To use non-native Per-App Tunnel functionality on macOS devices, you must extract the app Bundle ID. Extract the Bundle ID before pushing the VPN profile to macOS devices.

Procedure

  1. On a macOS device, find the file path for the app you want to flag for Per-App Tunnel.
    /Applications/Google\ Chrome.app/
    Note: Extracting the macOS Bundle ID for Per-App Tunnel does not work for native macOS system applications whose Application Bundle ID begins with com.apple.* on macOS 10.14 or later.
  2. Open the terminal.
  3. Run the following command to get the Application Bundle ID.
    codesign -dv --entitlements - /Applications/Google\ Chrome.app/
  4. Review the output.
    Executable=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome
    Identifier=com.google.Chrome
    Format=app bundle with Mach-O thin (x86_64)
    CodeDirectory v=20200 size=273 flags=0x800(restrict) hashes=3+3 location=embedded
    Signature size=8949
    Timestamp=Mar 20, 2018 at 2:23:20 AM
    Info.plist entries=36
    TeamIdentifier=EQHXZ8M8AV
    Sealed Resources version=2 rules=7 files=203
    Internal requirements count=1 size=240
  5. Copy the Application Bundle ID from the output.
    The Bundle ID is the value that follows Identifier= in the output. In the above example, it is com.google.Chrome.
  6. Run the following command to get the Designated Requirement.
    codesign -d -r- /Applications/Google\ Chrome.app/
  7. Review the output.
    Executable=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome
    designated => (identifier "com.google.Chrome" or identifier "com.google.Chrome.beta" or identifier "com.google.Chrome.dev" or identifier "com.google.Chrome.canary") and (certificate leaf = H"85cee8254216185620ddc8851c7a9fc4dfe120ef" or certificate leaf = H"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a")
  8. Copy the Designated Requirement from the output.
    The Designated Requirement is the entire string that follows "designated =>". In the above example, it is (identifier "com.google.Chrome" or identifier "com.google.Chrome.beta" or identifier "com.google.Chrome.dev" or identifier "com.google.Chrome.canary") and (certificate leaf = H"85cee8254216185620ddc8851c7a9fc4dfe120ef" or certificate leaf = H"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a")
  9. To whitelist Chrome, enter the Application Bundle ID and Designated Requirement in the UEM console Tunnel profile.
    For example, from the above sample output, enter the following settings.
    Settings | Description
    Application Bundle ID | com.google.Chrome
    Designated Requirement | (identifier "com.google.Chrome" or identifier "com.google.Chrome.beta" or identifier "com.google.Chrome.dev" or identifier "com.google.Chrome.canary") and (certificate leaf = H"85cee8254216185620ddc8851c7a9fc4dfe120ef" or certificate leaf = H"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a")
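
The procedure above can be scripted so that both values are copied without transcription errors. The following is an added example, not part of the original documentation: the function names and the script name are hypothetical, and the sample input is constructed from the sample output shown in the steps. It rejects com.apple.* identifiers per the note in step 1 and warns when the Designated Requirement has no identifier clause for the extracted Bundle ID.

```shell
#!/bin/sh
# Added example (hypothetical helper names): parse codesign output into the
# Application Bundle ID and Designated Requirement for the Tunnel profile.

bundle_id() {               # value of the "Identifier=" line
    printf '%s\n' "$1" | sed -n 's/^Identifier=//p' | head -n 1
}

designated_requirement() {  # everything after "designated => "
    printf '%s\n' "$1" | sed -n 's/^designated => //p' | head -n 1
}

is_supported_id() {         # com.apple.* IDs do not work (note in step 1)
    case "$1" in
        ''|com.apple.*) return 1 ;;
        *) return 0 ;;
    esac
}

dr_names_id() {             # consistency check: DR has an identifier clause for the ID
    case "$2" in
        *"identifier \"$1\""*) return 0 ;;
        *) return 1 ;;
    esac
}

tunnel_profile_values() {
    # codesign prints its display details on stderr, so merge stderr into stdout.
    info=$(codesign -dv "$1" 2>&1) || { echo "codesign failed: $info" >&2; return 1; }
    req=$(codesign -d -r- "$1" 2>&1) || { echo "codesign failed: $req" >&2; return 1; }
    id=$(bundle_id "$info"); dr=$(designated_requirement "$req")
    is_supported_id "$id" || { echo "unusable Bundle ID: '$id'" >&2; return 1; }
    [ -n "$dr" ] || { echo "no Designated Requirement found" >&2; return 1; }
    dr_names_id "$id" "$dr" || echo "warning: DR does not name $id" >&2
    printf 'Application Bundle ID: %s\nDesignated Requirement: %s\n' "$id" "$dr"
}

# Constructed sample input, taken from the sample output in the steps above.
SAMPLE_INFO='Executable=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome
Identifier=com.google.Chrome
Format=app bundle with Mach-O thin (x86_64)
TeamIdentifier=EQHXZ8M8AV'
SAMPLE_REQ='Executable=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome
designated => (identifier "com.google.Chrome" or identifier "com.google.Chrome.beta" or identifier "com.google.Chrome.dev" or identifier "com.google.Chrome.canary") and (certificate leaf = H"85cee8254216185620ddc8851c7a9fc4dfe120ef" or certificate leaf = H"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a")'

# Usage on a Mac: sh tunnel_values.sh "/Applications/Google Chrome.app"
if [ "$#" -gt 0 ]; then tunnel_profile_values "$1"; fi
```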