Mobile single sign-on (SSO) for Android is an implementation of the certificate authentication method for Workspace ONE UEM managed Android devices. Mobile SSO allows users to sign in to their device and securely access their Workspace ONE apps without reentering a password.

The Workspace ONE Tunnel® mobile app is installed on the Android device to add certificate and device ID information into authentication flows. The Tunnel settings are configured in the Workspace ONE UEM console to access the Workspace ONE Access service for authentication, and the service retrieves the certificate from the device for authentication.

In the Workspace ONE UEM console, you also configure the following settings.

  • Android VPN profile. This profile is used to enable the per app tunneling capabilities for Android.
  • Enable VPN for each app that uses the app tunnel functionality from the Workspace ONE UEM console.
  • Create network traffic rules with a list of all the apps that are configured for Per App VPN, the proxy server details, and the Workspace ONE Access URL.

When implementing mobile SSO for Android with the Workspace ONE Access service on premises, you configure the cert proxy service on the Workspace ONE Access appliance. After the cert proxy service is configured, you can configure certificate authentication in the Workspace ONE Access built-in identity provider from the Workspace ONE Access console.

When implementing mobile SSO for Android with the Workspace ONE Access service in the cloud, you can configure certificate authentication in the Workspace ONE Access built-in identity provider from the Workspace ONE Access console. The cert proxy service is managed for you.

See the Android Mobile Single Sign-on to VMware Workspace One publication in the Workspace ONE Documentation Center for detailed information about setting up Android Mobile SSO.