Add rules for VMware Tunnel to control how traffic is directed through the VMware Tunnel when using the Per-App Tunnel component. These rules allow you to tunnel, block, or bypass traffic as needed.

Prerequisites

  • Configured VMware Tunnel with the Per-App Tunnel component enabled.
  • For iOS and Android, the rules apply to mobile applications configured for Per App VPN for VMware Tunnel. For more information, see Configure Public Apps to use Per App Profile.

Watch a tutorial video explaining how to create device traffic rules: Configure the network traffic rules for Per-App Tunnel.

Procedure

  1. Navigate to Groups & Settings > Configurations > Tunnel.
  2. By default, the Device Traffic Rules settings of the child OG are set to Override, which allows you to edit the settings of the current OG. Based on your configuration needs, you can also select Clear Override if you want to inherit the Device Traffic Rules settings of the current organization group's parent OG.
  3. Configure the Device Traffic Rules settings.
    Setting: Add Rule
    Description: Select Add Rule to create a rule.

    These rules apply only to the Per-App Tunnel component of VMware Tunnel for Android, iOS, macOS, and Windows Desktop devices. For iOS, use the Workspace ONE Tunnel client application from the App Store. For Windows Desktop, use the Workspace ONE Tunnel Desktop application.

    1. Rank: Select and drag the rule to rearrange the ranking of your network traffic rules.
    2. Application: Select Add to add a triggering application for the network rule. This drop-down menu is populated with applications that have Per App VPN enabled, plus Safari for macOS. If you configure rules for the Safari app for macOS, the traffic rules override and disable any domain rules configured in existing profiles.
    3. Action: Select the action from the drop-down menu that VMware Tunnel applies to all network traffic from the triggering app when the app starts.
      • Tunnel – Sends the app's network traffic for the specified domains through the tunnel to your internal network. All apps on the device configured for Per App VPN, except Safari, send their network traffic through the tunnel. For example, set the Action to Tunnel to ensure that all configured apps without a defined traffic rule use the VMware Tunnel for internal communications.
      • Block – Blocks all apps on the device configured for Per App VPN, except Safari, from sending network traffic. For example, set the Default Action to Block to ensure that all configured apps without a defined traffic rule cannot send any network traffic, regardless of destination.
      • Bypass – All apps on the device configured for Per App VPN, except Safari, bypass the tunnel and connect to the Internet directly. For example, set the Default Action to Bypass to ensure that all configured apps without a defined traffic rule bypass the VMware Tunnel and reach their destination directly.
      • Proxy – Redirects traffic for the listed domains to the specified HTTPS proxy. The proxy must use HTTPS and must follow the format https://example.com:port.
      • Tunnel+Proxy – Redirects traffic to a specified HTTP proxy that resides behind the Tunnel.
        Note: This action is supported only by the Tunnel SDK on iOS as used by the Workspace ONE Web app. The only configuration required here is the proxy host; the proxy destinations must be provided to the Workspace ONE Web app.
    4. Destination: Enter the hostnames that the rule's action applies to. For example, with the Block action, enter all the domains that the app must be prevented from reaching.

      Use a comma (,) to distinguish between hostnames.

      You can use wildcard characters for your hostnames. Wildcards must follow the format:

      • *.<domain>.*
      • *<domain>.*
      • *.* — You cannot use this wildcard for Safari domain rules.
      • * — You cannot use this wildcard for Safari domain rules.
    5. Select Save to save your changes.
    Manage Applications
    1. Click Add.
    2. Select the Platform.
    3. For Windows Tunnel Desktop Client, complete the following steps:
      • Enter a Friendly Name for the application.
      • Select the App Type.
      • Enter the App Identifier.
        The App Identifier is the path or the package family name (PFN) of the application. For a Store App, the package family name (PFN) is used and can be found using the PowerShell command Get-AppxPackage *<app_name>. For a Desktop App, the file path is used. For example, you can use C:\Program Files (x86)\acme\app.exe.
        Note: macOS traffic rules can be created only if you are using UEM console 1910 or above. Older versions must configure the rules via a profile.
    4. For macOS applications, complete the following steps:
      • Enter the Friendly Name for the application.
      • Enter the Package ID.
      • Enter the Designated Requirement.
      • Enter the Path.

        This text box is optional and applies only to macOS Catalina and above. Enter the Path when the command-line utilities to be whitelisted are bundled inside an application. For example, the executable vmware-remotemks has to be whitelisted with its path details for the VMware Horizon Client application.

        To find the Bundle ID for a macOS application, see Extract macOS Bundle ID for Per-App Tunnel.
        Note: Currently, for all iOS devices only the default traffic rule is supported for IP addresses, because IP-based connections are not considered when evaluating the traffic rules. For Windows Desktop devices, the domains added to the destination must also be added to the DNS Resolution via Tunnel Gateway section in the Windows Desktop device profile.
      • Select Save to save your changes.

    To change an application, in the Manage Applications window, select the application you want to edit and make your changes.

    To delete an application, in the Manage Applications window, select the application you want to delete and click Delete.

  4. Select Save and Publish to update your applicable VMware Tunnel device profiles to a new version with the new network traffic rules. The updated device profiles publish to the assigned smart groups.
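As an added illustration, not part of this documentation or of the VMware Tunnel product code, the following Python models how rank-ordered rules, comma-separated destinations, the documented wildcard formats, the Safari wildcard restriction, the HTTPS proxy format and the iOS IP-address caveat combine to select an action. First-match-wins ordering, `*` matching any run of characters, and the sample application identifiers and hostnames are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed model of Per-App Tunnel Device Traffic Rules (not product code).
# Assumptions not stated in the documentation: rules are evaluated in rank
# order and the first match wins; '*' matches any run of characters.

@dataclass
class Rule:
    rank: int
    app: str            # triggering application identifier
    action: str         # Tunnel, Block, Bypass, Proxy or Tunnel+Proxy
    destinations: str   # comma-separated hostnames, wildcards allowed

def parse_destinations(text):
    # "Use a comma (,) to distinguish between hostnames."
    return [d.strip().lower() for d in text.split(",") if d.strip()]

def host_matches(host, pattern):
    # Escape every literal part; each '*' becomes '.*' (assumption).
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, host.lower()) is not None

def validate_destination(pattern, app):
    # '*.*' and '*' cannot be used for Safari domain rules.
    return not (app == "Safari" and pattern in ("*.*", "*"))

def validate_proxy(url):
    # Proxy action requires HTTPS in the form https://example.com:port
    return re.fullmatch(r"https://[A-Za-z0-9.-]+:\d{1,5}", url) is not None

def is_ip_literal(dest):
    try:
        ipaddress.ip_address(dest)
        return True
    except ValueError:
        return False

def evaluate(rules, default_action, app, destination, platform="iOS"):
    # On iOS only the default rule applies to IP-address destinations.
    if platform == "iOS" and is_ip_literal(destination):
        return default_action
    for rule in sorted(rules, key=lambda r: r.rank):
        if rule.app != app:
            continue
        if any(host_matches(destination, p)
               for p in parse_destinations(rule.destinations)):
            return rule.action
    return default_action

# Constructed sample rule set for a hypothetical mail app.
RULES = [
    Rule(1, "com.example.mail", "Block", "*.ads.example.*"),
    Rule(2, "com.example.mail", "Tunnel", "*.corp.example.com, intranet.example.com"),
    Rule(3, "com.example.mail", "Tunnel", "*"),
]
```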