Use App Tunnel to allow an application to communicate through a VPN or reverse proxy to access internal resources, such as SharePoint or intranet sites.

If users access an internal resource through a non-standard port (a port that is not port 80 or 443), explicitly list the port number in the URL you enter in App Tunnel URLs. For example, if the resource URL is data.company.com and it is accessed through port 7777, you must add data.company.com:7777 in the App Tunnel URLs field.

Prerequisites

To use Allow all non-FQDN URLs through App tunnel, applications must use Workspace ONE SDK v19.3+ (both Android and iOS Swift).

Before you can use VMware Tunnel - Proxy or VMware Tunnel menu items, you must install these tunnels. See VMware Tunnel.

If you are switching from VMware Tunnel - Proxy to VMware Tunnel, migrate the App Tunnel URLs entries. See Migrate Proxy App Tunnel URLs to Per-App Tunnel.

Procedure

  1. Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies.
  2. Select Enabled and then select the App Tunnel Mode.
    Setting Description
    VMware Tunnel

    Sets devices to access corporate resources using the Per-App Tunnel component of VMware Tunnel.

    For this option to work, install VMware Tunnel. If this feature is not installed and configured, use the UI links to go to the configuration pages.

    Also, the Per-App Tunnel component of VMware Tunnel uses rules to set policies for tunneling, blocking, or bypassing specific domains. Ensure that you have set up web and other SDK-enabled apps on the Device Traffic Rules page before enabling it here.

    • Select Configure Tunnel Settings to enable the VMware Tunnel if you have not already set this feature.
    • If you have some SDK applications that still use VMware Tunnel - Proxy, enable Tunnel Proxy for Backward Compatibility. This menu item allows those SDK applications that have not migrated to Per-App Tunnel to continue to work using Proxy.

      This setting does not act as a backup. If your Tunnel gateway is not available, applications do not fall back to Proxy.

    VMware Tunnel - Proxy

    Sets devices to access corporate resources using the proxy component of the VMware Tunnel, also called Proxy. Consider migrating to the Per-App Tunnel component for better performance and new features.

    For this option to work, install VMware Tunnel. If this feature is not installed and configured, use the UI links to go to the configuration pages.

    • Select Configure VMware Tunnel - Proxy Settings to enable Proxy if you have not already set this feature.
    • Use Allow all non-FQDN URLs through App tunnel to control traffic to non-FQDN (fully qualified domain name) URLs through the tunnel.
      • YES - All non-FQDN URLs use the tunnel.
      • NO - Only non-FQDN URLs that are explicitly listed in the App Tunnel URLs use the tunnel.
    • To restrict the communication to a set of tunnel domains, enter domains in the App Tunnel URLs text box. All other traffic, not listed in this text box, goes directly to the Internet.

      Use wildcards to allow access to any site with a domain subset. For example, *.<example>.com allows traffic to any site that contains .<example>.com in its domain. Similarly, it allows access to any port on that site with an implementation similar to *.<example>.com.

      If nothing is listed in this text box, all traffic is directed through the app tunnel.

    Standard Proxy
    Sets devices to request resources using a proxy server that allows or denies connections to enterprise systems.
    • To access your internal network, select an App Tunnel Proxy from the menu. Add standard proxies by selecting Configure Standard Proxy Settings.
    • Use Allow all non-FQDN URLs through App tunnel to control traffic to non-FQDN (fully qualified domain name) URLs through the tunnel.
      • YES - All non-FQDN URLs use the tunnel.
      • NO - Only non-FQDN URLs that are explicitly listed in the App Tunnel URLs use the tunnel.
    • To restrict the communication to a set of tunnel domains, enter domains in the App Tunnel URLs text box. All other traffic, not listed in this text box, goes directly to the Internet.

      Use wildcards to allow access to any site with a domain subset. For example, *.<example>.com allows traffic to any site that contains .<example>.com in its domain. Similarly, it allows access to any port on that site with an implementation similar to *.<example>.com.

      If nothing is listed in this text box, all traffic is directed through the app tunnel.

  3. Save your settings.
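
The routing rules in step 2 (empty list, wildcard entries, explicitly listed non-standard ports, and the non-FQDN toggle) can be checked against a planned App Tunnel URLs list before it is saved. The following is an added example, not Workspace ONE SDK code; the suffix-style wildcard match, the rule that an entry without a port covers only ports 80 and 443, and the names `route`, `parse_entry` and `host_matches` are assumptions.

```python
# Added example: a model of the App Tunnel URLs routing rules described above.
# Not Workspace ONE SDK code; matching details are assumptions noted inline.
from urllib.parse import urlsplit

STANDARD_PORTS = {80, 443}  # per the page: any other port must be listed explicitly


def parse_entry(entry):
    """Split an App Tunnel URLs entry into (host_pattern, port or None)."""
    host, sep, port = entry.strip().lower().rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return entry.strip().lower(), None


def host_matches(pattern, host):
    # Assumption: "*.example.com" is treated as a suffix match on ".example.com".
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def route(url, tunnel_urls, allow_all_non_fqdn=False):
    """Return 'tunnel' or 'direct' for a URL under the given settings."""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").lower()
    port = parts.port or (80 if parts.scheme == "http" else 443)
    entries = [parse_entry(e) for e in tunnel_urls if e.strip()]
    if not entries:
        return "tunnel"  # empty list: all traffic goes through the app tunnel
    if "." not in host and allow_all_non_fqdn:
        return "tunnel"  # YES: every non-FQDN URL uses the tunnel
    for pattern, entry_port in entries:
        if not host_matches(pattern, host):
            continue
        # Assumption: an entry without a port covers only ports 80 and 443.
        if entry_port == port or (entry_port is None and port in STANDARD_PORTS):
            return "tunnel"
    return "direct"  # not listed: goes directly to the Internet


if __name__ == "__main__":
    rules = ["*.company.com", "data.company.com:7777", "intranet"]  # constructed
    for u in ["https://wiki.company.com/", "http://data.company.com:7777/x",
              "http://data.company.com:8080/", "http://intranet/", "http://hr/",
              "https://www.example.org/"]:
        print(f"{u:34} -> {route(u, rules)}")
```

A `direct` result for a host you consider internal means the list is missing an entry or a port, and that traffic would leave the device outside the tunnel.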