Mobile SSO for Android is an implementation of the certificate authentication method for AirWatch-managed Android devices.
The AirWatch Tunnel mobile application is installed on the Android device. The AirWatch Tunnel client is configured to access the VMware Identity Manager service for authentication. The tunnel client uses the client certificate to establish a mutually authenticated SSL session and the VMware Identity Manager service retrieves the client certificate for authentication.
Mobile SSO authentication for Android is supported for Android devices 4.4 and later.
Mobile Single Sign-on without VPN Access
Mobile Single Sign-on authentication for Android devices can be configured to bypass the Tunnel server when VPN access is not required. Implementing Mobile SSO for Android authentication without using a VPN uses the same configuration pages as used for configuring the AirWatch Tunnel. Because you are not installing the Tunnel server, you do not enter the AirWatch Tunnel server host name and port. You still set up a profile using the AirWatch Tunnel profile form, but traffic is not directed to the Tunnel server. The Tunnel client is used only for single sign-on.
In theAirWatch admin console you configure the following settings.
Per App Tunnel component in the AirWatch Tunnel. This configuration allows Android devices access to internal and managed public apps through the AirWatch Tunnel mobile app client.
Per App Tunnel Profile. This profile is used to enable the per app tunneling capabilities for Android.
In the Network Traffic Rules page, because the Tunnel server is not configured, you select Bypass so that no traffic is directed towards a Tunnel server.
Mobile Single Sign-on with VPN Access
When the application configured for single sign-on also is used to access intranet resources behind the firewall, configure VPN access and set up the Tunnel server. When single sign-on is configured with VPN, the Tunnel client can optionally route application traffic and login requests through the Tunnel server. Instead of the default configuration used for the Tunnel client in the console in the single sign-on mode, the configuration should point to the Tunnel server.
Implementing Mobile SSO for Android authentication for AirWatch managed Android devices requires configuring the AirWatch Tunnel in the AirWatch admin console and installing the AirWatch Tunnel server before you configure Mobile SSO for Android in the VMware Identity Manager administration console. The AirWatch Tunnel service provides per app VPN access to AirWatch managed apps. AirWatch Tunnel also provides the ability to proxy traffic from a mobile application to VMware Identity Manager for single sign-on.
In the AirWatch admin console you configure the following settings.
Per App Tunnel component in the AirWatch Tunnel. This configuration allows Android devices access to internal and managed public applications through the AirWatch Tunnel mobile app client.
After the AirWatch Tunnel settings are configured in the admin console, you download the AirWatch Tunnel installer and proceed with the installation of the AirWatch Tunnel server.
Android VPN profile. This profile is used to enable the per app tunneling capabilities for Android.
Enable VPN for each app that uses the application tunnel functionality from the admin console.
Create device traffic rules with a list of all the applications that are configured for per app VPN, the proxy server details, and the VMware Identity Manager URL.
For detailed information about installing and configuring the AirWatch Tunnel, see the VMware AirWatch Tunnel Guide on the AirWatch Resources Web site.