The VMware Tunnel client for Android versions 22.09 and later supports standalone enrollment in addition to the existing MDM workflows. For Standalone enrollment, there is no requirement for device management or Workspace ONE HUB for configuration.

MDM Tunnel Profile

  1. Navigate to: Devices > Profiles & Resources > Profiles. Click Add > Add Profile
  2. Provide a Profile name
  3. Select Android and search or navigate to the VPN payload.
    1. For a Samsung Knox deployment, select Android and then select Container
  4. Expand the VPN payload from the list and click Add.
  5. Select Workspace ONE Tunnel as the Connection Type and enter a Connection Name.
    Note: The Server text box populates automatically with your VMware Tunnel component server URL. If this component is not configured, you see a message and hyperlink to the system settings page where you can configure it.
  6. Select the appropriate Device Traffic Rules created under the tunnel configuration page.
  7. Configure the Always ON VPN setting if desired. If toggled ON, an option to enable Lockdown mode is displayed.
  8. Click Next
  9. Select the appropriate Assignment and Deployment options.
  10. Click Save & Publish

Tunnel Profile for Standalone Enrollment

To setup a new Tunnel profile within the UEM console, navigate to: Groups and Settings -> All Settings -> System -> Enterprise Integration -> VMware Tunnel.

The Client-Side Configurations section includes the original Device Traffic Rule Sets and the new Tunnel Profiles. From here, admins can manage their standalone enrollment client profiles and will no longer need to configure the VPN payload under the Device Profiles.

Follow the setup wizard for the first-time profile creation.

  1. Select Android from the Platform drop-down list and enter a Connection Name for the profile.
  2. Select the appropriate Full Device DTR for this profile.
  3. Click Save.

The profile will then be associated to All devices at the Organization Group (OG).

Minimum Requirements for Standalone Enrollment:
  • UEM Console 2209+
  • Andriod 8+
Current Limitations for Standalone Enrollment:
  • Administrators must upload the Tunnel application in the UEM console and assign it to the desired smart groups.
  • Only one Tunnel Profile per platform can be set up at a particular Organization Group (OG).
  • The Tunnel client will only configure if it is enrolled at the OG where the Tunnel Profile is set up.
  • The profile is assigned to All devices at that OG, support for Assignment Groups is planned for a future release.
  • Administrators must allow enrollment for Boxer / Content / Web at the specific OG. This can be done by navigating to: Groups and Settings --> All Settings --> Content --> Applications --> Workspace ONE Content App. Select Disabled for the Block Enrollment via Content, Boxer, and Web setting.