To get started with VMware Secure Access, you must perform certain configurations on the Workspace ONE UEM to work with the tunnel service that will be deployed by Secure Access and provided as a service.

You can enroll existing users and groups of directory services such as Active Directory (AD), Lotus Domino, and Novell e-Directory. If you do not have such an infrastructure or choose not to integrate with it, you must manually create user accounts and perform basic enrollment in Workspace ONE UEM.

Perform the following tasks to complete basic enrollment in Workspace ONE UEM:
Step Task Refer to
1. Create a new tenancy that includes parent and child organization groups. Organization groups are created for each business entity where devices are deployed. Create Organization Groups
2. Create an administrator account and assign the organization group and role for the administrator. Create an Admin Account
3. Create the required basic user accounts. Create Basic User Accounts
4. Configure a Workspace ONE UEM tunnel.
Keep in mind the following points when you configure the tunnel:
  • Make a note of the Hostname that you enter when you configure this tunnel and ensure that you provide the same Hostname when you provision VMware Secure Access.
  • The domain suffix must be "" as the tunnel server is hosted in a VMware SASE POP.
  • Use port number 443 for the tunnel traffic.
Configure Per-App Tunnel
5. Configure device traffic rules. You can define traffic rules for either Full Device or Per-Application.
6. Create a Per-App VPN Profile. Per-App VPN profile allows you to force selected applications to connect through your corporate VPN. Your VPN provider must support this feature, and you must publish the applications as managed applications. The VPN profile that you create is used to configure the Workspace ONE Tunnel client on the device to allow only designated applications to access content on internal servers.
7. Deploy the Workspace ONE UEM tunnel that you created in step 4 on the managed devices.