After configuring and installing VMware Tunnel with the Per-App Tunnel component, the workflow to enable and use per app or full device tunneling in Workspace ONE UEM includes creating a VPN Tunnel profile for your end-user devices. These profiles depend on your device platform. After you create a VPN Tunnel profile, push the profiles and the apps to the devices. An on-demand feature lets you configure apps to connect automatically using VMware Tunnel when launched. The connection remains active until a time-out period of receiving no traffic, then it is disconnected. When using VMware Tunnel , no IP address is assigned to the device, so you do not need to configure the network or assign a subnet to connected devices. In addition, iOS apps can use the iOS DNS Service to send DNS queries through the VMware Tunnel server to the DNS server on a corporate network. This service allows applications such as Web browsers to use your corporate DNS server to look up the IP address of your internal Web servers.

Privacy Dialog

VMware Workspace ONE Tunnel supports a privacy dialog that displays information regarding the application an admin configures. VMware Workspace ONE Tunnel only supports the privacy dialog for iOS and Android devices. You must deploy the VMware Workspace ONE Tunnel app to devices using Application Configurations during device assignment.

The dialog displays the following information to end users:

Table 1. Privacy Dialog Information
Information Description
Data collected by the application Provides a summary of data which is collected and processed by the application. Some of this data will be visible to administrators of theWorkspace ONE UEM console.
Device permissions Provides a summary of device permissions requested for the app to enable product features and functionality, such as push notifications to the device.
Company's privacy policy Enables administrators to display a customized privacy notice to their users through a configurable URL. If no privacy notice is provided, a default message will be shown to the user to contact their employer for more information.

Application Configurations

Application configurations are key-value pairs that you deploy with the application to preconfigure features for users.

Currently, application configurations are available for Android and iOS.

Listed below are the key-value pairs for Android Tunnel.
Table 2. Key-Value Pairs for Android Tunnel
Friendly Key Name Configuration Key Value Type Configuration Value Description Version Added
Privacy Controls:
Custom Privacy Policy URL PrivacyPolicyLink String Example: Provide the Policy URL that you want your users to visit when Your company's privacy policy is selected from the Privacy notice. 4.2
Display Privacy Dialog Box DisplayPrivacyDialog Boolean

True - Enable

False - Disable
When set to '1' (Enable), Workspace ONE Tunnel displays a privacy notice to the users about the data that is collected and the permissions that are required on the device for the optimal functioning of the app. 4.2
Crash Reporting PolicyAllowCrashReporting Boolean

True - Enable

False - Disable
Set to True to report Workspace ONE Tunnel crashes to VMware. 4.2

Toggle VPN Connection

(Technical Preview)


Boolean True - Enable

False - Disable (Default)

Set to True to provide users the option to connect/ disconnect the Tunnel Connection on demand. 22.03

Toggle Timeout

(Technical Preview)
ToggleVPNTimeout Integer

Time in minutes

Default Value = 0 (No timeout)
Set a timeout in minutes for an Active Tunnel connection. 22.03
Diagnostics and Troubleshooting:
Feature Analytics PolicyAllowFeatureAnalytics Integer

1 - Enable

0 - Disable
Set to True to enable data collection for Workspace ONE Tunnel experience improvement. 4.2
Display Welcome Screen DisplayWelcomeScreen Boolean True - Enable

False - Disable

Set to True to hide the Workspace ONE Tunnel welcome screen. 4.2
Filter Diagnostics View FilterDiagnosticsView Boolean True - Enable

False - Disable

Set to True to filter advanced connection details in the Diagnostics view. 5.6
Enable Debug Logs on Install EnableDebugLogsOnInstall Integer

0 – Disable

1 – Enable

2 – Force Enable

This setting is strictly for debugging. 21.01
Enable App Activity (Beta) ShowDataUsage Boolean True - Enable

False - Disable

Set to True to enable details for applications that have recently sent a network request in the UI. 21.01
Container Wide/ Full Device Mode:
Exempt Application from Container-wide Tunnel DisallowAppsList String Example:

{ "com.facebook.orca","com.whatsapp"}

Provide a list of applications that are exempt from Full Device Tunnel. 22.03
Other Settings:
Custom Settings CustomSettings String Example:

{ “PackageID”: “”, “Domains”: “”, “Action”: “Proxy”, “Proxy”: “”, “DefaultActionForSettings”: “Bypass” }

Custom Settings for Tunnel 5.1
Trusted Network Probe Url TrustedNetworkProbeUrl String
  • <internal-site>
  • <internal-site>:<port>
  • http://<internal-site>
  • http://<internal-site>:80
  • https://<internal-site>
  • https://<internal-site>:443
You can use this attribute to detect if your device is connected to a trusted network, based on your device's ability to reach a private URL. You can specify a comma-separated list for redundancy. 5.6
UEM API Sync Interval ClientSyncInterval String Time in minutes. Minimum value recommended is 60 minutes. Default value is 240 minutes. Determines sync interval with UEM API for Tunnel configuration updates. This is part of the new DTR sync mechanism. 22.03

You must know the supported key-value pairs for your application to deploy them and to code them. To find other supported application configurations, review the listed resources. You can enter supported pairs when you upload applications to the Workspace ONE UEM console and you can code them into your applications.

The application vendor sets the supported configurations for the application, so you can contact the vendor or visit other sites with information about application configurations.

The Workspace ONE UEM knowledge base has articles about working with application configurations when you develop applications. See Workspace ONE UEM Managed App Configuration at