After configuring and installing VMware Tunnel with the Per-App Tunnel component, the workflow to enable and use per-app tunneling in Workspace ONE UEM includes creating a VPN profile for your end-user devices. These profiles depend on your device platform. After you create a VPN profile, push the profiles and the apps to the devices.

An on-demand feature lets you configure apps to connect automatically using VMware Tunnel when launched. The connection remains active until a time-out period passes with no traffic, and is then disconnected. When using VMware Tunnel, no IP address is assigned to the device, so you do not need to configure the network or assign a subnet to connected devices.

In addition, iOS apps can use the iOS DNS Service to send DNS queries through the VMware Tunnel server to the DNS server on a corporate network. This service allows applications such as Web browsers to use your corporate DNS server to look up the IP address of your internal Web servers.

Application Configurations


Application configurations are key-value pairs that you deploy with the application to preconfigure features for users. You can enter supported pairs when you upload applications to the Workspace ONE UEM console and you can code them into your applications.

Currently, application configurations are available for Android and iOS. You must know the supported key-value pairs for your application to deploy them and to code them. To find supported application configurations, review the listed resources.

The application vendor sets the supported configurations for the application, so you can contact the vendor or visit other sites with information about application configurations.

The Workspace ONE UEM knowledge base has articles about working with application configurations when you develop applications. See Workspace ONE UEM Managed App Configuration at

Privacy Dialog

VMware Workspace ONE Tunnel supports a privacy dialog that displays information regarding the application an admin configures. VMware Workspace ONE Tunnel only supports the privacy dialog for iOS and Android devices. You must deploy the VMware Workspace ONE Tunnel app to devices using Application Configurations during device assignment.

The dialog displays the following information to end users:

Table 1. Privacy Dialog Information

| Information | Description |
|---|---|
| Data collected by the application | Provides a summary of data which is collected and processed by the application. Some of this data will be visible to administrators of the Workspace ONE UEM console. |
| Device permissions | Provides a summary of device permissions requested for the app to enable product features and functionality, such as push notifications to the device. |
| Company's privacy policy | Enables administrators to display a customized privacy notice to their users through a configurable URL. If no privacy notice is provided, a default message will be shown to the user to contact their employer for more information. |

Admin Configuration Settings

To configure the privacy dialog for VMware Workspace ONE Tunnel on iOS and Android devices, you must deploy the VMware Workspace ONE Tunnel app to your devices with Application Configurations.

You must use the following key-value pairs:

Table 2. VMware Tunnel Privacy Dialog Key-Value Pairs
Configuration Key-Value Pair
Company Privacy Policy URL
  • Key: PrivacyPolicyLink
  • Value Type: String
  • Values:

This policy changes the default company privacy policy text to allow the user to view a specific privacy disclosure web page directly within the application.

VMware Feature Usage Analytics
  • Key: PolicyAllowFeatureAnalytics
  • Value Type: Integer
  • Values:
    • 0 - Disabled
    • 1 - Enabled

This policy controls whether end users will see the Data Sharing opt-in during configuration of the apps. When disabled, data sharing is forced off for all users. Feature analytics data is collected to allow VMware to improve existing product features and invent new ones to make users even more productive.

Diagnostics Data through VMware Intelligence and Apteligent
  • Key: PolicyAllowCrashReporting
  • Value Type: Boolean
  • Values:
    • false - Disabled
    • true - Enabled

This policy controls whether applications will report diagnostic data to Apteligent, which is used to provide troubleshooting and support, for example, in the event of a crash. Disabling this setting may significantly impact the efficiency of investigating and resolving any issues with the application.

Example Configuration:
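
As an added illustration (not VMware's own example or code), the following Python check validates a set of application configuration pairs against the three keys and value types in Table 2 before they are entered in the console. The function name, the sample values, the https requirement, and the key-casing warning are assumptions of this example.

```python
from urllib.parse import urlparse

# Keys and value types as listed in Table 2 of this page.
SPEC = {
    "PrivacyPolicyLink": str,
    "PolicyAllowFeatureAnalytics": int,   # 0 = Disabled, 1 = Enabled
    "PolicyAllowCrashReporting": bool,    # false = Disabled, true = Enabled
}
_BY_LOWER = {k.lower(): k for k in SPEC}

def check_privacy_config(pairs):
    """Return a list of findings for a dict of key-value pairs (empty = clean)."""
    findings = []
    for key, value in pairs.items():
        if key not in SPEC:
            near = _BY_LOWER.get(key.lower())
            if near:  # casing differs from the documented spelling
                findings.append(f"{key}: spelling differs from documented key {near}")
            continue  # keys for other features are out of scope here
        expected = SPEC[key]
        # bool is a subclass of int in Python, so compare exact types.
        if type(value) is not expected:
            findings.append(f"{key}: expected {expected.__name__}, "
                            f"got {type(value).__name__}")
        elif key == "PolicyAllowFeatureAnalytics" and value not in (0, 1):
            findings.append(f"{key}: value must be 0 or 1, got {value}")
        elif key == "PrivacyPolicyLink":
            url = urlparse(value)
            # Requiring https is this example's assumption, not a documented rule.
            if url.scheme != "https" or not url.netloc:
                findings.append(f"{key}: not an absolute https URL")
    return findings

# Constructed sample inputs (example.com is a placeholder domain).
GOOD = {
    "PrivacyPolicyLink": "https://privacy.example.com/tunnel",
    "PolicyAllowFeatureAnalytics": 0,
    "PolicyAllowCrashReporting": False,
}
BAD = {
    "PrivacyPolicyLink": "privacy.example.com",   # no scheme
    "PolicyAllowFeatureAnalytics": False,         # Boolean where Integer is listed
    "PolicyAllowCrashReporting": "false",         # String where Boolean is listed
}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_privacy_config(cfg) or "ok")
```

The type mix-up it catches is easy to make because the two opt-out keys use different value types: Integer for PolicyAllowFeatureAnalytics and Boolean for PolicyAllowCrashReporting.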