The VMware Tunnel client on Windows now supports standalone enrollment. There is no requirement for device management or Workspace ONE HUB for configuration. Client version 2.1.8 supports all existing use cases and workflows, excluding standalone enrollment. Client version 3.1 supports standalone enrollment only, in both Full Device and Per-app Tunnel modes. Please continue using the Windows Tunnel client version 2.1.8 for all MDM workflows.

Consolidating the MDM and standalone workflows in a unified Windows Tunnel client is on our roadmap. Standalone enrollment supports both basic and SAML (Security Assertion Markup Language) authentication.

The VMware Tunnel client for Windows Desktop requires that devices be enrolled in Workspace ONE UEM and have the Workspace ONE Intelligent Hub installed.

Configuring a Profile for MDM

  1. Go to: Devices > Profiles & Resources > Profiles > ADD > ADD Profile > Windows > Windows Desktop > Device Profile.

    Shows the navigation path to add a Windows Device Profile.
  2. Configure the profile General settings.

    Shows the General settings.
  3. Select the VPN payload from the list and select Configure.

  4. Enter the Connection Name and select Workspace ONE Tunnel as the Connection type.

    Shows the VPN configurations box in the UEM console.

    The Server text box populates automatically with your VMware Tunnel component server URL. If this component is not configured, you will see a message and hyperlink to the system settings page where you can configure it.

  5. Select the Device Traffic Rules created under the tunnel configuration page. For more information, refer to: Configuring Network Traffic Rules.

  6. Enable the Desktop Client.

  7. Enter the XML code in the Custom Configuration XML textbox.

  8. Configure the network settings for Tunnel.

  9. Select Save & Publish.


    If you are migrating your devices from the Windows UWP client to the Windows desktop client, we recommend that you remove the previous VMware Tunnel profile and application once the new profile has propagated to devices.

Configuring a Profile for Standalone Enrollment

To set up a new Tunnel profile within the UEM console, go to: Groups and Settings > All Settings > System > Enterprise Integration > VMware Tunnel.

UEM Console path for Standalone Enrollment

Tunnel Configuration box in the console is shown

The client-side configurations section includes the original device traffic rule sets and the new Tunnel profiles.

From here, admins can manage their standalone enrollment client profiles and will no longer need to configure the VPN payload under the Device Profiles. The setup wizard will walk you through the first-time profile creation.

  1. Select Windows from the Platform drop-down menu.

  2. Enter a Connection Name for the profile.

  3. Select the appropriate Full Device DTR for this profile.

  4. Click Save.

The profile will then be associated with All devices at the Organization Group (OG).

Minimum Requirements for Standalone Enrollment:

  • UEM Console 2203+

  • Windows 10+

Current Limitations for Standalone Enrollment

  • Only one Tunnel Profile per platform can be set up at a particular Organization Group (OG).

  • The Tunnel client will only configure if it is enrolled at the OG where the Tunnel Profile is set up.

  • The profile is assigned to All devices at that OG; support for Assignment Groups is planned for a future release.

Custom Configuration for Windows Tunnel Profiles

The MDM Tunnel profile and the Tunnel profile for Standalone Enrollment support the following Custom Configurations.




Use this attribute to detect if your device is connected to a trusted network, based on your device's ability to reach a private URL. You can specify a comma-separated list for redundancy.


Use this attribute for resolving shortnames by using the search domains.


Use this attribute for setting a third-party certificate for the server authentication. If you do not know your subject CN name, you can open the certificate on the Windows device and go to the Details tab. You can find a row named Subject which contains the CN name of the certificate.


Use this attribute to enable the Tunnel service to start before you log in. This may be useful for specific domain authentication scenarios.


Use this attribute to prefer external DNS response over internal DNS response when DNS response is received from both.


Use this attribute to prefer internal DNS response over external DNS response when DNS response is received from both.

For example, you can enter the following XML code in the Custom Configuration XML text box.

<?xml version="1.0" encoding="utf-16"?>

Use the PreferInternalDNS or PreferExternalDNS XML code in the Configuration XML. If both the XML codes are used in the Configuration XML, then the PreferInternalDNS XML code takes precedence.

Network Settings for Windows Tunnel Profiles

The MDM Tunnel profile and the Tunnel profile for Standalone Enrollment support the following Custom Configurations.



Trusted Network Detection

Enter comma-separated trusted networks (For example,, ). VMware Tunnel is disabled when the device is on a trusted network.


As an alternative to the Probe URL, trusted networks can be detected based on the DNS connection suffix. Probe URLs take precedence over connection suffixes, and the Probe URL is the primary recommendation.
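
A pre-publish check for the trusted-network settings described above, as an added PowerShell example (not VMware code). It assumes that configured Probe URLs decide the result alone and that "reachable" means an HTTP success response; the function name, URLs and suffixes are constructed.

```powershell
# Added example, not VMware code. Function name, URLs and suffixes are constructed.
function Test-TrustedNetwork {
    param(
        [string]$ProbeUrls = '',           # comma-separated, as entered in the profile
        [string]$TrustedSuffixes = '',     # comma-separated DNS connection suffixes
        [string[]]$CurrentSuffixes = @(),  # suffixes present on this device's adapters
        [scriptblock]$Probe = {
            # Assumption: "reachable" means the URL answers with an HTTP success status.
            param($Url)
            try { $null = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 5; $true }
            catch { $false }
        }
    )
    $urls = @($ProbeUrls -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $want = @($TrustedSuffixes -split ',' | ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ })

    if ($urls.Count -gt 0) {
        # Assumption: when Probe URLs are configured they decide alone (precedence),
        # and one reachable URL from the list is enough (redundancy).
        $hits = @($urls | Where-Object { & $Probe $_ })
        $method = 'ProbeUrl'
    }
    else {
        $seen = @($CurrentSuffixes | ForEach-Object { "$_".Trim().ToLower() } | Where-Object { $_ })
        $hits = @($seen | Where-Object { $want -contains $_ })
        $method = 'DnsSuffix'
    }
    [pscustomobject]@{
        Trusted        = ($hits.Count -gt 0)
        TunnelExpected = ($hits.Count -eq 0)   # Tunnel is disabled on a trusted network
        Method         = $method
        Matched        = $hits
    }
}

# Constructed demo: a stub probe replaces the network so the calls run offline.
$stub = { param($Url) $Url -eq 'https://intranet.corp.example/health' }
Test-TrustedNetwork -ProbeUrls 'https://dc1.corp.example/ping, https://intranet.corp.example/health' -Probe $stub
# Probes configured but none reachable: a matching suffix does not make the network trusted.
Test-TrustedNetwork -ProbeUrls 'https://dc1.corp.example/ping' -TrustedSuffixes 'corp.example' `
    -CurrentSuffixes 'corp.example' -Probe { param($Url) $false }
# Suffix-only profile evaluated against an untrusted network.
Test-TrustedNetwork -TrustedSuffixes 'corp.example' -CurrentSuffixes 'home.arpa'
# On a real device: -CurrentSuffixes (Get-DnsClient).ConnectionSpecificSuffix
```

Run it without `-Probe` once on the corporate network and once off it; the `Trusted` value should differ between the two runs before the profile is published.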

DNS Resolution via Tunnel Gateway

Enhanced Domain Resolution: If enabled, all the domains resolve through the VMware Tunnel server based on the destination defined in the device traffic rule, regardless of the application originating the traffic.


This option is supported only on Windows Tunnel Desktop client 2.1 and above.

Domain / Add New Domain: In the DNS Resolution via Tunnel Gateway section, select Add New Domain to add domains to resolve through the Tunnel server.

Any domains added resolve through Tunnel regardless of the application originating the traffic. For example, resolves through the Tunnel server if you use Chrome's allowlist or the denylist from the Edge application.


If the Enhanced Domain Resolution option is enabled, this option is hidden.