Enable Mobile Single Sign-On (SSO) with Workspace ONE Tunnel

You can enable single sign-on (SSO) for applications, including XR Hub and third-party apps, that run on your VR headsets.

SSO for native Android applications with Workspace ONE XR Hub requires that a device is either a dedicated device or a shared device that has been checked out to a user. There are several steps to setting up SSO for native Android applications with Workspace ONE XR Hub.

Note: Please ensure that your organization has implemented Mobile Single Sign-On Authentication for Workspace ONE UEM Managed Android Devices before proceeding with the following steps.

Set Up SSO for Workspace ONE Access

  1. Log in to the Workspace ONE Access Admin Console as your tenant admin.

  2. Navigate to Resources > Policies.

  3. Select default_access_policy_set.
  4. Select Edit.
  5. Select Configuration.
  6. Select Add Policy Rule.
  7. Set up the policy rule for ALL RANGES, Android, Mobile SSO, Password.

Add Workspace ONE Tunnel

Add the Workspace ONE Tunnel (Tunnel) client to Workspace ONE UEM to provide mobile SSO capabilities to XR Hub enrollment. After upload, Tunnel can then be assigned to a group of users or devices (smart groups). Additional deployment assignments can be added in the future by selecting Add Assignment.

  1. In the Workspace ONE UEM console, navigate to Resources > Apps > Native and select the Internal tab.
  2. Select Add > Application File at the top of the application list.
  3. Select the Organizational Group where the application resides. Note: Best practice is to choose the highest level at which the application should be visible, so that lower-level Organizational Groups can see it. For a flattened hierarchy this is typically the top level.
  4. Upload the .apk file for the Tunnel application downloaded from My Workspace ONE.
  5. Click Save & Assign. You can stop (press cancel) at this point if you are not ready to assign the application deployment, as the app has already been uploaded and saved. To assign the application see Step 2.

Assign Workspace ONE Tunnel

  1. On the Assignments tab, select Add Assignment.
  2. In the Distribution tab, enter the following information:

    Setting               Description
    Name                  Enter an assignment name for the deployment assignment.
    Description           Enter the assignment description.
    Assignment Groups     Enter the smart group name(s) for your VR headsets to receive the deployment.
    Deployment Begins On  For a typical as-soon-as-enrolled deployment choose the current date/time.
    App Delivery Method   For a typical as-soon-as-enrolled deployment choose Automatic.

  3. In the Restrictions tab, enable the Managed Access slider.

  4. Select Create and select Save & Publish.

Configure Workspace ONE Tunnel

  1. In the Workspace ONE UEM console go to Groups & Settings > Configurations > Tunnel.
  2. Configure the following settings.

    • Deployment Type - Basic
    • Hostname

      • If Per App VPN is not being implemented, Hostname can be any value such as mytunnel.mydomain.com.
      • If Per App VPN is being used, Hostname must be set to the externally accessible endpoint of the Unified Access Gateway (UAG) used for the Tunnel VPN service.
    • Port - 8443 or the appropriate port if Per App VPN is being used.

    • SSL (Server Authentication) - set to “AirWatch”
    • Authentication (Client Authentication) - set to “AirWatch”
  3. Select Save.

Create Tunnel Profile

  1. In the Workspace ONE UEM console, navigate to Resources > Profiles & Baselines > Profiles.
  2. Select Add > Add Profile and select Android.
  3. Give a name for the profile such as VR SSO Tunnel.
  4. Scroll down and Select VPN and Select ADD.
  5. Configure Connection Info with the following settings.

    Setting               Description
    Connection Type       Accept “Default - Workspace ONE Tunnel”
    Connection Name       Accept the Default or it can be changed per your preferences.
    Server                Accept the Default.
    Device Traffic Rules  Select the rules that have been created if using Per App VPN.

  6. Select Custom Settings and Select ADD.

  7. Generate a unique ID from this website: https://www.uuidgenerator.net/version1 and use it to replace the PASTE YOUR UUID HERE placeholder in the XML below.
  8. Copy and paste the following XML into the custom settings field to enable the Tunnel App to start without confirmation.

    <characteristic type="com.airwatch.android.androidwork.app:com.airwatch.tunnel" uuid="PASTE YOUR UUID HERE">
        <parm name="DisplayPrivacyDialog" value="false" type="boolean" />
        <parm name="DisplayWelcomeScreen" value="false" type="boolean" />
        <parm name="FilterDiagnosticsView" value="true" type="boolean" />
    </characteristic>

  9. Select Next.

  10. For Smart Group select the VR headset smart group(s) to be assigned.
  11. Select Save and Publish.
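
Added example (not part of the original documentation and not VMware tooling): a Python script that builds the step 8 custom settings XML with a locally generated version 1 UUID and checks a payload before it is pasted into the console. The function names are hypothetical; the type string and parm values are the ones shown in step 8.

```python
import uuid
import xml.etree.ElementTree as ET

# Type string and parm values copied from the step 8 XML on this page.
CHARACTERISTIC_TYPE = "com.airwatch.android.androidwork.app:com.airwatch.tunnel"
EXPECTED_PARMS = {"DisplayPrivacyDialog": "false", "DisplayWelcomeScreen": "false",
                  "FilterDiagnosticsView": "true"}


def build_custom_settings(profile_uuid=None):
    """Return the step 8 XML with a UUID filled in (generated locally if omitted)."""
    # uuid1() is a version 1 UUID, the kind the linked generator produces;
    # it encodes a timestamp and, typically, the generating host's MAC address.
    profile_uuid = profile_uuid or str(uuid.uuid1())
    root = ET.Element("characteristic", {"type": CHARACTERISTIC_TYPE, "uuid": profile_uuid})
    for name, value in EXPECTED_PARMS.items():
        ET.SubElement(root, "parm", {"name": name, "value": value, "type": "boolean"})
    ET.indent(root, space="    ")  # requires Python 3.9+
    return ET.tostring(root, encoding="unicode")


def lint_custom_settings(xml_text):
    """Return a list of problems found in a payload (empty list means OK)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != "characteristic" or root.get("type") != CHARACTERISTIC_TYPE:
        problems.append("root must be <characteristic> with the Tunnel type")
    try:
        uuid.UUID(root.get("uuid", ""))
    except ValueError:
        problems.append("uuid attribute is not a valid UUID (placeholder left in?)")
    seen = {}
    for parm in root.findall("parm"):
        if parm.get("type") != "boolean" or parm.get("value") not in ("true", "false"):
            problems.append(f"parm {parm.get('name')}: expected boolean true/false")
        seen[parm.get("name")] = parm.get("value")
    for name, value in EXPECTED_PARMS.items():
        if seen.get(name) != value:
            problems.append(f"parm {name}: expected {value!r}, found {seen.get(name)!r}")
    return problems


if __name__ == "__main__":
    print(build_custom_settings())
    # Constructed sample: placeholder left in and closing tag missing.
    bad = '<characteristic type="%s" uuid="PASTE YOUR UUID HERE">' % CHARACTERISTIC_TYPE
    print(lint_custom_settings(bad))
```
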

Configure Application(s) for SSO

  1. In the Workspace ONE UEM console, navigate to Resources > Apps > Native and select the Internal tab.
  2. Select the current version number of XR Hub (for example “”) in the UEM Version column. The App Details View displays.
  3. Select the Assign button at the top right of the Details View to launch the assignment window.
  4. Select the Assignment Name to edit the Tunnel configuration for that assignment.
  5. On the Tunnel tab, for Android Select the Tunnel Profile that has been created.
  6. Select Save then Save then Publish.

Configure Tunnel Traffic Rules

  1. In the Workspace ONE UEM console, navigate to Groups & Settings > Configurations > Tunnel.
  2. Configure the following settings:

    a. Under Device Traffic Rule Sets Select Edit and Select Default.

    b. For Application, All Other Apps, change the Action to “BYPASS”.

    c. Select Add Rule.

    Setting      Description
    Application  Select the application(s) for which to enable SSO.
    Action       Change the setting to PROXY.
    Web Proxy    Enter the web proxy address: certproxy.workspaceoneaccess.com:5262 (SaaS) or certproxy.ws1.mycompany.com:5262 (on-prem example)
    Destination  Enter the FQDN of the Workspace ONE Access server with a wildcard asterisk. For example: *mycompany.workspaceoneaccess.com* (SaaS) or *ws1.mycompany.com* (on-prem)

    d. Select Save, OK and then Close.

Configure Per App VPN with Workspace ONE Tunnel (Tech Preview)

With Workspace ONE Tunnel deployed and configured on your VR devices, you can now take advantage of not just Mobile SSO but also per-app VPN. This capability gives specific applications secure access into the corporate network from outside.

Per App VPN requires the installation and configuration of one or more VMware Unified Access Gateways (UAG). Refer to the Introduction to VMware Tunnel documentation for steps on how to set up the UAG appliance and configure the Tunnel service. These steps are not needed if simply using the Workspace ONE Tunnel client for Mobile SSO.
