The VMware Tunnel client on macOS now supports standalone enrollment. There is no requirement for device management or Workspace ONE HUB for configuration. To ensure a seamless user experience and simplified administrator experience, the macOS Tunnel client for standalone enrollment will be delivered outside of the App Store. This macOS VMware Tunnel application will be available through the Workspace ONE Resource Portal.

The macOS Tunnel application delivered through the Resources Portal will support Full Device Tunnel mode only with Per-app mode planned for the future. Continue using the macOS Tunnel client delivered through the App Store for all MDM and Per-App workflows. Standalone enrollment supports both basic and SAML authentication.

MDM Per-App Tunnel Profile

Complete the following steps to configure Per-App Tunnel Profile for macOS:
  1. Navigate to Devices > Profiles > List View > Add and select macOS. Then select User.
  2. Configure the General settings.
  3. Select the VPN payload from the list and click Configure.
  4. Enter a Connection Name and select Workspace ONE Tunnel as the Connection Type. The Server text box populates automatically with your VMware Tunnel component server URL. If this component is not configured, you see a message and a hyperlink to the system settings page where you can configure it.
  5. Select the appropriate DTR from the drop-down list.
  6. Verify or select AppProxy as the Provider Type.
  7. Select Save & Publish.

Extract macOS Bundle ID for Per-App Tunnel

To use non-native Per-App Tunnel functionality on macOS devices, you must extract the app Bundle ID. Extract the Bundle ID before pushing the VPN profile to macOS devices.

  1. On a macOS device, find the file path for the app you want to flag for Per-App Tunnel. For example:
     /Applications/Google\ Chrome.app/
    Note:
    Extracting the macOS Bundle ID for Per-App Tunnel does not work with the native macOS system applications if the Application Bundle ID begins with com.apple.* on macOS 10.14 or later.
  2. Open the Terminal.
  3. Run the following command to get the Application Bundle ID:
     codesign -dv --entitlements - /Applications/Google\ Chrome.app/
  4. Review the output.
    Executable=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome
    Identifier=com.google.Chrome
    Format=app bundle with Mach-O thin (x86_64)
    CodeDirectory v=20200 size=273 flags=0x800(restrict) hashes=3+3 location=embedded
    Signature size=8949
    Timestamp=Mar 20, 2018 at 2:23:20 AM
    Info.plist entries=36
    TeamIdentifier=EQHXZ8M8AV
    Sealed Resources version=2 rules=7 files=203
    Internal requirements count=1 size=240
  5. Copy the Application Bundle ID from the output. The Bundle ID is the value of the Identifier= line. In the above example it is com.google.Chrome.
  6. Run the following command to get the Designated Requirement:
     codesign -d -r- /Applications/Google\ Chrome.app/
  7. Review the output.
    Executable=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome
    designated => (identifier "com.google.Chrome" or identifier "com.google.Chrome.beta" or identifier "com.google.Chrome.dev" or identifier "com.google.Chrome.canary") and (certificate leaf = H"85cee8254216185620ddc8851c7a9fc4dfe120ef" or certificate leaf = H"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a")
  8. Copy the Designated Requirement from the output. The Designated Requirement is the entire string that follows "designated =>", up to the end of the output. In the above example, it is
    (identifier "com.google.Chrome" or identifier "com.google.Chrome.beta" or identifier "com.google.Chrome.dev" or identifier "com.google.Chrome.canary") and (certificate leaf = H"85cee8254216185620ddc8851c7a9fc4dfe120ef" or certificate leaf = H"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a")
  9. To allowlist Chrome, enter the Application Bundle ID and Designated Requirement in the UEM console Tunnel profile. For example, from the above sample output, enter the following settings.
    Setting                  Value
    Application Bundle ID    com.google.Chrome
    Designated Requirement   (identifier "com.google.Chrome" or identifier "com.google.Chrome.beta" or identifier "com.google.Chrome.dev" or identifier "com.google.Chrome.canary") and (certificate leaf = H"85cee8254216185620ddc8851c7a9fc4dfe120ef" or certificate leaf = H"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a")
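The following POSIX shell script automates steps 3 to 8 above. It is an added example, not VMware's code or part of the original documentation: the function names (extract_bundle_id, extract_designated_requirement, bundle_id_supported, tunnel_app_settings) are this example's own choice. It parses the two codesign outputs, joins a line-wrapped Designated Requirement back onto one line so it can be pasted into the UEM console, and refuses com.apple.* bundle IDs per the note in step 1. The sample codesign output embedded in it is constructed from the Chrome transcript above so the parsing runs without a Mac; tunnel_app_settings runs the real codesign commands and therefore only works on macOS.

```shell
#!/bin/sh
# Added example (not VMware's code): extract the Application Bundle ID and
# Designated Requirement that a Workspace ONE Tunnel Per-App profile needs.
# Function names are this example's own, not a VMware or Apple API.

# Bundle ID: value of the "Identifier=" line printed by
# `codesign -dv --entitlements - <app>` (codesign writes it to stderr).
# "^Identifier=" deliberately does not match "TeamIdentifier=".
extract_bundle_id() {
    sed -n 's/^Identifier=//p' | head -n 1
}

# Designated Requirement: everything after "designated =>" in the output of
# `codesign -d -r- <app>`, joined onto a single line with single spaces.
# Prints an empty line if the marker is absent (unsigned app, parse failure).
extract_designated_requirement() {
    awk '
        found { buf = buf " " $0 }
        !found && index($0, "designated =>") {
            found = 1
            sub(/.*designated => */, "")
            buf = $0
        }
        END {
            gsub(/[ \t]+/, " ", buf)
            sub(/^ /, "", buf)
            sub(/ $/, "", buf)
            print buf
        }'
}

# Caveat from step 1: com.apple.* system apps cannot be flagged this way on
# macOS 10.14+. Also rejects an empty ID. Returns 0 if usable, 1 otherwise.
bundle_id_supported() {
    case "$1" in
        "" | com.apple.*) return 1 ;;
        *) return 0 ;;
    esac
}

# Run both codesign commands against a real app bundle (macOS only) and
# print the two values the UEM console asks for. Usage:
#   tunnel_app_settings "/Applications/Google Chrome.app"
tunnel_app_settings() {
    app="$1"
    command -v codesign >/dev/null 2>&1 || { echo "codesign not found (macOS only)" >&2; return 1; }
    bid=$(codesign -dv --entitlements - "$app" 2>&1 | extract_bundle_id)
    bundle_id_supported "$bid" || { echo "unsupported or missing bundle ID: '$bid'" >&2; return 1; }
    dr=$(codesign -d -r- "$app" 2>&1 | extract_designated_requirement)
    [ -n "$dr" ] || { echo "no designated requirement found for $app" >&2; return 1; }
    printf 'Application Bundle ID: %s\nDesignated Requirement: %s\n' "$bid" "$dr"
}

# Constructed sample output, copied from the Chrome transcript in the
# procedure above, so the parsers can be exercised on any POSIX system.
SAMPLE_DV_OUTPUT='Executable=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome
Identifier=com.google.Chrome
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=273 flags=0x800(restrict) hashes=3+3 location=embedded
TeamIdentifier=EQHXZ8M8AV'

SAMPLE_DR_OUTPUT='Executable=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome
designated => (identifier "com.google.Chrome" or identifier "com.google.Chrome.beta" or identifier
"com.google.Chrome.dev" or identifier "com.google.Chrome.canary") and (certificate
leaf = H"85cee8254216185620ddc8851c7a9fc4dfe120ef" or certificate leaf =
H"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a")'

# Stand-alone demonstration on the constructed sample.
printf 'Application Bundle ID: %s\n' "$(printf '%s\n' "$SAMPLE_DV_OUTPUT" | extract_bundle_id)"
printf 'Designated Requirement: %s\n' "$(printf '%s\n' "$SAMPLE_DR_OUTPUT" | extract_designated_requirement)"
```

Joining the requirement onto one line matters because the console expects a single expression; a value pasted with embedded line breaks from a wrapped terminal is the usual reason a Per-App rule silently fails to match. The Designated Requirement ties the allowlist entry to the signing certificate hashes, so an unsigned binary that merely claims the same bundle identifier is not matched.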

Tunnel Profile for Standalone Enrollment

To set up a new Tunnel profile within the UEM console, navigate to: Groups and Settings --> All Settings --> System --> Enterprise Integration --> VMware Tunnel.

You will find a new section titled Client-Side Configurations, which includes the original Device Traffic Rule Sets and the new Tunnel Profiles. From here, admins can manage their standalone enrollment client profiles and no longer need to configure the VPN payload under Device Profiles.

The setup wizard will walk you through the first-time profile creation.

  • Select macOS from the Platform drop-down list and enter a Connection Name for the profile.
  • Select the appropriate Full Device DTR for this profile.
  • Click Save.

The profile will then be associated to All devices at the Organization Group (OG).

Minimum Requirements for Standalone Enrollment:
  • UEM Console 2203+
  • macOS 11+
Current Limitations for Standalone Enrollment:
  • Only one Tunnel Profile per platform can be set up at a particular Organization Group (OG).
  • The Tunnel client will only configure if it is enrolled at the OG where the Tunnel Profile is set up.
  • The profile is assigned to All devices at that OG, support for Assignment Groups is planned for a future release.
  • Administrators must allow enrollment for Boxer / Content / Web at the specific OG. This can be done by navigating to Groups and Settings --> All Settings --> Content --> Applications --> Workspace ONE Content App. Select 'Disabled' for the 'Block Enrollment via Content, Boxer, and Web' setting.