The Per App Tunnel component and VMware Tunnel apps for iOS, Android, Windows Desktop, and macOS allow both internal and public applications to access corporate resources that reside in your secure internal network. They allow this functionality using per app tunneling capabilities. Per app tunneling lets certain applications access internal resources on an app-by-app basis. This restriction means that you can enable some apps to access internal resources while you leave others unable to communicate with your back-end systems.

This alternative solution is different from app tunneling with app wrapping because it supports both TCP and HTTP(S) traffic. It works for both public and internally developed apps. However, for internal apps, the VMware Tunnel app acts as an alternative option only if the sole requirement is tunneling into the internal network. Otherwise, you must use app wrapping to take advantage of features including integrated authentication, geofencing, offline access control, and so on.

After configuring and installing VMware Tunnel with the Per-App Tunnel component, the workflow to enable and use per app tunneling in AirWatch includes:

  1. Creating a VPN profile for your end-user devices. These profiles depend on your device platform.

    If your platform uses user profiles and device profiles, such as Windows Desktop and Android, you must create user profiles.

  2. After creating a VPN profile, push the profiles and the apps to the devices.

    For iOS and Android platforms, you must enable the Use VPN check box on the Deployment tab of the Add Application page to use app tunneling.

Windows Desktop devices use the native Per-App VPN functionality. Add the apps to the VPN profile to enable Per-App Tunnel functionality.


VMware Tunnel does not support Per-App VPN functionality for macOS devices. You can restrict access to domains through the Safari Domains feature of the Network Traffic rules. For more information, see Network Traffic Rules for Per-App Tunnel.

Additional Details

An on-demand feature lets you configure apps to connect automatically using VMware Tunnel when launched. The connection remains active until a time-out period of receiving no traffic, then it is disconnected. When using VMware Tunnel, no IP address is assigned to the device, so you do not need to configure the network or assign a subnet to connected devices.

In addition, iOS apps can use the iOS DNS Service to send DNS queries through the VMware Tunnel server to the DNS server on a corporate network. This service allows applications such as Web browsers to use your corporate DNS server to look up the IP address of your internal Web servers.