Configure a VPN profile for Windows desktop applications so that devices can connect to the internal sites you define through the VMware Tunnel. Using this functionality requires you to configure and install the Per-App Tunnel component as part of your VMware Tunnel installation.


The VMware Tunnel client for Windows Desktop requires that devices are enrolled in Workspace ONE UEM and have the Workspace ONE Intelligent Hub installed.


  1. Navigate to Devices > Profiles > List View > Add and select Windows. Then select Windows Desktop and Device Profile.
  2. Configure the profile's General settings.
  3. Select the VPN payload from the list and select Configure.
  4. Enter a Connection Name and select Workspace ONE Tunnel as the Connection type.
    The Server text box populates automatically with your VMware Tunnel component server URL. If this component is not configured, you see a message and hyperlink to the system settings page where you can configure it.
  5. Enable the Desktop Client.
  6. Enter the XML code in the Custom Configuration XML text box. You can set the following attributes based on your requirements:
    Settings Description

    You can use this attribute to detect if your device is connected to a trusted network, based on your device's ability to reach a private URL. You can specify a comma-separated list for redundancy.


    You can use this attribute for resolving shortnames by using the search domains.

    ServerCertSN: You can use this attribute for setting a third-party certificate for the server authentication. If you do not know your subject CN name, you can open the certificate on the Windows device and go to the Details tab. You can find a row named Subject which contains the CN name of the certificate.
    For example, you can enter the following XML code in the Custom Configuration XML text box.
    <?xml version="1.0" encoding="utf-16"?>
  7. Configure the network settings for Tunnel.
    Settings Description
    Trusted Network Detection
    Enter comma-separated trusted networks (For example,, ). Tunnel is disabled when the device is on a trusted network.
    Note: As an alternative to the Probe URL, trusted networks can be detected based on the DNS connection suffix. Probe URLs take precedence over connection suffixes, and the Probe URL is the primary recommendation.
    DNS Resolution via Tunnel Gateway: In the DNS Resolution via Tunnel Gateway section, select Add New Domain to add domains to resolve through the VMware Tunnel server.

    Any domains added resolve through the VMware Tunnel server regardless of the app originating the traffic. For example, resolves through the VMware Tunnel server if you use the whitelisted Chrome or the non-whitelisted Edge apps.

  8. Select Save & Publish.
    Note: If you are migrating your devices from the Windows UWP client to the Windows desktop client, we recommend that you remove the previous VMware Tunnel profile and application once the new profile has propagated to devices.
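
Step 6 describes reading the subject CN from the Subject row of the certificate's Details tab. The PowerShell below is an added example, not part of the original documentation or VMware code, that reads the same value from a certificate subject so it can be checked before it is entered for ServerCertSN. The function name Get-SubjectCN, the sample subject and the file path are assumptions made for illustration.

```powershell
# Added example: extract the CN attribute from a certificate subject.
function Get-SubjectCN {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X500DistinguishedName]$SubjectName
    )

    # Format($true) returns one attribute per line, so a comma inside a
    # value (for example CN="Example, Inc.") cannot split the value.
    $found = @()
    foreach ($line in ($SubjectName.Format($true) -split "\r?\n")) {
        if ($line -match '^\s*CN=(.+)$') {
            $found += $Matches[1].Trim().Trim('"')
        }
    }

    if ($found.Count -eq 0) {
        # Some certificates carry the host name only in the SAN extension.
        throw "Subject '$($SubjectName.Name)' has no CN attribute."
    }
    if ($found.Count -gt 1) {
        Write-Warning "Subject has $($found.Count) CN attributes; returning the first."
    }
    $found[0]
}

# Constructed sample subject, used so the example runs without a certificate file.
$sample = [System.Security.Cryptography.X509Certificates.X500DistinguishedName]::new(
    'CN=tunnel.example.com, O=Example Corp, C=US')
Get-SubjectCN -SubjectName $sample

# With an exported server certificate (placeholder path):
# $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new('C:\Temp\server.cer')
# Get-SubjectCN -SubjectName $cert.SubjectName
# $cert.NotAfter   # confirm the certificate has not expired
```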