Configure a VPN profile so that Windows desktop applications on your devices can connect to the internal sites you define through the VMware Tunnel. Using this functionality requires you to configure and install the Per-App Tunnel component as part of your VMware Tunnel installation.


The VMware Tunnel client for Windows Desktop requires that devices are enrolled in Workspace ONE UEM and have the Workspace ONE Intelligent Hub installed.


  1. Navigate to Devices > Profiles > List View > Add and select Windows. Then select Windows Desktop and Device Profile.
  2. Configure the profile General settings.
  3. Select the VPN payload from the list and select Configure.
  4. Enter the Connection Name and select Workspace ONE Tunnel as the Connection type.
    The Server text box populates automatically with your VMware Tunnel component server URL. If this component is not configured, you see a message and hyperlink to the system settings page where you can configure it.
  5. Select the Device Traffic Rules created under the tunnel configuration page. For more information, see Configure Network Traffic Rules for the Per-App Tunnel.
  6. Enable the Desktop Client.
  7. Enter the XML code in the Custom Configuration XML text box. You can set the following attributes based on your requirements:
    Settings Description

    Use this attribute to detect if your device is connected to a trusted network, based on your device's ability to reach a private URL. You can specify a comma-separated list for redundancy.


    Use this attribute for resolving shortnames by using the search domains.

    ServerCertSN Use this attribute for setting a third-party certificate for the server authentication. If you do not know your subject CN name, you can open the certificate on the Windows device and go to the Details tab. You can find a row named Subject which contains the CN name of the certificate.


    Use this attribute to enable the Tunnel service to start before you log in. This may be useful for specific domain authentication scenarios.


    Use this attribute to prefer the external DNS response over the internal DNS response when a DNS response is received from both.


    Use this attribute to prefer the internal DNS response over the external DNS response when a DNS response is received from both.
    For example, you can enter the following XML code in the Custom Configuration XML text box.
    <?xml version="1.0" encoding="utf-16"?>
    Note: Use either the PreferInternalDNS or the PreferExternalDNS XML code in the Configuration XML. If both XML codes are used in the Configuration XML, the PreferInternalDNS XML code takes precedence.
  8. Configure the network settings for Tunnel.
    Settings Description
    Trusted Network Detection
    Enter comma-separated trusted networks (For example,, ). VMware Tunnel is disabled when the device is on a trusted network.
    Note: As an alternative to the Probe URL, trusted networks can be detected based on the DNS connection suffix. Probe URLs take precedence over connection suffixes, and the Probe URL is the primary recommendation.
    DNS Resolution via Tunnel Gateway Enhanced Domain Resolution:
    If enabled, all the domains resolve through the VMware Tunnel server based on the destination defined in the device traffic rule, regardless of the application originating the traffic.
    Note: This option is supported only on Windows Tunnel Desktop client 2.1 and above.

    Domain / Add New Domain: In the DNS Resolution via Tunnel Gateway section, select Add New Domain to add domains to resolve through the VMware Tunnel server.

    Any domains added resolve through the VMware Tunnel server regardless of the application originating the traffic. For example, resolves through the VMware Tunnel server if you use Chrome's allow list or the deny list from the Edge application.
    Note: If the Enhanced Domain Resolution option is enabled, this option is hidden.
  9. Select Save & Publish.
    Note: If you are migrating your devices from the Windows UWP client to the Windows desktop client, we recommend that you remove the previous VMware Tunnel profile and application once the new profile has propagated to devices.