VMware Tunnel uses certificates to authenticate communication among the AirWatch Console, VMware Tunnel, and end-user devices. The following workflows show the initial setup process and how certificates are generated and provisioned.

Initial Setup Workflow

  1. VMware Tunnel connects to the AirWatch API and authenticates with an API Key and a Certificate.
    • Traffic requests are SSL encrypted using HTTPS.
    • Setup authorization is restricted to admin accounts whose role has the VMware Tunnel setup permission enabled (see preliminary steps).
  2. AirWatch generates a unique identity certificate pair for both the AirWatch and VMware Tunnel environments.
    • The AirWatch certificate is unique to the group selected in the AirWatch Console.
    • Both certificates are generated from a trusted AirWatch root.
  3. AirWatch sends the unique certificates and trust configuration back to the VMware Tunnel server over HTTPS.

    The VMware Tunnel configuration trusts only messages signed from the AirWatch environment. This trust is unique per group.

    Any additional VMware Tunnel servers set up in the same AirWatch group as part of a highly available (HA) load-balanced configuration are issued the same unique VMware Tunnel certificate. For more information on load-balanced configurations, see High Availability Overview.

Certificate Integration Cycle

  1. AirWatch generates Device Root Certificates that are unique to every instance during the installation process.

    For Proxy: The Device Root Certificate is used to generate client certificates for each of the applications and devices.

    For Per-App Tunnel: The Device Root Certificate is used to generate client certificates for each of the devices.

  2. For Proxy: The certificate an application uses to authenticate with the VMware Tunnel is only provided after the application attempts to authenticate with the AirWatch enrollment credentials for the first time.

    For Per-App Tunnel: The certificate is generated at the time of profile delivery.

  3. VMware Tunnel receives the certificate chain during installation: the VMware Tunnel installer is packaged dynamically and picks up these certificates at download time.

  4. Communication between the VMware Tunnel and device-side applications (including VMware Browser and wrapped applications that use app tunneling) is secured using the identity certificates generated during installation. These identity certificates are child certificates of the Secure Channel Root certificate.
  5. VMware Tunnel makes an outbound call to the AWCM/API server to receive updated details on the device and certificates. The following details are exchanged during this process: DeviceUid, CertThumbprint, applicationBundleId, EnrollmentStatus, complianceStatus.

  6. VMware Tunnel maintains a list of devices and certificates and only authenticates communication if it sees a certificate it recognizes.

    X.509 (version 3) digitally signed client certificates are used for authentication.
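As an added example (not code from the VMware documentation or product), the following Go sketch models step 6 of the cycle: a stand-in Device Root and per-device client certificates are generated locally, and the tunnel accepts a presented certificate only if it chains to that root, its thumbprint is on the recognized list, and the AWCM/API record for it reports the device as enrolled and compliant. AirWatch's real certificate profile, thumbprint format and record field names are not given on the page and are assumed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// DeviceRecord carries the per-device details the page lists for the AWCM/API exchange; Registry is the
// tunnel's list of recognized certificates keyed by CertThumbprint (hex SHA-256 over DER, a constructed format).
type DeviceRecord struct{ DeviceUid, EnrollmentStatus, ComplianceStatus string }
type Registry map[string]DeviceRecord
func Thumbprint(der []byte) string { s := sha256.Sum256(der); return hex.EncodeToString(s[:]) }

// Mint issues a client certificate for cn signed by parent; with parent == nil it makes the self-signed Device Root.
func Mint(cn string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // Device Root: a CA that signs itself and carries no client-auth usage
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent, signer = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Authenticate is step 6: chain to the Device Root, be on the recognized list, and be enrolled and compliant.
func Authenticate(root *x509.Certificate, reg Registry, cert *x509.Certificate) (DeviceRecord, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	opts.Roots.AddCert(root)
	if _, err := cert.Verify(opts); err != nil {
		return DeviceRecord{}, err // not a child of this Device Root, expired, or wrong key usage
	}
	rec, ok := reg[Thumbprint(cert.Raw)]
	if !ok || rec.EnrollmentStatus != "Enrolled" || rec.ComplianceStatus != "Compliant" {
		return DeviceRecord{}, errors.New("certificate not recognized, or device not enrolled/compliant")
	}
	return rec, nil
}
```

A certificate signed by a different root fails the chain check even if its thumbprint has been added to the registry, and a recognized certificate is still refused once the device's compliance status changes.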