VMware Tunnel uses certificates to authenticate communication among the Workspace ONE UEM console, VMware Tunnel, and end-user devices. The following workflows show the initial setup process and certificate integration cycle.

Initial Setup Workflow

  1. VMware Tunnel connects to the Workspace ONE UEM API and authenticates with an API Key and a Certificate.
    • Traffic requests are SSL encrypted using HTTPS.
    • Setup authorization is restricted to admin accounts whose role has VMware Tunnel setup enabled (see preliminary steps).
  2. Workspace ONE UEM generates a unique identity certificate pair for both the Workspace ONE UEM and VMware Tunnel environments.
    • The Workspace ONE UEM certificate is unique to the group selected in the Workspace ONE UEM console.
    • Both certificates are generated from a trusted Workspace ONE UEM root.
  3. Workspace ONE UEM sends the unique certificates and trust configuration back to the VMware Tunnel server over HTTPS.

    The VMware Tunnel configuration trusts only messages signed from the Workspace ONE UEM environment. This trust is unique per group.

    Any additional VMware Tunnel servers set up in the same Workspace ONE UEM group as part of a highly available (HA) load-balanced configuration are issued the same unique VMware Tunnel certificate. For more information on load-balanced configurations, see High Availability Overview.

Certificate Integration Cycle

  1. Workspace ONE UEM generates Device Root Certificates that are unique to every instance during the installation process.

    For Proxy: The Device Root Certificate is used to generate client certificates for each of the applications and devices.

    For Per-App Tunnel: The Device Root Certificate is used to generate client certificates for each of the devices.

  2. For Proxy: The certificate an application uses to authenticate with the VMware Tunnel is only provided after the application attempts to authenticate with the Workspace ONE UEM enrollment credentials for the first time.

    For Per-App Tunnel: The certificate is generated at the time of profile delivery.

  3. VMware Tunnel receives the certificate chain during installation. The VMware Tunnel installer is dynamically packaged and picks up these certificates at the time of download.

  4. Communication between the VMware Tunnel and device-side applications (including VMware Browser and wrapped applications that use app tunneling) is secured using the identity certificates generated during installation. These identity certificates are child certificates of the Secure Channel Root certificate.
  5. VMware Tunnel makes an outbound call to the AWCM/API server to receive updated details on the device and certificates. The following details are exchanged during this process: DeviceUid, CertThumbprint, applicationBundleId, EnrollmentStatus, complianceStatus.

  6. VMware Tunnel maintains a list of devices and certificates and only authenticates the communication if it sees a certificate it recognizes.

    X.509 (version 3) digitally signed client certificates are used for authentication.
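The following is an added illustration of the decision logic in steps 5 and 6, written for this page and not taken from VMware Tunnel itself: the Tunnel keeps a table of device records keyed by certificate thumbprint, refreshes it from the AWCM/API details (DeviceUid, CertThumbprint, applicationBundleId, EnrollmentStatus, complianceStatus), and accepts a connection only for a recognised certificate whose device is enrolled and compliant. The hash used for the thumbprint (SHA-256), the status string values, the bundle IDs and the sample certificate bytes are all assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class DeviceRecord:
    # Field names mirror the details exchanged with the AWCM/API server (step 5).
    device_uid: str
    cert_thumbprint: str
    application_bundle_id: str
    enrollment_status: str
    compliance_status: str

def thumbprint(cert_der: bytes) -> str:
    # Hex SHA-256 over the DER encoding. Assumption: the page does not name the hash.
    return hashlib.sha256(cert_der).hexdigest()

def authorize(cert_der: bytes, bundle_id: str, records: dict) -> tuple:
    """Step 6: accept the connection only for a recognised certificate whose
    device is enrolled and compliant. Returns (allowed, reason)."""
    rec = records.get(thumbprint(cert_der))
    if rec is None:
        return False, "unknown certificate"
    if rec.application_bundle_id != bundle_id:
        return False, f"certificate not issued for {bundle_id}"
    if rec.enrollment_status != "Enrolled":
        return False, f"device {rec.device_uid} is not enrolled"
    if rec.compliance_status != "Compliant":
        return False, f"device {rec.device_uid} is non-compliant"
    return True, f"device {rec.device_uid} authenticated"

def apply_update(records: dict, update: dict) -> dict:
    """Step 5: merge details received from the AWCM/API server into the list.
    A changed status takes effect on the next authorize() call."""
    merged = dict(records)
    rec = merged.get(update["CertThumbprint"])
    if rec is not None:
        merged[rec.cert_thumbprint] = replace(
            rec,
            enrollment_status=update.get("EnrollmentStatus", rec.enrollment_status),
            compliance_status=update.get("complianceStatus", rec.compliance_status),
        )
    return merged

# Constructed sample data: these byte strings stand in for real DER certificates.
CERT_A = b"constructed DER for device A"
CERT_B = b"constructed DER for device B"
CERT_UNKNOWN = b"constructed DER never issued by the Device Root"
SAMPLE_RECORDS = {
    thumbprint(CERT_A): DeviceRecord("dev-A", thumbprint(CERT_A), "com.example.browser", "Enrolled", "Compliant"),
    thumbprint(CERT_B): DeviceRecord("dev-B", thumbprint(CERT_B), "com.example.wrapped", "Enrolled", "NonCompliant"),
}
```

A certificate that is not in the table is refused before any status check, which is the behaviour step 6 describes for unrecognised certificates.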