You can configure certain settings for the mobile SSO flow for Android to provide the best user experience for users on Android devices.

Native Android apps require the VMware Tunnel to be downloaded and installed on users' devices. As a best practice for a Workspace ONE-Okta integration environment, configure the Auto deployment setting for each native Android app so that the app and tunnel are automatically deployed on users' devices after they enroll. Also enable Managed Access for the apps.

You configure these settings in the VMware Workspace ONE UEM console.


  1. In the Workspace ONE UEM console, navigate to the Apps & Books > Applications > Native page.
  2. Click the app name.
  3. Click Assign.
  4. Click Add Assignment to add a new assignment or select the assignment to edit and click Edit.
  5. Configure the assignment according to your needs and include the following selections as a best practice.
    • App Delivery Method: AUTO
    • Managed Access: ENABLED
    • App Tunneling: ENABLED
      Note: When you enable App Tunneling, you also need to select the VPN configuration profile to use for the app.

    For example:

    Assignment dialog box settings

  6. Save the assignment.


After users enroll their devices, the app appears in the catalog. The app icon indicates that the tunnel is included. When users install the app, both the app and the tunnel are installed.