The VMware Tunnel client on Windows now supports standalone enrollment: device management and Workspace ONE Hub are not required for configuration. Client version 2.1.8 supports all existing use cases and workflows except standalone enrollment. Client version 3.1 supports standalone enrollment only, in both Full Device and Per-App Tunnel mode. Continue using Windows Tunnel client version 2.1.8 for all MDM workflows. Consolidating the MDM and standalone workflows in a unified Windows Tunnel client is on our roadmap. Standalone enrollment supports both basic and SAML authentication.

The VMware Tunnel client for Windows Desktop requires that devices are enrolled in Workspace ONE UEM and have the Workspace ONE Intelligent Hub installed.

  1. Navigate to Devices > Profiles > List View > Add and select Windows.
  2. Configure the profile General settings.
  3. Select the VPN payload from the list and select Configure.
  4. Enter the Connection Name and select Workspace ONE Tunnel as the Connection type.

    The Server text box populates automatically with your VMware Tunnel component server URL. If this component is not configured, you see a message and hyperlink to the system settings page where you can configure it.

  5. Select the Device Traffic Rules created under the tunnel configuration page. For more information, see Configure Network Traffic Rules for the Per-App Tunnel.
  6. Enable the Desktop Client.
  7. Enter the XML code in the Custom Configuration XML text box.
  8. Configure the network settings for Tunnel.
  9. Select Save & Publish.
    Note: If you are migrating your devices from the Windows UWP client to the Windows desktop client, we recommend that you remove the previous VMware Tunnel profile and application once the new profile has propagated to devices.

MDM Tunnel Profile

  1. Navigate to Devices > Profiles > List View > Add and select Windows.
  2. Select Windows Desktop and Device Profile.
  3. Configure the profile General settings.
  4. Select the VPN payload from the list.
  5. Then select Configure.
  6. Enter the Connection Name and select Workspace ONE Tunnel as the Connection type.
    Note: The Server text box populates automatically with your VMware Tunnel component server URL. If this component is not configured, you see a message and hyperlink to the system settings page where you can configure it.
  7. Select the appropriate Device Traffic Rules created under the tunnel configuration page.
    Note: For more information, see Configure Network Traffic Rules for the Per-App Tunnel.
  8. Enable the Desktop Client.
  9. Select Save & Publish.

Tunnel Profile for Standalone Enrollment

To set up a new Tunnel profile in the UEM console, navigate to Groups and Settings > All Settings > System > Enterprise Integration > VMware Tunnel. The client-side configuration section includes both the original Device Traffic Rule sets and the new Tunnel profiles.

From here, admins can manage their standalone-enrollment client profiles and no longer need to configure the VPN payload under Device Profiles. The setup wizard walks you through the first-time profile creation.
  1. Select Windows from the Platform drop-down menu.
  2. Enter a Connection Name for the profile.
  3. Select the appropriate Full Device DTR for this profile.
  4. Click Save.

The profile is then associated with All devices at the Organization Group (OG).

Minimum Requirements for Standalone Enrollment:
  • UEM Console 2203+
  • Windows 10+
Current Limitations for Standalone Enrollment:
  • Only one Tunnel Profile per platform can be set up at a particular Organization Group (OG).
  • The Tunnel client will only configure if it is enrolled at the OG where the Tunnel Profile is set up.
  • The profile is assigned to All devices at that OG; support for Assignment Groups is planned for a future release.

Custom Configuration for Windows Tunnel Profiles

The MDM Tunnel profile and the Tunnel profile for Standalone Enrollment support the following Custom Configurations.

Settings and their descriptions:
  • TrustedNetworkProbeUrl: Use this attribute to detect whether the device is connected to a trusted network, based on the device's ability to reach a private URL. You can specify a comma-separated list of URLs for redundancy.
  • DnsSearchDomain: Use this attribute to resolve short names by using the search domains.
  • ServerCertSN: Use this attribute to set a third-party certificate for server authentication. If you do not know the certificate's subject CN, open the certificate on the Windows device and go to the Details tab; the row named Subject contains the CN of the certificate.
  • StartTunnelPreLogon: Use this attribute to start the Tunnel service before you log in. This may be useful for specific domain authentication scenarios.
  • PreferExternalDNS: Use this attribute to prefer the external DNS response over the internal DNS response when a response is received from both.
  • PreferInternalDNS: Use this attribute to prefer the internal DNS response over the external DNS response when a response is received from both.
For example, you can enter the following XML code in the Custom Configuration XML text box.

    <?xml version="1.0" encoding="utf-16"?>
    <CustomConfiguration>
      <TrustedNetworkProbeUrl>http://probeurl</TrustedNetworkProbeUrl>
      <ServerCertSN>SubjectNameofCertificate</ServerCertSN>
      <DnsSearchDomain>domainname</DnsSearchDomain>
      <PreferExternalDNS>true</PreferExternalDNS>
      <PreferInternalDNS>true</PreferInternalDNS>
    </CustomConfiguration>
Note: Use either PreferInternalDNS or PreferExternalDNS in the Custom Configuration XML. If both elements are present, PreferInternalDNS takes precedence.
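As an added example (not part of the original documentation or the Tunnel client), the following Python script parses a Custom Configuration fragment before it is pasted into the console: it lists elements outside the documented set, splits the comma-separated probe URLs and applies the PreferInternalDNS precedence rule from the note above. The function names and the sample values (probe1.corp.example, tunnel.corp.example) are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Elements documented for the Custom Configuration XML text box.
KNOWN_SETTINGS = {
    "TrustedNetworkProbeUrl", "DnsSearchDomain", "ServerCertSN",
    "StartTunnelPreLogon", "PreferExternalDNS", "PreferInternalDNS",
}

# Constructed sample: both DNS preferences enabled and one misspelled element.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-16"?>
<CustomConfiguration>
  <TrustedNetworkProbeUrl>http://probe1.corp.example, http://probe2.corp.example</TrustedNetworkProbeUrl>
  <ServerCertSN>tunnel.corp.example</ServerCertSN>
  <PreferExternalDNS>true</PreferExternalDNS>
  <PreferInternalDNS>true</PreferInternalDNS>
  <PreferInternalDns>true</PreferInternalDns>
</CustomConfiguration>"""


def as_bool(text):
    """Treat only the literal 'true' (any case) as enabled."""
    return (text or "").strip().lower() == "true"


def check_custom_configuration(data: bytes) -> dict:
    """Parse the fragment and report the settings that would take effect."""
    root = ET.fromstring(data)  # expat reads the UTF-16 BOM and declaration
    if root.tag != "CustomConfiguration":
        raise ValueError(f"unexpected root element <{root.tag}>")
    settings, unknown = {}, []
    for child in root:
        if child.tag in KNOWN_SETTINGS:
            settings[child.tag] = (child.text or "").strip()
        else:
            unknown.append(child.tag)  # not a documented setting, so flag it
    # TrustedNetworkProbeUrl is a comma-separated list for redundancy.
    probe_urls = settings.get("TrustedNetworkProbeUrl", "").split(",")
    probe_urls = [u.strip() for u in probe_urls if u.strip()]
    # Per the note above, PreferInternalDNS wins when both flags are set.
    if as_bool(settings.get("PreferInternalDNS")):
        dns_preference = "internal"
    elif as_bool(settings.get("PreferExternalDNS")):
        dns_preference = "external"
    else:
        dns_preference = "unset"
    return {
        "settings": settings,
        "unknown_elements": unknown,
        "probe_urls": probe_urls,
        "dns_preference": dns_preference,
    }
```

Run it with `check_custom_configuration(SAMPLE_XML.encode("utf-16"))`; the misspelled element shows up under unknown_elements instead of being mistaken for a working setting.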

Network Settings for Windows Tunnel Profiles

The MDM Tunnel profile and the Tunnel profile for Standalone Enrollment support the following network settings.

Settings and their descriptions:
  • Trusted Network Detection: Enter comma-separated trusted networks (for example, acme.com, abc.net). VMware Tunnel is disabled when the device is on a trusted network.
    Note: As an alternative to the Probe URL, trusted networks can be detected based on the DNS connection suffix. Probe URLs take precedence over connection suffixes, and the Probe URL is the primary recommendation.
  • DNS Resolution via Tunnel Gateway, Enhanced Domain Resolution: If enabled, all domains resolve through the VMware Tunnel server based on the destinations defined in the device traffic rules, regardless of the application originating the traffic.
    Note: This option is supported only on Windows Tunnel Desktop client 2.1 and above.

Domain / Add New Domain: In the DNS Resolution via Tunnel Gateway section, select Add New Domain to add domains that resolve through the VMware Tunnel server.

Any domains added resolve through the VMware Tunnel server regardless of the application originating the traffic. For example, vmware.com resolves through the VMware Tunnel server whether the request comes from Chrome on the allowlist or from the Edge application on the denylist.

Note: If the Enhanced Domain Resolution option is enabled, this option is hidden.