Configure VPN Profile for Windows platform (UWP) app to allow devices to connect to internal sites you define through the VMware Tunnel. Using this functionality requires you to configure and install the Per-App Tunnel component as part of your VMware Tunnel installation.


  1. Navigate to Devices > Profiles > List View > Add and select Windows. Then select Windows Desktop and User Profile or Device Profile.
  2. Configure the profile's General settings.
  3. Select the VPN payload from the list.
  4. Enter a Connection Name and select Workspace ONE Tunnel as the Connection type.
    The Server text box populates automatically with your VMware Tunnel component server URL. If this component is not configured, you see a message and hyperlink to the system settings page where you can configure it.
  5. Configure the Per App VPN rules.
  6. Configure the relevant Policies settings.
    Settings Description
    Always On Enable to force the VPN connection to be always on.
    VPN Lockdown

    Enable to force the VPN to always be on, never disconnect, deactivate any network access if the VPN is not connected, and prevent other VPN profiles from connecting on the device.

    A VPN profile with VPN Lockdown enabled must be deleted before you push a new VPN profile to the device.

    This feature only displays if the profile is set to Device context.

    Trusted Network Detection Enter comma separated trusted networks (For example,, and so on). Tunnel fails to connect when the device is on a trusted network.
    DNS Resolution via Tunnel Gateway In the DNS Resolution via Tunnel Gateway section, select Add New Domain to add domains to resolve through the VMware Tunnel server.

    Any domains added resolve though the VMware Tunnel server regardless of the app originating the traffic. For example, will resolve through theVMware Tunnel server if you use the whitelisted Chrome or the non-whitelisted Edge apps.

  7. Select Save & Publish.