Configuring your client is the last step to deploying the VMware Workspace ONE Tunnel solution. This also includes setting up your device traffic rules, client and device profiles, and any custom configurations you might desire.

VMware Tunnel enables secure access for mobile workers and devices. Users have a simple experience and need not enable or interact with Tunnel, and IT organizations may take a least-privilege approach to enterprise access, ensuring only defines apps and domains have access to the network.

Preparing for your installation ensures a smooth installation process. Installation includes performing preliminary steps in the Workspace ONE UEM console, and setting up a server that meets the listed hardware, software, and network requirements.


Before starting your client configurations, confirm the following components.

  • Your Gateway needs to be installed and configured correctly. Refer to the Gateway Configurations topic for more details.
  • You have installed a device for the platform you will be using (Windows, macOS, Android, or iOS).
  • You have Workspace ONE UEM version 2109 or later installed. From that console, you will also need to confirm the following settings are also enabled:
    • Your Organization Group are created and set as "Customer" Type.
    • You have a current Device Root Certificate. issued.
    • You have configured Tunnel.
There are also some per-deployment configurations that need to be confirmed are set before deploying VMware Tunnel.
  • Confirm that your API (Application Programming Interface) and AWCM (AirWatch Cloud Messaging) are installed correctly, running, and communicating with the Workspace ONE UEM without any errors.
  • After completing AWCM Server configuration, you can configure Tunnel settings per your deployment's configuration and functionality needs in the Workspace ONE UEM console.
  • After you complete the Tunnel configuration, you also must configure various settings to enable the VMware Web and Tunnel-enabled apps to use Tunnel. Doing so ensures all HTTP(S) and TCP/ UDP traffic for the specified applications is routed through the Tunnel.
  • You can configure more settings that are optional for the Tunnel deployment. Except where noted, you can configure these settings before or after installation.

Configuring VMware Tunnel to Devices

The workflow to enable and use Per-App or Full Device tunneling in Workspace ONE UEM includes creating a VPN Tunnel profile for your end-user devices. These profiles depend on your device platform. After you create a VPN Tunnel profile, push the profiles and the apps to the devices.

An on-demand feature lets you configure apps to connect automatically using Tunnel when launched. The connection remains active until a time-out period of receiving no traffic, then it is disconnected. When using Tunnel, no IP address is assigned to the device, so you do not need to configure the network or assign a subnet to connected devices. In addition, iOS apps can use the iOS DNS Service to send DNS queries through the Tunnel server to the DNS server on a corporate network. This service allows applications such as Web browsers to use your corporate DNS server to look up the IP address of your internal Web servers.

Other Resources

VMware also offers a Digital Workspace Tech Zone who's mission is to provide the resources you need, wherever you are in your digital workspace journey. They have created a tutorial that explores how to configure and deploy the VMware Workspace ONE Tunnel app across iOS, Android, macOS, and Windows platforms to enable Per-App Tunnel on a managed device.