To use non-native Per-App Tunnel functionality on macOS devices, you must extract the app Bundle ID. Extract the Bundle ID before pushing the VPN profile to macOS devices.

To extract the Bundle ID:

  1. On a macOS device, find the file path for the app you want to flag for Per-App Tunnel.

    For example: /Applications/Google\ Chrome.app/.

  2. Open the terminal.

  3. Run the following command to get the Application Bundle ID : codesign -dv --entitlements - /Applications/Google\ Chrome.app/
  4. Review the output.



    Executable=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome Identifier=com.google.Chrome Format=app bundle with Mach-O thin (x86_64) CodeDirectory v=20200 size=273 flags=0x800(restrict) hashes=3+3 location=embeddedSignature size=8949 Timestamp=Mar 20, 2018 at 2:23:20 AM Info.plist entries=36 TeamIdentifier=EQHXZ8M8AV Sealed Resources version=2 rules=7 files=203 Internal requirements count=1 size=240

  5. Copy the Application Bundle ID from the output. The Bundle ID follows identifier. In the above example it is com.google.Chrome.
  6. Run the following command to get the Designated Requirement : codesign -d -r- /Applications/Google\ Chrome.app/
  7. Review the output.



    Executable=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome designated => (identifier "com.google.Chrome" or identifier "com.google.Chrome.beta" or identifier "com.google.Chrome.dev" or identifier "com.google.Chrome.canary") and (certificate leaf = H"85cee8254216185620ddc8851c7a9fc4dfe120ef" or certificate leaf = H"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a")
  8. Copy the Designated Requirement from the output. Designated Requirement is the entire string followed by "designated =>".

    In the above example, it is (identifier "com.google.Chrome" or identifier "com.google.Chrome.beta" or identifier "com.google.Chrome.dev" or identifier "com.google.Chrome.canary") and (certificate leaf = H"85cee8254216185620ddc8851c7a9fc4dfe120ef" or certificate leaf = H"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a")
  9. To whitelist Chrome, enter the Application Bundle ID and Designated Requirement in the UEM console Tunnel profile.

    For example, from the above sample output, enter the following:

    Settings Description
    Application Bundle ID com.google.Chrome
    Designated Requirement

    (identifier "com.google.Chrome" or identifier "com.google.Chrome.beta" or identifier "com.google.Chrome.dev" or identifier "com.google.Chrome.canary") and (certificate leaf = H"85cee8254216185620ddc8851c7a9fc4dfe120ef" or certificate leaf = H"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a")