Mobile SSO for Android is an implementation of the certificate authentication method for AirWatch-managed Android devices.

The VMware Tunnel mobile application is installed on the Android device, and the VMware Tunnel client is configured to access the VMware Identity Manager service for authentication. The Tunnel client uses the client certificate to establish a mutually authenticated SSL session, and the VMware Identity Manager service retrieves the client certificate from that session for authentication.

Note: Mobile SSO authentication for Android is supported for devices running Android 4.4 and later.

Mobile Single Sign-on Without VPN Access

Mobile single sign-on authentication for Android devices can be configured to bypass the Tunnel server when VPN access is not required. Implementing Mobile SSO for Android authentication without a VPN uses the same configuration pages that are used to configure the VMware Tunnel. Because you are not installing the Tunnel server, you do not enter the VMware Tunnel server host name and port. You still set up a profile using the VMware Tunnel profile form, but traffic is not directed to the Tunnel server. The Tunnel client is used only for single sign-on.

In the AirWatch admin console, you configure the following settings.

  • Per App Tunnel component in the VMware Tunnel. This configuration allows Android devices access to internal and managed public apps through the VMware Tunnel mobile app client.

  • Per App Tunnel Profile. This profile is used to enable the per app tunneling capabilities for Android.

  • Network Traffic Rules. Because the Tunnel server is not configured, you select Bypass on the Network Traffic Rules page so that no traffic is directed towards a Tunnel server.

Mobile Single Sign-on with VPN Access

When the application configured for single sign-on is also used to access intranet resources behind the firewall, configure VPN access and set up the Tunnel server. When single sign-on is configured with VPN, the Tunnel client can optionally route application traffic and login requests through the Tunnel server. Instead of the default configuration that the console uses for the Tunnel client in single sign-on mode, the configuration should point to the Tunnel server.

Implementing Mobile SSO for Android authentication for AirWatch-managed Android devices requires configuring the VMware Tunnel in the AirWatch admin console and installing the VMware Tunnel server before you configure Mobile SSO for Android in the VMware Identity Manager administration console. The VMware Tunnel service provides per app VPN access to AirWatch-managed apps. VMware Tunnel can also proxy traffic from a mobile application to VMware Identity Manager for single sign-on.

In the AirWatch admin console, you configure the following settings.

  • Per App Tunnel component in the VMware Tunnel. This configuration allows Android devices access to internal and managed public applications through the VMware Tunnel mobile app client.

    After the Tunnel settings are configured in the admin console, you download the VMware Tunnel installer and proceed with the installation of the VMware Tunnel server.

  • Android VPN profile. This profile is used to enable the per app tunneling capabilities for Android.

  • Enable VPN for each app that uses the application tunnel functionality from the admin console.

  • Create device traffic rules with a list of all the applications that are configured for per app VPN, the proxy server details, and the VMware Identity Manager URL.

For detailed information about installing and configuring the VMware Tunnel, see the VMware Tunnel Guide on the AirWatch Resources website.