command might provide meaningful output:

  log stream --debug --predicate '(subsystem == "com.apple.Heimdal") OR (subsystem == "com.apple.AppSSO") OR (subsystem == "org.h5l.gss") OR (subsystem == "com.apple.network") OR (process == "VMware Tunnel")'

General VPN Network Extension Troubleshooting

Per Apple's Developer Website (requires login), you can use the following commands to gather additional data from the VPN (Network Extension):

  • sudo defaults write /Library/Preferences/com.apple.networkextension.control.plist LogToFile -boolean true
  • sudo defaults write /Library/Preferences/com.apple.networkextension.control.plist LogLevel -int 7

Reproduce the issue and then enter this command inTerminal.app:

  • /System/Library/Frameworks/SystemConfiguration.framework/Resources/get-mobility-info

You should find additional information in the resulting get-mobility-info output file.

You can later deactivate the logging by issuing the following commands:

  • sudo defaults delete /Library/Preferences/com.apple.networkextension.control.plist LogToFile
  • sudo defaults delete /Library/Preferences/com.apple.networkextension.control.plist LogLevel
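The Console filters, the log stream predicate and the Network Extension logging toggles above are easier to apply consistently from one script. The following is an added example, not part of the tutorial or of the Workspace ONE Tunnel client: it builds the predicate from the subsystem and process names given above, turns on Network Extension file logging only for the capture window, streams the filtered log to a file while the issue is reproduced, runs get-mobility-info, and restores the logging settings on exit even if the capture is interrupted. The output directory and the 120-second default are assumptions.

```shell
#!/bin/sh
# Added example (not from the Omnissa tutorial): capture a time-bounded slice
# of unified logging for Workspace ONE Tunnel and the Kerberos SSO extension,
# with Network Extension file logging enabled only for the capture window.
# Subsystem/process names come from the tutorial; OUTDIR and the duration
# are assumptions.

NE_PLIST=/Library/Preferences/com.apple.networkextension.control.plist

# build_predicate ITEM...: turn "subsystem:X" / "process:Y" items into the
# OR-joined predicate that `log stream --predicate` expects, for example
#   (subsystem == "com.apple.AppSSO") OR (process == "VMware Tunnel")
build_predicate() {
    pred=""
    for item in "$@"; do
        kind=${item%%:*}
        value=${item#*:}
        clause="($kind == \"$value\")"
        if [ -z "$pred" ]; then pred=$clause; else pred="$pred OR $clause"; fi
    done
    printf '%s' "$pred"
}

# Default filter set: the Tunnel client, the NE app-proxy provider, and the
# Apple SSO / Kerberos / GSS / network subsystems named in this section.
TUNNEL_PREDICATE=$(build_predicate \
    'process:VMware Tunnel' \
    'process:macOSAppProxyProvider' \
    'subsystem:com.apple.AppSSO' \
    'subsystem:com.apple.Heimdal' \
    'subsystem:org.h5l.gss' \
    'subsystem:com.apple.network')

# The two defaults toggles from Apple's guidance, paired so they are always
# reverted together.
ne_debug_on() {
    sudo defaults write "$NE_PLIST" LogToFile -bool true
    sudo defaults write "$NE_PLIST" LogLevel -int 7
}
ne_debug_off() {
    sudo defaults delete "$NE_PLIST" LogToFile 2>/dev/null
    sudo defaults delete "$NE_PLIST" LogLevel 2>/dev/null
}

# collect_tunnel_logs OUTDIR SECONDS: enable NE debug logging, stream the
# filtered log for SECONDS while the problem is reproduced, collect
# get-mobility-info, then switch verbose logging back off. The trap makes the
# revert happen even if the operator hits Ctrl-C mid-capture.
collect_tunnel_logs() {
    outdir=$1; seconds=${2:-120}
    mkdir -p "$outdir"
    ne_debug_on
    trap ne_debug_off EXIT INT TERM
    echo "Reproduce the issue now; capturing for ${seconds}s -> $outdir/tunnel.log" >&2
    log stream --debug --info --style syslog --predicate "$TUNNEL_PREDICATE" > "$outdir/tunnel.log" &
    logpid=$!
    sleep "$seconds"
    kill "$logpid" 2>/dev/null
    /System/Library/Frameworks/SystemConfiguration.framework/Resources/get-mobility-info >/dev/null 2>&1 || true
    ne_debug_off
    trap - EXIT INT TERM
}

# Usage: sh collect-tunnel-logs.sh run [OUTDIR] [SECONDS]   (macOS only)
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "run" ]; then
    collect_tunnel_logs "${2:-$HOME/tunnel-logs}" "${3:-120}"
fi
```

Run it with `run` as the first argument on the affected Mac, reproduce the problem during the countdown, and hand tunnel.log plus the get-mobility-info archive to support. Leaving LogLevel 7 enabled after troubleshooting fills the disk and writes verbose network metadata to a world-readable location, which is why the script reverts it unconditionally.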

Deploying Workspace ONE Tunnel for Windows Desktop

Per-App Tunnel lets users reach business-critical internal resources from the applications on their devices without a device-wide VPN, streamlining the user experience.

Leveraging Per-App Tunnel allows you to control which applications on a device can reach internal resources, and which resources they can reach, by automatically activating or deactivating Per-App VPN access based on which applications are active. You no longer need to provide a device-wide VPN, which would allow unintended or unauthorized apps and processes to reach your internal network. In this tutorial, you configure and deploy Workspace ONE Tunnel to enable the Per-App Tunnel component on managed devices.

These exercises involve the following components:

  • Workspace ONE Tunnel– The app used on the device to securely connect to the Unified Access Gateway to provide Per-App Tunnel functionality, also referred to as Tunnel Client.
  • Unified Access Gateway– The virtual appliance where the Tunnel edge service is installed, and to which the tunnel client connects.
  • Per-App Tunnel– Component of Tunnel edge service for connecting to a secure tunnel channel on a per-application basis, which is controlled and configured by the VPN profile payload and Device Traffic Rules.
  • Per-App VPN Profile and Device Traffic Rules– The Workspace ONE UEM configuration is pushed to the device that contains the Per-App Tunnel configurations. Every time a specified application is opened, the Workspace ONE Tunnel client evaluates the Device Traffic Rules assigned to it before making any routing decisions and establishes a Per-App tunnel connection with the Unified Access Gateway based on the Per-App VPN Profile configuration.

High-Level Architecture

Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (74)

The device contains the applications required by the end user to perform their daily job. Some of these applications require access to internal resources to function. Based on the Per-App VPN configuration, those applications use Workspace ONE Tunnel, which connects to the Tunnel Service on a Unified Access Gateway hosted in the DMZ; the Tunnel Service verifies that the requesting device is compliant before authorizing access to the internal resource.

Prerequisites

Before you can perform the steps in this exercise, you must have the following components installed and configured:

  • Workspace ONE UEM 2203+
  • Windows 10 1704+ or Windows 11+ enrolled in Workspace ONE UEM
  • Latest version of the Workspace ONE Tunnel Desktop Application
    • Download the installer file: Workspace ONE Tunnel
    • For more information, see Supported Platforms for Workspace ONE Tunnel
  • The VPN tunnel must be configured before you can add it as an application

Note: See Workspace ONE Tunnel for Windows Release Notes for updates to the client.

Configuring Device Traffic Rules for Windows

This exercise outlines how to configure device traffic rules for Windows. Before you start this section, read the Device Traffic Rules chapter for a better understanding of how device traffic rules are managed by Workspace ONE Tunnel.

For this example, the user must access internal websites, internal network file shares, and a remote desktop session. To allow secure access, you configure Workspace ONE Tunnel to allow only the applications required.

In this exercise, you configure the following:

  • Internal web browser access - defining Chrome as the application
  • Internal network file shares - allowing system access
  • Remote Desktop Session Connection - defining Microsoft Remote Desktop client as the application

Note: Domain values used in this section are examples only. Your values will differ.

  1. Access configurations.
    1. In the Workspace ONE UEM console, click Groups & Settings.
    2. Click Configurations.
  2. Scroll through the list of configurations and select Tunnel.

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (75)

  3. Edit Device Traffic Rule sets.
    1. From within the Device Traffic Rules information block on the Tunnel Configuration page, click Edit.
  4. Add or modify device traffic rule set.

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (76)

    Introduced in Workspace ONE UEM 2011, Device Traffic Rule Sets expand the functionality of device traffic rules, allowing granular assignment of rule sets to different groups of users and devices. Device Traffic Rule Sets are assigned when creating the per-app VPN profile in a later step.

    To get started with Device Traffic Rule Sets, perform the following in the Manage Traffic Assignments screen:

    1. If no other Device Traffic Rule Sets exist (or a new rule set is required), click Add to create a new Device Traffic Rule Set.
    2. If modifications to an existing rule set are required, click the Device Traffic Rule Set name.
  5. Set or modify device traffic rule name and tunnel mode.

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (77)

    1. Enter a name for the Device Traffic Rule Set (or, if necessary, modify the name of an existing rule set).
    2. Set the Tunnel Mode to Per Application.

This first Windows exercise configures device traffic rules in Per-Application Tunnel Mode. After completing it, you can return and switch the Tunnel Mode for this rule set to Full Device; the Application fields are then removed and you specify only the actions and destination domains.

  6. Click Manage Applications.
  7. Click Add.
  8. Define the application.

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (78)

    1. Select Windows as the Platform.
    2. Enter the friendly name of the application. The friendly name is displayed in the Device Traffic Rule.
    3. Select the App Type, for example, Desktop App. The App Type can be a traditional Windows application or a Windows Store application.
    4. Enter the App Identifier. For traditional Windows applications, use the file path of the executable. For Store applications, enter the Package Family Name (PFN). You can use the PowerShell command Get-AppxPackage to find the PFN. For more information, see Microsoft Docs: Find a package family name (PFN) for per-app VPN.
  9. Add Chrome web browser access.

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (79)

    1. In this example, Chrome is installed under the Program Files (x86) path. The App Identifier value must contain the full path to the EXE on the Windows machine, and it must match the actual installation: 64-bit Chrome installs under C:\Program Files\Google\Chrome\Application\chrome.exe, and a per-user install lives under the user's %LOCALAPPDATA%\Google\Chrome\Application folder. A path that does not match means the rule never triggers for that app.
    2. The screenshot shows that the App Identifier used for Chrome is C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    3. After you have entered the application details, click Save.
  10. Add the Remote Desktop (RDP) client.

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (80)

    1. Next, add the Remote Desktop client. This allows end users to connect to Remote Desktop hosts located behind the corporate firewall.
    2. As the Remote Desktop client is built into the Windows operating system, the file path of the executable is different.
    3. For example, in this screenshot, the App Identifier used for the RDP client is C:\Windows\System32\mstsc.exe
    4. After you have entered the application details, click Save.
  11. Add SMB for network drive and printer support.

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (81)

    1. Next, add support for tunneling SMB traffic from the system to allow users to map network shares and network printers. This allows end users to connect to file shares and printers that are located behind the corporate firewall.
    2. As the SMB protocol is built into the Windows operating system, the App Identifier is not an executable; instead, you define System as the App Identifier.
    3. After you have entered the application details, click Save.
  12. Add more applications to the device traffic rules, if required.
    1. If more applications are needed for the rule set, click Add and repeat starting at Define the Application.
    2. If all the required applications have been defined, click X to close the Manage Applications window.
  13. Add device traffic rule.

    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (82)

    1. Observe (and optionally modify) the default action which applies to all Windows applications.
      1. Tunnel– All apps on the device configured for Per-App Tunnel send network traffic through the tunnel. For example, set the Default Action to Tunnel to ensure all configured apps without a defined traffic rule use the Workspace ONE Tunnel for internal communications.
      2. Block– Blocks all apps on the device configured for Per-App Tunnel from sending network traffic. For example, set the Default Action to Block to ensure that all configured apps without a defined traffic rule cannot send any network traffic regardless of destination.
      3. Bypass– All apps on the device configured for Per-App Tunnel bypass the tunnel and connect to the Internet directly. For example, set the Default Action to Bypass to ensure all configured apps without a defined traffic rule bypass the Workspace ONE Tunnel to access their destination directly.
    2. Click Add Device Traffic Rule.
  14. Build device traffic rule.
    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (83)

    1. In the newly created traffic rule, click the down arrow to display the Application list.
    2. Select one or more triggering applications to control with this rule. The All Applications option is not applicable to Windows.
    3. Select the appropriate Action for Workspace ONE Tunnel to perform on traffic from the selected apps. For this exercise, select Tunnel.
      1. Tunnel – Sends app network traffic for the specified domains through the tunnel to your internal network.
      2. Block – Blocks all traffic sent to the specified domains.
      3. Bypass – Bypasses the Workspace ONE Tunnel so the application accesses the specified domains directly.
      4. Proxy – Redirects traffic to the specified HTTPS proxy for the listed domains. The proxy must be HTTPS and must follow the format https://example.com:port.
      5. Note: Proxy is not yet supported by the Workspace ONE Tunnel Desktop Application.
    4. Enter one or more comma-separated fully qualified domain names as destinations to which Workspace ONE Tunnel should apply the Device Traffic Rule. A single asterisk (*) can be used as a wildcard for subdomains.
    5. If necessary, adjust the Device Traffic Rule's rank in the list. The lowest-numbered rank has the highest priority, and the first matching rule wins.
    6. If necessary, click Add Rule and repeat Build Device Traffic Rule until you have added all the Device Traffic Rules your organization needs.
    7. Click Save.

For more information on the formats (wildcards, IP, ports) allowed into the Destination field, see theDevice Traffic Rules Destination formats supportedchapter.

Note: For Windows Desktop devices, if Enhanced Domain Resolution is not enabled on the Per-App VPN profile, the domains added to the destination must also be added to the list of domains part of the DNS Resolution via Tunnel Gateway.

  1. Review the summary of the device traffic rule configurations.
    Deploying Workspace ONE Tunnel: Workspace ONE Operational Tutorial | Omnissa (84)

    1. TheApplicationlist contains triggering applicationsChrome,Remote Desktop, andSystem.
      1. The applications appear in the following format:Application Friendly Name - UEM Organization Group - Platform
        1. Google Chrome - ACME Corp - WinRT
        2. RDP - ACME Corp - WinRT
        3. System - ACME Corp - WinRT
    2. The AppropriateActionfor Workspace ONE Tunnel to perform isTunnel.
      1. Tunnel– Sends app network traffic for specified domains through the tunnel to your internal network
      2. Destination- For this example, the domains are*.corp.localand*.airwlab.com
    3. Optional- You can also configure Device Traffic Rules toBlock.
      1. In this example, Chrome is set to block domains*.cnn.com,*.facebook.com,and*.match.com.
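The rule evaluation described in this section, as an added example that is not code from the tutorial or from the Tunnel client: a small Python model of ranked Device Traffic Rules with wildcard destinations and a Default Action, loaded with the Windows ruleset summarized above. It assumes that a leading "*." matches subdomains only and that an application listed in no rule is not intercepted at all (which is why Edge cannot reach the intranet host later in the tutorial).

```python
"""Added example, not code from the tutorial or the product: a model of how
Device Traffic Rules are evaluated as the page describes them. Rules are ranked
(lower rank wins), keyed by triggering application, and carry comma-separated
FQDN destinations where a single leading '*' matches subdomains; when no rule
matches, the ruleset's Default Action applies. Applications that appear in no
rule are not configured for Per-App Tunnel and are left untouched (assumption).
The ruleset below is constructed from the page's Windows example."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class TrafficRule:
    rank: int                    # lower number = higher priority
    apps: List[str]              # triggering applications (friendly names)
    action: str                  # "Tunnel", "Block", "Bypass" or "Proxy"
    destinations: str            # comma-separated FQDNs, '*.' wildcard allowed
    proxy: Optional[str] = None  # only for Proxy: https://host:port


@dataclass
class DeviceTrafficRuleSet:
    default_action: str          # "Tunnel", "Block" or "Bypass"
    rules: List[TrafficRule] = field(default_factory=list)

    def configured_apps(self) -> Set[str]:
        """Apps that take part in Per-App Tunnel at all."""
        return {app for rule in self.rules for app in rule.apps}


def destination_matches(pattern: str, host: str) -> bool:
    """'*.airwlab.com' matches hosts below airwlab.com; an exact pattern
    matches only that host. Assumption: the wildcard does not match the apex.
    Comparison is case-insensitive and ignores a trailing dot on the host."""
    pattern = pattern.strip().lower()
    host = host.strip().lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]      # ".airwlab.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def evaluate(ruleset: DeviceTrafficRuleSet, app: str, host: str) -> str:
    """Return the action Tunnel applies to traffic from `app` to `host`."""
    if app not in ruleset.configured_apps():
        return "NotIntercepted"   # app is not part of Per-App Tunnel at all
    for rule in sorted(ruleset.rules, key=lambda r: r.rank):
        if app not in rule.apps:
            continue
        if any(destination_matches(d, host) for d in rule.destinations.split(",")):
            return rule.action if rule.action != "Proxy" else f"Proxy via {rule.proxy}"
    return ruleset.default_action  # no destination matched: Default Action


def example_ruleset() -> DeviceTrafficRuleSet:
    """Constructed from the page's summary: Chrome, RDP and System tunnel the
    internal domains, and Chrome additionally blocks a few public domains."""
    return DeviceTrafficRuleSet(
        default_action="Bypass",
        rules=[
            TrafficRule(1, ["Google Chrome"], "Block",
                        "*.cnn.com,*.facebook.com,*.match.com"),
            TrafficRule(2, ["Google Chrome", "RDP", "System"], "Tunnel",
                        "*.corp.local,*.airwlab.com"),
        ],
    )


if __name__ == "__main__":
    rs = example_ruleset()
    for app, host in [("Google Chrome", "atl-intranet-corp.airwlab.com"),
                      ("Google Chrome", "www.facebook.com"),
                      ("Google Chrome", "www.example.com"),
                      ("Microsoft Edge", "atl-intranet-corp.airwlab.com"),
                      ("System", "atl-intranet-corp.airwlab.com")]:
        print(f"{app:15} -> {host:32} {evaluate(rs, app, host)}")
```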

Distributing Workspace ONE Tunnel for Windows

In this exercise, you deploy the Workspace ONE Tunnel Desktop Application on Windows 10 devices.

Note: The Per-App VPN profile should already be configured as part of the Prerequisites.

  1. Download the Workspace ONE Tunnel desktop installer.
    1. Navigate to https://my.workspaceone.com/products and log in with your credentials.
    2. Click View All.
  2. Scroll to the end of the page and select Workspace ONE Tunnel.
  3. Select platform and version.
    1. Select Windows as the platform.
    2. Select the latest version of the Workspace ONE Tunnel Desktop Application.
    3. Filter by console version.
    4. Select the Install and Upgrades tab for a link to the download.

After you have Accepted the Terms of Use, the download should begin immediately.

Tip: It is helpful to have all Installation files pre-downloaded on your local machine, ready to upload into Workspace ONE UEM.

To improve user experience, have the application icons and screenshots of the application ready for the Application catalog.

  1. Upload Tunnel application into Workspace ONE UEM.
    1. In the Workspace ONE UEM console, click Resources.
    2. Select Internal Application.
    3. Click Add > Application File and Upload.
    4. Browse for the Workspace ONE Tunnel EXE installer file and click Save.
    5. Select No for Is this a dependency app?.
    6. Click Continue.
  2. On the Details tab, enter a name. For example, Workspace ONE Tunnel.
  3. On the Files tab, scroll down to find the App Uninstall Process section. For Tunnel, enter VMware Workspace ONE Tunnel 1.2 for Win10_Desktop.exe /uninstall /Passive as the Uninstall Command.
  4. Configure the Deployment Options tab.
    1. Select the Deployment Options tab.
    2. Locate the When to Install section.
    3. Configure any minimum requirements for the following:
      1. Data Contingencies – Use when the criteria type needs to check for existing or non-existing Applications, Files, or Registry Keys.
      2. Disk Space Required – This specifies the amount of disk space the device must have available to install the application.
      3. Device Power Required – This specifies the battery power, in percentage, that the device must have to install the application.
      4. RAM Required – This specifies the amount of RAM the device must have to install the application.
  5. Find the Install command options.

    Some application installers include help options. Find them by running the application file with /help or /? appended to the end of the file name.

    The following steps demonstrate how to run these commands.

    1. Find the installer file.
    2. Hold SHIFT and right-click the installer file.
    3. Select Copy As Path.
    4. Open Command Prompt.
    5. Paste in the installer file location, adding /help or /? to the end.
    6. This should show a dialog box listing the supported installation commands.

The results of running the command are shown in the screenshot. This example shows the supported Workspace ONE Tunnel Desktop Application install parameters.

  1. Define How to Install.
    1. Under the Deployment Options tab, scroll down to find the How To Install section.
    2. For the Install Command, enter VMware Workspace ONE Tunnel 1.2 for Win10_Desktop.exe /Install /Passive.
    3. Ensure Admin Privileges is set to Yes.
    4. Change Device Restart if required. This example uses User Engaged Restart. This allows the user to reboot the machine to complete the install when the user is ready.
    5. For Installer Reboot Exit Code, the supported values are 3010 and 1641.
    6. For Installer Success Exit Code, the supported values are 0 and 3010.

  Error Code                       Value   Description
  ERROR_SUCCESS                    0       The action completed successfully.
  ERROR_SUCCESS_REBOOT_INITIATED   1641    The installer has initiated a restart. This message indicates success.
  ERROR_SUCCESS_REBOOT_REQUIRED    3010    A restart is required to complete the install. This message indicates success. This does not include installs where the ForceReboot action is run.

  1. Define When to Call Install Complete.
    1. Click Add.
    2. Select File Exists for the Criteria Type.
    3. Enter C:\Program Files\VMware\Workspace ONE Tunnel\VMwareTunnel.exe for the Path.
    4. Click Add.
  2. Add the application icon.
    1. Select the Images tab.
    2. Select the Icon tab.
    3. Click the area labeled Click or drag files here.
    4. Navigate to the folder containing the application logo, or download the provided image to use.
  3. Set Terms of Use.
    1. Select the Terms of Use tab.
    2. If you decide to have a Terms of Use that your users must accept before installing applications, you can configure that here. For this exercise, select None.
    3. Click Save & Assign.
  4. Select Assignments and click Add Assignment.
  5. Configure the assignment.
  6. Click Add Assignment.
  7. Configure application distribution settings.
    1. Give the application assignment a name.
    2. Select the Select Assignment Groups search box and select an assignment group, for example, (Acme Corp).
    3. Select On-Demand for the App Delivery Method.
    4. Select Show for Display in App Catalog.
    5. Navigate to the Restrictions tab.
    6. Enable Make App MDM Managed if User Installed.
    7. Select Save, then click Save and Publish.
  8. Confirm that the application appears in List View.
    1. On the Internal applications List View, confirm that the Workspace ONE Tunnel Desktop Application is displayed.

You have successfully added the Workspace ONE Tunnel Desktop Application to Workspace ONE UEM for deployment.

Creating Per-App VPN Profile for Windows Desktop

On Windows Desktop, Tunnel can force selected applications to connect through your corporate VPN.

In this exercise, you configure the Windows Desktop profile which configures the tunnel client on the device to allow only designated applications to access content on internal servers.

Log in to the Workspace ONE UEM console to perform the next steps.

  1. Click Add and click Profile.
  2. Select Windows.
  3. Select Windows Desktop.
  4. Select Device Profile.
  5. Configure the General settings.

    1. Select the General tab.
    2. Enter a Name, for example, Per App VPN.
    3. Select the Assignment type. This example uses Auto, so devices automatically receive the policy.
    4. Assign the policy to one or more Smart Groups.
  6. Add and configure VPN payload.
    1. Select VPN from the payload menu and click Configure.
    2. Enter a Connection Name for the policy, for example, Corp VPN.
    3. Select Workspace ONE Tunnel from the Connection Type drop-down menu.
    4. Choose the Device Traffic Rule Set (as configured in Configuring Device Traffic Rules for Windows 10) to be assigned via this Profile Payload.
    5. Select Enable for Desktop Client. This enables the Workspace ONE Tunnel Desktop Application; otherwise the Windows UWP client is used, which is no longer recommended.
    6. Configure Custom Configuration XML as needed. Refer to Custom Configuration XML for Windows Desktop for additional details on the list of Custom Configuration parameters available.
    7. Select Enable for Enhanced Domain Resolution, located under DNS Resolution via Tunnel Gateway.
    8. Click Save & Publish.
  7. Click Publish to publish the VPN profile.

Custom Configuration XML for Windows Desktop

Custom Configuration allows the administrator to determine the behavior of the Tunnel Client on the device, from the initialization process to UI elements and network behavior.

For example, the following XML configuration allows the end user to turn the Tunnel on or off (ToggleTunnelFeature) from the tray icon, and changes the Tunnel connection (OnDemand) from on-demand to always connected.

  <?xml version="1.0" encoding="utf-16"?>
  <CustomConfiguration>
    <ToggleTunnelFeature>true</ToggleTunnelFeature>
    <OnDemand>false</OnDemand>
  </CustomConfiguration>

The result of this XML configuration is reflected in the UI of the Tunnel Windows Client, which shows an option to enable or deactivate the Tunnel Client; for the OnDemand connection, it sets the Tunnel's internal behavior to always connected.

Several other parameters can be customized to change the Tunnel behavior; the following table lists the supported custom configuration parameters and their respective Tunnel Mode. For additional information, see Configure Tunnel Profile for Windows Desktop Client in the product documentation.

Custom Configuration XML tag syntax, description, and Tunnel Mode:

<ServerCertSN>{Subject CN Name}</ServerCertSN>
  For a wildcard certificate: <ServerCertSN>*.airwlab.com</ServerCertSN>
  For SAN certificates, specify the complete Subject Alternate Name: <ServerCertSN>tunnel.airwlab.com</ServerCertSN>
  Description: Required when using a third-party SSL certificate for the Tunnel Server Certificate. This applies only to SAN certificates and wildcard certificates. To retrieve the subject CN name:
    1. Open the certificate on a Windows machine.
    2. Select the Details tab.
    3. The Subject row contains the CN of the cert.
  Tunnel Mode: Per-App and Full Device

<DnsSearchDomain>domain.com</DnsSearchDomain>
  Description: List of DNS search domains as comma-separated values.
  Tunnel Mode: Per-App and Full Device

<TrustedNetworkProbeUrl>https://probeurl, http://probeurl2</TrustedNetworkProbeUrl>
  Description: List of probe URLs used by the Desktop client to decide whether it is connected to a trusted network, based on their reachability. Supported schemes: http:// and https://, or IP addresses, for example http://10.0.0.1.
  Tunnel Mode: Per-App and Full Device

<ExcludeFQDN>host1.com,host2.com</ExcludeFQDN>
  Description: Comma-separated list of hostnames whose resolution should not be tunneled.
  Tunnel Mode: Per-App

<ToggleTunnelFeature>true/false</ToggleTunnelFeature>
  Description: Default is false. When set to true, users are given an option to enable and disable the Tunnel Client service on demand from the system tray icon. The Tunnel Client Service stays up when the user deactivates it from the tray icon, but the Tunnel Client does not intercept any traffic. When the user enables the Tunnel Client from the tray icon, the Tunnel Client is ready to intercept traffic and tunnel the requests.
  Tunnel Mode: Per-App and Full Device

<OnDemand>true/false</OnDemand>
  Description: Default is true. When set to true, the Tunnel Client connects when required, based on incoming requests from the apps, such as a user starting to browse. If there is no traffic for 5 minutes, the Tunnel Client disconnects automatically. When set to false, the Tunnel Client is always connected.
  Tunnel Mode: Per-App and Full Device

<StartTunnelPreLogon>true/false</StartTunnelPreLogon>
  Description: Default is false. Use this attribute to enable the Tunnel service to start before you log in. This parameter is useful for specific domain authentication scenarios, such as drop-ship provisioning, where Tunnel needs to start before the user logs on.
  Tunnel Mode: Per-App and Full Device

<PreferExternalDNS>true/false</PreferExternalDNS>
  Description: Use this attribute to prefer the external DNS response over the internal DNS response when a DNS response is received from both.
  Tunnel Mode: Per-App and Full Device
  Note: Use either the PreferInternalDNS or the PreferExternalDNS XML code in the Configuration XML. If both XML codes are used in the Configuration XML, the PreferInternalDNS XML code takes precedence.

<PreferInternalDNS>true/false</PreferInternalDNS>
  Description: Use this attribute to prefer the internal DNS response over the external DNS response when a DNS response is received from both.
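As an added example (not from the tutorial or the Tunnel client), the following Python checker parses a Custom Configuration XML and checks it against the parameters listed above: known tags, true/false values, probe URL schemes, and the PreferInternalDNS/PreferExternalDNS precedence note. The checks are this example's reading of the table, not the client's own parser, and the second sample configuration is constructed to trigger them.

```python
"""Added example, not code from the tutorial or the Tunnel client: a checker
for the Custom Configuration XML of the Windows Desktop VPN payload. The tag
list, value formats and defaults are taken from the parameter table above;
the checks themselves are this example's own reading of that table."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import urlparse

BOOL_TAGS = {"ToggleTunnelFeature", "OnDemand", "StartTunnelPreLogon",
             "PreferExternalDNS", "PreferInternalDNS"}
LIST_TAGS = {"DnsSearchDomain", "ExcludeFQDN", "TrustedNetworkProbeUrl"}
KNOWN_TAGS = BOOL_TAGS | LIST_TAGS | {"ServerCertSN"}
# Defaults stated in the table (the DNS preference tags list none).
DEFAULTS = {"ToggleTunnelFeature": False, "OnDemand": True,
            "StartTunnelPreLogon": False}

# The page's own sample: turns on the tray toggle and disables OnDemand.
PAGE_EXAMPLE = ('<?xml version="1.0" encoding="utf-16"?><CustomConfiguration>'
                ' <ToggleTunnelFeature>true</ToggleTunnelFeature>'
                ' <OnDemand>false</OnDemand></CustomConfiguration>')

# Constructed sample with several mistakes the checker should report.
BAD_EXAMPLE = """<CustomConfiguration>
  <OnDemand>yes</OnDemand>
  <TrustedNetworkProbeUrl>https://probe.example.internal, 10.0.0.1</TrustedNetworkProbeUrl>
  <PreferInternalDNS>true</PreferInternalDNS>
  <PreferExternalDNS>true</PreferExternalDNS>
  <SplitTunnel>true</SplitTunnel>
</CustomConfiguration>"""


def _parse(xml_text: str) -> ET.Element:
    # Drop the XML declaration so a str is accepted whatever encoding it names
    # (the console sample declares utf-16 but is pasted as text).
    return ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))


def check_custom_configuration(xml_text: str) -> List[str]:
    """Return findings; an empty list means every check passed."""
    findings: List[str] = []
    try:
        root = _parse(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "CustomConfiguration":
        return [f"root element must be CustomConfiguration, got {root.tag}"]
    seen: Dict[str, str] = {}
    for el in root:
        text = (el.text or "").strip()
        if el.tag not in KNOWN_TAGS:
            findings.append(f"{el.tag}: unknown tag")
            continue
        if el.tag in seen:
            findings.append(f"{el.tag}: appears more than once")
        seen[el.tag] = text
        if el.tag in BOOL_TAGS:
            if text not in ("true", "false"):
                findings.append(f"{el.tag}: expected true/false, got '{text}'")
        elif el.tag in LIST_TAGS:
            items = [v.strip() for v in text.split(",")]
            if any(not v for v in items):
                findings.append(f"{el.tag}: empty entry in comma-separated list")
            if el.tag == "TrustedNetworkProbeUrl":
                for url in items:
                    if urlparse(url).scheme not in ("http", "https"):
                        findings.append(
                            f"TrustedNetworkProbeUrl: '{url}' must use http:// or https://")
        elif el.tag == "ServerCertSN" and (not text or " " in text):
            findings.append("ServerCertSN: must be the certificate CN or SAN, "
                            "for example *.airwlab.com")
    if seen.get("PreferInternalDNS") == "true" and seen.get("PreferExternalDNS") == "true":
        findings.append("PreferInternalDNS and PreferExternalDNS are both set; "
                        "PreferInternalDNS takes precedence")
    return findings


def effective_settings(xml_text: str) -> Dict[str, bool]:
    """Boolean settings after applying the table's defaults to the XML."""
    settings = dict(DEFAULTS)
    for el in _parse(xml_text):
        text = (el.text or "").strip()
        if el.tag in BOOL_TAGS and text in ("true", "false"):
            settings[el.tag] = text == "true"
    return settings


if __name__ == "__main__":
    print("page sample:", check_custom_configuration(PAGE_EXAMPLE) or "OK")
    print("settings:", effective_settings(PAGE_EXAMPLE))
    for finding in check_custom_configuration(BAD_EXAMPLE):
        print("bad sample:", finding)
```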

Testing Per-App Tunnel on Windows

Now that the enrolled device has received the settings configured in the Workspace ONE UEM Console, you are ready to begin testing the Per-App VPN functionality. The Workspace ONE Tunnel Desktop Application should be installed on your device.

In this exercise, you learn how to:

  1. Launch an internal website with an authorized application.
  2. Launch an internal website with an unauthorized application.
  3. Launch a defined application and demonstrate blocked domains.
  4. Launch an RDP session and connect to the machine on the internal network.
  5. Connect to an SMB share to access file shares inside the corporate network.

Launch Internal Website with an Authorized Application

  1. Launch Chrome as a browser. Chrome was the application specified to tunnel traffic.
  2. The Workspace ONE Tunnel Desktop Application is connected and an internal web page is displayed.
  3. The address used – atl-intranet-corp.airwlab.com – is specified in the Device Traffic Rules in the previous exercise.

This web page is accessible only to applications (in this use case, Chrome) defined in the policy.

Launch Internal Website with an Unauthorized Application

Next, open another web browser, such as Microsoft Edge, and navigate to an internal web page. For example, atl-intranet-corp.airwlab.com.

  1. Launch Chrome - this is the authorized application.
  2. Launch another browser - for example, Microsoft Edge.
  3. The Workspace ONE Tunnel Desktop Application is connected and an internal web page is displayed.
  4. The address atl-intranet-corp.airwlab.com can be resolved in Chrome, but not in Microsoft Edge.

Launch a Defined Application to Demonstrate Blocked Domains

  1. In the Application access rules, certain websites are blocked. These were listed in the Device Traffic Rules.
    1. Websites blocked are cnn.com, facebook.com, and match.com.
  2. Open Chrome and navigate to one of these websites. This example uses facebook.com.
    1. When trying to resolve the DNS name, the browser displays an error as this website is blocked.
  3. Launch another browser, in this case, Microsoft Edge. Facebook.com is accessible, as the policy is configured for Chrome only.

Test RDP Connections

Sometimes, you may need to RDP into desktop sessions that are located back in the office.

  1. In the Application access rules, confirm the domain configuration for Remote Desktop Client access.
    Note: The RDP application is not from the Windows Store.
  2. Launch the RDP application and enter the machine name. In this example, you connect to the machine atl-intranet-corp on the domain airwlab.com.
  3. Workspace ONE Tunnel Desktop Application resolves this address, and you should be prompted for authentication.

Workspace ONE Tunnel Desktop Application allows remote Windows users to connect to file shares located behind the corporate firewall. These can be team shares, individual shares, or a specific machine's C drive, for example.

This example uses the host atl-intranet-corp and connects to its C: drive.

  1. In the search bar, enter Run and press the return key.
  2. Enter the address of the file share you would like to connect to. For example, \\atl-intranet-corp.airwlab.com\c$.
  3. In the Application access rules, confirm the domain configuration for System resource access.
  4. Launch the SMB share. Tunnel resolves this address, and you should be prompted for authentication to the SMB share.

Troubleshooting Workspace ONE Tunnel on Windows

If a Per-App Tunnel problem occurs on Windows Desktop, you can check a number of places to troubleshoot. This section of the operational tutorial covers where to troubleshoot on Windows Desktop at a high level. Depending on the problem, there may be steps that should be performed on the Unified Access Gateway. However, troubleshooting the Unified Access Gateway is outside the scope of this tutorial. Workspace ONE UEM administrators should contact our support for assistance when troubleshooting Per-App Tunnel, Workspace ONE Tunnel, or the Unified Access Gateway.

This section is divided into two and covers the following high-level set of initial troubleshooting steps.

  1. Workspace ONE Tunnel Desktop Application Installation Troubleshooting.
    1. Checking Workspace ONE UEM console for application install status.
    2. Locating Workspace ONE Tunnel desktop application installer logs.
    3. Checking device registry for Workspace ONE Tunnel desktop application install status.
    4. Checking Workspace ONE UEM console for Policy install status.
    5. Checking device registry for Per-App VPN Profile.
  2. Workspace ONE Tunnel Desktop Application Connectivity Troubleshooting.
    1. Confirming the Workspace ONE Tunnel status when Tunnel is connected.
    2. Confirming the Workspace ONE Tunnel status when Profile is not installed.
    3. Confirming Application Access and Tunnel Service.
    4. Checking the Workspace ONE Tunnel certificate.
    5. Enabling Workspace ONE Tunnel debug logging.
    6. Locating Workspace ONE Tunnel logs.
    7. Confirming Workspace ONE Tunnel DNS Resolution.

Troubleshoot Workspace ONE Tunnel Installation

In this section, check issues that may arise from the Workspace ONE Tunnel desktop client application installation.

  1. Check Workspace ONE UEM console for application install status.

    1. Navigate to the Details view of the device.
    2. Select the Apps tab.
    3. Confirm that the App Status for the Tunnel Installer is Installed.
    4. Confirm that the App Status for Workspace ONE Tunnel shows the correct version. In this example, Workspace ONE Tunnel 1.2.0.18 is installed.
  2. Locate Workspace ONE Tunnel desktop application installer logs.

    By default, the Workspace ONE Tunnel Desktop Application Installer logs are found in %TEMP%.

    Two logs should exist:

    1. Workspace_ONE_Tunnel_<date>.log
      1. This is the Bootstrapper log, which usually does not yield very important errors unless a dependency program fails to install, for example, .NET.
    2. Workspace_ONE_Tunnel_<date>_000_VMwareTunnelClientInstaller.log
      1. This is the Tunnel Installer log, which shows any failures during the Workspace ONE Tunnel desktop application installation.
  3. Check device registry for Workspace ONE Tunnel install status.

    Check the location of the registry installation settings for the Workspace ONE Tunnel desktop application. These values should match the values in the Workspace ONE UEM console.

    On the computer that should have the Workspace ONE Tunnel desktop application installed, open the Windows Registry or run regedit.msc.

    1. Navigate to Computer > HKEY_LOCAL_MACHINE > SOFTWARE > AirWatchMDM > AppDeploymentAgent > S-1-5-18.
    2. Click the GUID of the application. For example, {3A7FE2DB-8AE4-4DBA-A9D3-042C88F53A50}.
    3. Click the Registry key to show IsInstalled.

Tip: The Application GUID should match the value in the Workspace ONE UEM Console.

  1. Confirm application ID in the Workspace ONE UEM console.

    1. In the Workspace ONE UEM console, navigate to Resources and select the Workspace ONE Tunnel application from List View.
    2. In the App Details View, the Application ID (GUID) should match the registry value in the previous screenshot.

      For more information on troubleshooting Windows applications, see Troubleshooting Windows Devices: Workspace ONE Operational Tutorial.

  2. Check Workspace ONE UEM console for policy install status.

    After you have confirmed that the application is installed, make sure the policy is installed on the device.

    1. In the Workspace ONE UEM console, navigate to the Details View of that device.
    2. Select the Profiles tab.
    3. Confirm that the Status of the Per App VPN Profile is successful.
  3. Check device registry for per-app VPN profile.

    On the computer that should have the Tunnel policy installed, open the Windows Registry or run regedit.msc.

    1. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tunnel.
    2. Click TunnelConfiguration.
    3. This displays the Tunnel Policy applied to that machine.

      Tip: If no policy is shown in the registry, re-push the policy from the Workspace ONE UEM console and perform a Device Query on that device from the Workspace ONE UEM console.

Troubleshoot Workspace ONE Tunnel Client Connectivity

After you have successfully installed the Workspace ONE Tunnel, the next step is to test the Per-App Tunnel connectivity by attempting to access one of the internal resources through the domains defined on the Device Traffic Rules.

  1. Confirm the Workspace ONE Tunnel status when Tunnel is connected.
    1. When the Tunnel Client has reached a successful connection, the Tunnel Client UI displays Connected.
  2. Confirm Workspace ONE Tunnel status when profile is not installed.

    1. If the Workspace ONE Tunnel Client has installed, but the configuration settings have not, the Tunnel client status is Not Configured.

      Tip: To resolve, ensure the Per-App VPN profile is assigned to the device, and ensure it is successfully installed.

  3. Confirm application access and Tunnel service.
  • Problem: The Workspace ONE Tunnel Client status is Disconnected.
  • Solution: Confirm that the Application is defined in Application Access and that the application is running.
  • Problem: The Workspace ONE Tunnel Client status is Disconnected.
  • Solution: Confirm that the Workspace ONE Tunnel Service is running in Windows Services. If the service is not started, start the service.

To check the Tunnel service:

  1. On the Windows machine, open Services and locate the VMware Workspace ONE Tunnel Service.
  2. Ensure that the Startup type is set to Automatic.
  3. Ensure that the Service is running.
  1. Check the Workspace ONE Tunnel desktop application certificate.
    • Authentication for the Tunnel Client can be configured to use Enterprise Certificates or internally-signed certificates. If no certificate is present, the Tunnel UI status displays Not Configured - Authentication Certificates are not present.
    • If there is no certificate present, you may want to push the policy again to the device. By re-pushing the policy, the Tunnel certificate should be installed.

To check the certificates:

  1. On the Windows machine, search for MMC and open the Certificates snap-in.
  2. Navigate to Local Computer > Personal > Certificates.
  3. Confirm that the certificate for certificate authentication to the Tunnel service is listed.
  4. Retrieve the device UDID from the Workspace ONE UEM console.
  5. Navigate to Devices > List View > Summary and confirm that the device UDID matches the Certificate request as shown in the previous screenshot.
  1. Enable Workspace ONE Tunnel debug logging.

    1. On the Windows machine, navigate to the system tray. You should see the Tunnel icon.
    2. Right-click the Tunnel client.
    3. Select Enable debug logging.
    4. Debug logging levels are from 0-4 - Enabling debug logging will set the log level to 4.

You can also check the Workspace ONE Tunnel log level in the device registry.

  1. On the computer that should have the Tunnel installed, open the Windows Registry or run regedit.msc.
  2. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tunnel.
  3. Under the LogLevel entry, you should see a value from 0-4. In this example, the value is 0.
  4. You cannot change the value in the registry. You must follow the steps to Enable Workspace ONE Tunnel Debug Logging.
  1. Locate Workspace ONE Tunnel logs.
    1. By default, the Workspace ONE Tunnel Client Installer logs are located in C:\ProgramData\VMware\VMware Tunnel.

Two logs should exist:

  1. win_tunnel – This log file shows connectivity issues with the Workspace ONE Tunnel desktop application.
  2. win_tunnelui – This log file shows User Interface changes within the Workspace ONE Tunnel desktop application.
  1. Confirm Workspace ONE Tunnel desktop application DNS resolution.

    After you have confirmed Tunnel connectivity, check the DNS resolution.

Sometimes, the Workspace ONE Tunnel Client may be in good working order: the profile is installed, the application is installed, the service is running, and the status is Connected. However, DNS resolution is still failing. In this case, general networking troubleshooting can assist greatly.

You can check the Name Resolution Policy Table (NRPT).

On the Windows machine, open PowerShell and enter Get-DnsClientNrptRule. This command retrieves the Name Resolution Policy Table (NRPT) for the device. For more information, see Microsoft PowerShell Docs - Get-DnsClientNrptRule.

Deploying Workspace ONE Tunnel for Android

Per-App Tunneling helps users to access critical information using applications on their devices from their devices. Mobile flows help users perform business-critical tasks from a single app — streamlining the user experience.

Leveraging Per-App Tunnel allows you to control which applications are on a device and what internal resources the applications have access to by automatically activating or deactivating Per-App VPN access, based on which applications are active. By enabling remote access, you no longer need to provide a device-wide VPN on your devices, which can allow unintended or unauthorized apps or processes to access your VPN. In this tutorial, you configure and deploy Workspace ONE Tunnel to enable the Per-App Tunnel component on managed devices.

These exercises involve the following components:

  • Workspace ONE Tunnel – The app used on the device to securely connect to the Unified Access Gateway to provide Per-App Tunnel functionality, also referred to as Tunnel Client.
  • Unified Access Gateway – The virtual appliance where the Tunnel edge service is installed, and to which the tunnel client connects.
  • Per-App Tunnel – Component of Tunnel edge service for connecting to a secure tunnel channel on a per-application basis, which is controlled and configured by the VPN profile payload and Device Traffic Rules.
  • Per-App VPN Profile and Device Traffic Rules – The Workspace ONE UEM configuration pushed to the device that contains the Per-App Tunnel configurations. Every time a specified application is opened, the Workspace ONE Tunnel client evaluates the Device Traffic Rules assigned to it before making any routing decisions and establishes a Per-App tunnel connection with the Unified Access Gateway based on the Per-App VPN Profile configuration.

High-Level Architecture

The device contains the applications required by the end-user to perform their daily job. Some applications require access to internal resources to function. Those applications, based on Per-App VPN configuration, use Workspace ONE Tunnel which communicates with the Tunnel Service on Unified Access Gateway hosted on the DMZ, to validate if the device requesting access is in compliance or not before authorizing access through the internal resource.

Prerequisites

Before you can perform the steps in this exercise, you must have the following components installed and configured:

  • Workspace ONE UEM version 2203 or later
  • Android 10.0 or later devices enrolled in Workspace ONE UEM
  • The latest version of Workspace ONE Tunnel app from the Google Play Store
    • Deploy Workspace ONE Tunnel using Android Enterprise

Configuring Device Traffic Rules for Android

In this exercise, you configure device traffic rules for Android.

Note: Domain values used in this section are examples only. Your values will differ.

In the Workspace ONE UEM console:

  1. Navigate to Groups & Settings > Configurations.
  2. Select Tunnel.


  3. From the Device Traffic Rules tile, click Edit.
  4. Click Add or the Default assignment to manage the device traffic rules.

    Administrators can create multiple Device Traffic Rules assignments. Each assignment is selected in a Per-App VPN profile and is deployed to devices through the smart group assigned to that profile. The first assignment created is set as the default.

  5. Observe the default device traffic rule.


    1. Update the Assignment Name with a name of your choice.
    2. Observe (or modify) the Default Action, which applies to traffic from every Android application selected to use Per-App VPN when no rule matches the destination:
      1. Tunnel – All apps on the device configured for Per-App Tunnel send their network traffic through the tunnel. For example, set the Default Action to Tunnel to ensure that all configured apps without a matching traffic rule use Workspace ONE Tunnel for internal communications.
      2. Block – All apps on the device configured for Per-App Tunnel are prevented from sending network traffic. For example, set the Default Action to Block to ensure that all configured apps without a matching traffic rule cannot send any network traffic, regardless of destination.
      3. Bypass – All apps on the device configured for Per-App Tunnel bypass the tunnel and connect to their destination directly. For example, set the Default Action to Bypass to ensure that all configured apps without a matching traffic rule reach their destination without using Workspace ONE Tunnel.
    3. Click ADD RULE.
  6. Build the device traffic rule.


    1. Click ADD RULE.
    2. Click the down arrow to display the Application list.
    3. Select one or more triggering applications to control with this rule. Alternatively, select All Applications in the drop-down to apply the rule to every Android application listed there, that is, to the applications you assigned the Per-App VPN profile.
    4. Enter one or more comma-separated fully qualified domain names as the destinations to which Workspace ONE Tunnel should apply the rule. A single asterisk (*) can be used as a wildcard for subdomains.
    5. Select the appropriate Action for Workspace ONE Tunnel to perform on traffic from the selected apps to those destinations:
      1. Tunnel – Sends the app's network traffic for the specified domains through the tunnel to your internal network.
      2. Block – Blocks all traffic sent to the specified domains.
      3. Bypass – Bypasses Workspace ONE Tunnel so the application accesses the specified domains directly.
      4. Proxy – Redirects traffic for the listed domains to the specified HTTPS proxy. The proxy must use HTTPS and must follow the format https://example.com:port.
    6. If necessary, adjust the rule's rank in the list. Rules are evaluated in rank order, and a lower rank number means higher priority.
    7. Click Save.

The example shown blocks access to Facebook, Tinder, and uTorrent domains for every application on the Android device that is assigned the Per-App VPN profile.

For more information on the formats (wildcards, IP, ports) allowed in the Destination field, see the Device Traffic Rules Destination formats supported chapter.
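The following script is an added example for this tutorial, not Omnissa's client code: it models how a Device Traffic Rules assignment is evaluated for one app and one destination, using only what the rule builder above exposes (rank order with a lower number winning, an Application list or All Applications, comma-separated FQDN destinations, the four actions, the https://host:port proxy format, and the Default Action for unmatched traffic). The app names, destination domains and proxy host in the sample rule set are constructed; the wildcard semantics (a single leading "*." matching hosts below the suffix, on a label boundary) are an assumption to check against the Destination formats chapter before relying on them.

```python
"""Model of Device Traffic Rules evaluation (added example, not Omnissa code)."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple
from urllib.parse import urlsplit

ACTIONS = ("Tunnel", "Block", "Bypass", "Proxy")
ALL_APPS = "All Applications"   # the console's catch-all entry in the Application list


def parse_destinations(text: str) -> Tuple[str, ...]:
    """Split the comma-separated Destination field and validate each entry.
    Assumption: a single leading '*.' is the only wildcard form, so '*.corp.example'
    matches hosts below corp.example but not corp.example itself."""
    dests = []
    for raw in text.split(","):
        d = raw.strip().lower().rstrip(".")
        if not d:
            continue
        if "*" in d and not (d.startswith("*.") and "*" not in d[2:]):
            raise ValueError(f"only a single leading '*.' wildcard is supported: {raw!r}")
        dests.append(d)
    return tuple(dests)


def proxy_is_valid(url: str) -> bool:
    """The Proxy action requires https://host:port, as stated in the rule builder."""
    try:
        p = urlsplit(url)
        port = p.port
    except ValueError:          # non-numeric or out-of-range port
        return False
    return (p.scheme == "https" and bool(p.hostname) and port is not None
            and p.path in ("", "/") and not p.query)


def host_matches(pattern: str, host: str) -> bool:
    """Exact match, or wildcard suffix match on a label boundary:
    '*.facebook.com' matches 'm.facebook.com' but not 'notfacebook.com'."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


@dataclass(order=True)
class TrafficRule:
    rank: int                                     # 1 = highest priority
    apps: FrozenSet[str] = field(compare=False)   # names from the Application list
    destinations: Tuple[str, ...] = field(compare=False)
    action: str = field(compare=False)
    proxy: Optional[str] = field(default=None, compare=False)

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        if self.action == "Proxy" and not (self.proxy and proxy_is_valid(self.proxy)):
            raise ValueError(f"Proxy action needs https://host:port, got {self.proxy!r}")

    def applies_to(self, app: str) -> bool:
        return ALL_APPS in self.apps or app in self.apps


@dataclass
class RuleSet:
    """One Device Traffic Rules assignment: a Default Action plus ranked rules."""
    default_action: str
    rules: List[TrafficRule]

    def decide(self, app: str, host: str) -> Tuple[str, Optional[str]]:
        """Return (action, proxy_url) for traffic from `app` to `host`. Only apps
        assigned the Per-App VPN profile are evaluated at all; for them the matching
        rule with the lowest rank number wins, otherwise the Default Action applies."""
        for rule in sorted(self.rules):
            if rule.applies_to(app) and any(host_matches(p, host) for p in rule.destinations):
                return rule.action, rule.proxy
        return self.default_action, None


def build_sample_rules() -> RuleSet:
    """Constructed sample: the tutorial's block list for all apps, plus rules that
    show ranking, per-app scoping, Bypass and Proxy. Domains and proxy are hypothetical."""
    return RuleSet(
        default_action="Tunnel",
        rules=[   # deliberately listed out of rank order; decide() sorts by rank
            TrafficRule(4, frozenset({ALL_APPS}), parse_destinations("*.cdn.example"), "Bypass"),
            TrafficRule(1, frozenset({ALL_APPS}), parse_destinations(
                "facebook.com, *.facebook.com, tinder.com, *.tinder.com, utorrent.com, *.utorrent.com"),
                "Block"),
            TrafficRule(3, frozenset({"Workspace ONE Web"}),
                        parse_destinations("*.social.example, *.partner.example"),
                        "Proxy", proxy="https://proxy.corp.example:8443"),
            TrafficRule(2, frozenset({ALL_APPS}), parse_destinations("*.social.example"), "Block"),
        ],
    )


if __name__ == "__main__":
    rules = build_sample_rules()
    for app, host in [("Workspace ONE Web", "m.facebook.com"), ("Workspace ONE Web", "notfacebook.com"),
                      ("Workspace ONE Web", "feed.social.example"), ("Workspace ONE Web", "api.partner.example"),
                      ("Mail", "api.partner.example"), ("Mail", "atl-intranet-corp.airwlab.com")]:
        print(f"{app:18} -> {host:30} {rules.decide(app, host)}")
```

Two points the model makes visible: the rank-2 Block for *.social.example beats the rank-3 Proxy rule for the same domain, so the order you set in step 6 decides the outcome of overlapping rules; and "Mail" (a hypothetical second app assigned the profile) is not in the rank-3 Application list, so its traffic to api.partner.example falls through to the Default Action.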

Distributing Workspace ONE Tunnel for Android

In this exercise, you deploy an application configured to use the Per-App VPN tunnel on Android.

  1. In the Workspace ONE UEM console, navigate to Resources > Apps > Native, select the Public tab, and click Add Application.


  2. Search for Workspace ONE Tunnel.


    1. Select Android for the Platform.
    2. Enter an application Name. For example, Workspace ONE Tunnel.
    3. Click Next.
  3. Select Tunnel – Workspace ONE Tunnel.
  4. Click Approve for the Workspace ONE Tunnel app and for any following requests.
  5. Click Save and Assign.
  6. Click Add Assignment.
  7. Configure Assignment settings.


    1. Click the Selected Assignment Groups field to display the list of created assignment groups. Enter All Devices, and select the All Devices group (its name is suffixed with your organization group).
    2. Select Auto for the App Delivery Method.
  8. Configure Policies.


    1. Scroll down to find the Policies section.
    2. Select Enabled for Managed Access.
    3. Click Add.
  9. Confirm that your assignment is displayed and click Save and Publish.


  10. Preview your assigned devices and click Publish.

Android Considerations

Note the following for Workspace ONE Tunnel on Android:

  • After installing Workspace ONE Tunnel for Android, end users must run the application at least once and accept the connection request.
  • The key icon in the notification center displays on the device because there is an application installed that uses the Per-App Tunnel functionality. This icon does not indicate an active connection or session with the Tunnel Service. The key icon displays even if you are not actively browsing.
  • Certain Android devices allow end users to disable the VPN on an OS level. This prevents the Tunnel from working on the device.

Creating Per-App VPN Profile for Android

Per-App VPN profile allows you to force selected applications to connect through your corporate VPN. Your VPN provider must support this feature, and you must publish the applications as managed applications.

In this exercise, you create the Android profile which configures the Workspace ONE Tunnel client on the device to allow only designated applications to access content on internal servers.

Log in to the Workspace ONE UEM console to perform the next steps.

  1. Click Add and click Profile.
  2. Select Android.
  3. Configure the General settings.

    1. Select the General tab.
    2. Enter a Name, for example, Per App VPN.
    3. In Assigned Smart Group, enter the name of the assignment group that contains your devices and select it. For example, select All MDM Enrolled Devices (ACME Corp).
  4. Add and configure VPN payload.


    1. Select VPN from the payload menu and click Configure.
    2. Select Workspace ONE Tunnel from the Connection Type drop-down menu.
    3. Select the Default traffic rule previously created under Device Traffic Rule Sets.
    4. Click Save & Publish.
  5. Click Publish to publish the VPN profile.

Configuring Workspace ONE Web for Per-App Tunnel

Workspace ONE Web is part of the secure productivity app suite from Workspace ONE UEM. Administrators can deploy Workspace ONE Web when data loss and copy/paste restrictions are critical to the business use case.

In this exercise, you distribute and configure Workspace ONE Web for Per-App Tunnel on Android.

  1. Add application.


    1. In the Workspace ONE UEM console, click Resources.
    2. Select Native under Apps.
    3. Select Public and click Add Application.
  2. Search for Workspace ONE Web on Google Play Store.


    1. Select Android for the Platform.
    2. Enter an application Name. For example, Workspace ONE Web.
    3. Click Next.
  3. Select Workspace ONE Web app and approve.


  4. Click Save and Assign.
  5. Click Add Assignment.
  6. Assign Per-App VPN profile to Workspace ONE Web.


    1. Select All Devices on Assignment Groups.
    2. Select Auto for App Delivery Method.
    3. Enable Managed Access.
    4. Enable App Tunneling.
    5. On Android, select the Per-App VPN Profile that you previously created.
    6. Click Add.
  7. Click Save and Publish.

Testing Per-App Tunnel on Android

Now that the enrolled device has received the settings configured in the Workspace ONE UEM Console, you are ready to begin testing the Per-App Tunnel functionality. The applications assigned in the previous exercises should push down during enrollment. The Tunnel and Workspace ONE Web applications should be installed on your device.

In this exercise, launch Workspace ONE Web and access the internal website. Then verify that, although the VPN connection is active, other applications on the device are not able to access the tunnel or internal resources.

  1. Open Workspace ONE Tunnel.


    Press the Home button on your device to return to the home screen and open the app drawer to see the downloaded applications, if needed.

    Tap the Workspace ONE Tunnel icon to launch the application. If prompted, select OK to allow Workspace ONE Tunnel to send your device push notifications.
    After the application has been opened, accept the privacy prompts and tap Continue.

    Note: On Android, the Workspace ONE Tunnel client must be launched once before it can silently route traffic on later occasions.

  2. Tap I Understand to accept the Privacy Prompt.
  3. Tap I agree to accept the Data Sharing Prompt.
  4. Confirm Tunnel connectivity.
    After the Tunnel Client has been opened, you can see three areas.


    1. Device VPN Configuration
      1. The Profile or Policy that is delivered from Workspace ONE UEM. It shows a list of apps that will use the VPN Tunnel.
    2. Internet
      1. Displays whether the device has internet connectivity or not.
    3. Enterprise Server
      1. Displays whether the device has connectivity to the Tunnel edge service.
  5. Launch Workspace ONE Web.


    Press the Home button on your device to return to the home screen and open the app drawer to see the downloaded applications, if needed.

    Tap the Workspace ONE Web icon to launch the application. If prompted, tap OK to allow Workspace ONE Web to send your device push notifications.

  6. Access the internal website with Workspace ONE Web.

    1. After the application launches, enter the URL of your intranet website, such as https://atl-intranet-corp.airwlab.com.
    2. Confirm that the VPN icon appears, indicating that the tunnel connection is active. The application now connects to Workspace ONE UEM and retrieves the settings for your Organization Group.
    3. The website should load. In this example, it displays a Welcome message.
    4. Select and copy the internal URL. In the next step, you enter this URL into another browser.
  7. Paste the URL into another browser.

    1. Open another browser, such as Chrome.
    2. Copy and paste the URL from the previous step.
    3. Confirm that the site does not load: only the applications assigned the Per-App VPN profile can reach internal resources, even while the tunnel is active.

Note: This example used a Work Managed device. Android Enterprise separates personal and corporate data through the work profile; Per-App Tunnel goes a step further by isolating tunnel access to only the applications that need it, rather than every corporate app. This example shows Chrome inside the work profile attempting to access internal resources.

Troubleshooting Workspace ONE Tunnel on Android

If a Per-App Tunnel problem occurs on Android, you can check a number of places to troubleshoot. This section of the operational tutorial covers, at a high level, where to troubleshoot the Workspace ONE Tunnel client for Android.

Depending on the problem, there may be steps that should be performed on the Unified Access Gateway. However, troubleshooting the Unified Access Gateway is outside the scope of this tutorial.

Workspace ONE UEM administrators should contact Omnissa support for assistance when troubleshooting Per-App VPN, Workspace ONE Tunnel, or the Unified Access Gateway.

This section is divided into three parts and guides you through high-level steps to troubleshoot the Workspace ONE Tunnel installation and connectivity.

  1. Troubleshooting Device Connectivity
    1. This section displays where to search for Tunnel Client connectivity issues.
  2. Collecting logs automatically
    1. This step is useful for recreating issues and retrieving the Workspace ONE Tunnel Client log file.
  3. Advanced: Collecting logs manually on an Android Device
    1. This step is for advanced cases where you need to see how the device's VPN stack is behaving. Use it only on test devices; leaving Developer Options turned on is not recommended.

Troubleshoot Device Connectivity

  1. Open the Tunnel application and tap the Diagnostics menu option.

  2. Any connectivity issues with the Tunnel server or a proxy server are shown in the UI.

  3. Tap the email option in the upper-right corner to send these logs to your administrator.

Collect Logs Automatically

  1. Open the Tunnel application and tap the Diagnostics menu option.
  2. Activate the Enable debug logs toggle.

  3. After the issue is reproduced, go to your internal storage and open the AirWatchLogs folder.
  4. This folder contains a set of log files that, if required, can be shared with the Workspace ONE support teams.

Advanced: Collect Logs Manually on Android

  1. To collect logs manually, you must enable Developer Options on the mobile device.
    1. Navigate to Settings > About on the device and tap the build number seven times to enable Developer Options.
  2. Enable USB debugging in Settings > Developer Options.
  3. Connect the device via a USB cable to a laptop and install the device drivers.
    1. Check whether the laptop detects the device by running adb devices in the command prompt. The device should be listed with its serial number and the state device; a state of unauthorized means the USB-debugging authorization prompt on the phone has not been accepted yet.
    2. adb is part of the Android SDK Platform-Tools, which you can download from http://developer.android.com.
  4. After the device is detected (keep the device connected), run adb logcat -v threadtime > TunnelLogs.log. Logs are written continuously to the file.
  5. After the issue is reproduced, stop logging either by disconnecting the device or by pressing Ctrl + C.
  6. If required, share TunnelLogs.log with the Workspace ONE support teams.
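The following script is an added example for this tutorial, not Omnissa tooling: it automates the manual capture steps above (check adb devices for a device in the usable state, pin the capture to that serial, stream adb logcat -v threadtime to TunnelLogs.log until Ctrl+C) and then triages the file by parsing the threadtime format and pulling out warnings and errors from Tunnel-related tags. The adb devices output and logcat lines embedded for testing are constructed; the assumption that the Tunnel client logs under tags containing the word "Tunnel" is a guess to confirm against the real tag names on your device.

```python
"""Capture and triage Workspace ONE Tunnel logcat output over adb (added example)."""
import re
import subprocess
import sys
from typing import Dict, List, Optional, Tuple

# threadtime line: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
THREADTIME = re.compile(
    r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+(.+?)\s*:\s?(.*)$"
)
LEVELS = "VDIWEF"   # logcat priorities, lowest to highest

# Constructed sample output, not captured from a real device.
SAMPLE_ADB_DEVICES = (
    "List of devices attached\n"
    "R58M1234ABC\tunauthorized\n"        # USB-debugging prompt not yet accepted on the phone
    "0123456789ABCDEF\tdevice\n\n"
)
SAMPLE_LOGCAT = """--------- beginning of main
08-19 10:15:01.123  4321  4350 I TunnelService: VPN service started
08-19 10:15:01.456  4321  4350 D TunnelService: applying 4 device traffic rules
08-19 10:15:02.001  1024  1030 W ActivityManager: Slow operation: 120ms
08-19 10:15:03.777  4321  4362 E TunnelClient: TLS handshake to uag.corp.example:443 failed: timeout
"""


def parse_adb_devices(output: str) -> List[Tuple[str, str]]:
    """Turn `adb devices` output into (serial, state) pairs. States seen in practice:
    device, unauthorized, offline, and 'no permissions ...' (udev rules on Linux)."""
    devices = []
    for line in output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not line.startswith("List of devices"):
            devices.append((parts[0], parts[1]))
    return devices


def pick_ready_device(devices: List[Tuple[str, str]], serial: Optional[str] = None) -> Optional[str]:
    """Serial to capture from, or None if none is in the 'device' state. With several
    ready devices the caller must name one; guessing would capture the wrong phone."""
    ready = [s for s, state in devices if state == "device"]
    if serial is not None:
        return serial if serial in ready else None
    return ready[0] if len(ready) == 1 else None


def logcat_command(serial: str) -> List[str]:
    """adb argv for the capture step; -s pins the serial so a second device or emulator
    attached to the laptop does not receive the command instead."""
    return ["adb", "-s", serial, "logcat", "-v", "threadtime"]


def parse_threadtime(raw: str) -> List[Dict[str, str]]:
    """Parse -v threadtime lines; separators such as '--------- beginning of main' are skipped."""
    entries = []
    for line in raw.splitlines():
        m = THREADTIME.match(line)
        if m:
            ts, pid, tid, level, tag, msg = m.groups()
            entries.append({"ts": ts, "pid": pid, "tid": tid, "level": level, "tag": tag, "msg": msg})
    return entries


def filter_by_tag(entries: List[Dict[str, str]], needle: str = "Tunnel", min_level: str = "V") -> List[Dict[str, str]]:
    """Keep entries whose tag contains `needle` (case-insensitive) at `min_level` or above.
    Assumption: the Tunnel client's tags contain 'Tunnel'; verify on a real capture."""
    floor = LEVELS.index(min_level)
    return [e for e in entries
            if needle.lower() in e["tag"].lower() and LEVELS.index(e["level"]) >= floor]


def main(argv: List[str]) -> int:
    listing = subprocess.run(["adb", "devices"], capture_output=True, text=True, check=True).stdout
    devices = parse_adb_devices(listing)
    serial = pick_ready_device(devices, argv[1] if len(argv) > 1 else None)
    if serial is None:
        states = ", ".join(f"{s}={st}" for s, st in devices) or "none"
        print(f"no usable device (pass a serial if several are ready); states: {states}", file=sys.stderr)
        return 1
    print(f"capturing from {serial}; reproduce the issue, then press Ctrl+C", file=sys.stderr)
    with open("TunnelLogs.log", "w", encoding="utf-8") as out:
        proc = subprocess.Popen(logcat_command(serial), stdout=out, stderr=subprocess.STDOUT)
        try:
            proc.wait()
        except KeyboardInterrupt:
            proc.terminate()
    with open("TunnelLogs.log", encoding="utf-8") as f:
        entries = parse_threadtime(f.read())
    problems = filter_by_tag(entries, "Tunnel", "W")
    print(f"{len(entries)} log lines captured, {len(problems)} Tunnel warnings/errors", file=sys.stderr)
    for e in problems[-20:]:
        print(f'{e["ts"]} {e["level"]} {e["tag"]}: {e["msg"]}')
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments when one phone is attached, or with the serial from adb devices when several are. The full TunnelLogs.log is what support asks for; the filtered summary only tells you where to start reading.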

Summary and Additional Resources

This operational tutorial provided steps to leverage native Per-App Tunnel capabilities across mobile platforms, Android and iOS, and desktop platforms, macOS and Windows.

By publishing Per-App VPN profiles to your devices, you can ensure that only authorized apps are accessing authorized applications through the Tunnel. This eliminates the user requirement to manually start and end a network connection like traditional VPN solutions based on the apps they are accessing.

It also provides an extra layer of security for your corporate resources by ensuring that non-authorized apps are unable to connect to your VPN, creating the beginnings of a Zero Trust model for application access.

Additional Resources

For more information about Workspace ONE, explore the Workspace ONE UEM product page on Tech Zone. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the Workspace ONE and Horizon Reference Architecture, which provides a framework and guidance for architecting an integrated digital workspace using Workspace ONE and Horizon.

Changelog

The following updates were made to this guide:

Date – Description of changes
2024-05-29
  • Updated links and references to latest documentation.
2024-04-04
  • Updated platform support for Full Device mode on Managed Devices.
2023-09-07
  • Updated requirements for Workspace ONE UEM.
  • Referenced new documentation links.
2023-03-28
  • Updated supported platform matrix for Workspace ONE Tunnel.
  • Updated list of Custom XML Configuration for Windows Desktop.
  • Updated requirements for Windows deployment.
  • Added Windows 11 support.
2022-12-05
  • Updated the Trusted Network Detection chapter: added DNS resolution details when Trusted Network Detection is enabled.
  • Updated platform support and features availability matrix.
  • Added details on the new Device Traffic Rules sync process for Android.
2021-07-09
  • Updated the Device Traffic Rules chapter adding a detailed explanation of default action rule per platform.
  • Added supported custom configuration parameters for Windows 10.
  • Added details for Trusted Network Detection based on probe URL.
2021-06-30
  • Updated Device Traffic Rules with an explanation about the new Full Device Tunnel Mode.
  • Added Device Traffic Rules Guidelines for use of the asterisk, IP, and port range.
  • Added steps to deploy Workspace ONE Tunnel for iOS as Public App (App Store) using Workspace ONE UEM.
2020-11-13
  • Added Trusted Network Detection chapter.
  • Updated Device Traffic Rules topic, adding support to manage traffic assignments based on multiple Device Traffic Rules sets.
  • Updated profile configuration for all platforms to support device traffic rule configuration via profile.
2020-03-26
  • Added Windows, Android, and macOS Platforms.
  • Edited iOS Platform.

About the Author and Contributors

This tutorial was written by:

  • Andreano Lanusse, End-User-Computing Staff Architect, Technical Marketing, EUC Division, Broadcom.

Feedback

Your feedback is valuable.

To comment on this paper, either use the feedback button or contact us at [email protected].
