Configure Per-App Tunnel for macOS to allow macOS devices to connect to internal sites you define through the VMware Tunnel. This functionality requires you to configure and install the Per-App Tunnel component as part of your VMware Tunnel installation.

Complete the following steps before you Configure Per-App Tunnel Profile for macOS
  1. Cofigure VMware Tunnel.
  2. Configure Network Traffic Rules for Safari Split Tunneling.
  3. Deploy VMware Tunnel.
Complete the following steps to configure Per-App Tunnel Profile for macOS:
  1. Navigate to Devices > Profiles > List View > Add and select macOS. Then select User.
  2. Configure the General settings.
  3. Select the VPN payload from the list.
  4. Enter a Connection Name and select Workspace ONE Tunnel as the Connection Type.The Server text box populates automatically with your VMware Tunnel component server URL. If this component is not configured, you see a message and hyperlink to the system settings page where you can configure it.
  5. Enable App Mapping.
  6. Add the Bundle ID for each application you want to use with Per-App Tunnel.
  7. Select Save & Publish.

Extract macOS Bundle ID for Per-App Tunnel

To use non-native Per-App Tunnel functionality on macOS devices, you must extract the app Bundle ID. Extract the Bundle ID before pushing the VPN profile to macOS devices.

  1. On a macOS device, find the file path for the app you want to flag for Per-App Tunnel./Applications/Google\ Chrome.app/
    Note:
    Extracting the macOS Bundle ID for Per-App Tunnel does not work with the native MacOS system applications if the Application Bundle ID begins with com.apple.* on macOS 10.14 or later.
  2. Open the terminal.
  3. Run the following command to get the Application Bundle ID.codesign -dv --entitlements - /Applications/Google\ Chrome.app/
  4. Review the output.
    Executable=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome
                Identifier=com.google.Chrome Format=app bundle with Mach-O thin (x86_64) CodeDirectory
                v=20200 size=273 flags=0x800(restrict) hashes=3+3 location=embeddedSignature size=8949
                Timestamp=Mar 20, 2018 at 2:23:20 AM Info.plist entries=36 TeamIdentifier=EQHXZ8M8AV
                Sealed Resources version=2 rules=7 files=203 Internal requirements count=1
                size=240
  5. Copy the Application Bundle ID from the output.The Bundle ID follows identifier. In the above example it is com.google.Chrome.
  6. Run the following command to get the Designated Requirement.codesign -d -r- /Applications/Google\ Chrome.app/
  7. Review the output.
    Executable=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome designated =>
                (identifier "com.google.Chrome" or identifier "com.google.Chrome.beta" or identifier
                "com.google.Chrome.dev" or identifier "com.google.Chrome.canary") and (certificate
                leaf = H"85cee8254216185620ddc8851c7a9fc4dfe120ef" or certificate leaf =
                H"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a")
  8. Copy the Designated Requirement from the output.Designated Requirement is the entire string followed by "designated =>". In the above example, it is
    (identifier "com.google.Chrome" or identifier "com.google.Chrome.beta" or
                identifier "com.google.Chrome.dev" or identifier "com.google.Chrome.canary") and
                (certificate leaf = H"85cee8254216185620ddc8851c7a9fc4dfe120ef" or certificate leaf =
                H"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a")
  9. To whitelist Chrome, enter the Application Bundle ID and Designated Requirement in the UEM console Tunnel profile.For example, from the above sample output, enter the following settings.
    Settings Description
    Application Bundle ID com.google.Chrome
    Designated Requirement (identifier "com.google.Chrome" or identifier "com.google.Chrome.beta" or identifier "com.google.Chrome.dev" or identifier "com.google.Chrome.canary") and (certificate leaf = H"85cee8254216185620ddc8851c7a9fc4dfe120ef" or certificate leaf = H"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a")