Configure the network traffic rules so that the VMware Tunnel client routes traffic to the web proxy for Android devices.

You list the Android apps that are configured with the per app VPN option to the traffic rules and configure the proxy server address and the destination host name.

Configure the device traffic rules to control how devices handle traffic from specified applications. Device traffic rules force the VMware Tunnel app to send traffic through the tunnel, block all traffic to specified domains, bypass the internal network straight to the Internet, or send traffic to a web proxy site

For detailed information about creating network traffic rules, see the VMware Tunnel Guide.

Prerequisites

  • VMware Tunnel is configured with the per-app tunnel component activate
  • Microsoft Intune Company Portal app configured to use the Device Traffic Rules with Android Mobile SSO
  • Android VPN profile created.
  • Per-App VPN enabled for each Android App that is added to the Network Traffic rules.

Procedure

  1. In the Workspace ONE UEM console, navigate to System > Enterprise Integration > VMware Tunnel > Network Traffic Rules.
  2. In the Device Traffic Rules tab, configure the device traffic rules settings as described in the VMware Tunnel Guide. Specific to the Mobile SSO for Android configuration, configure the following settings.
    1. Default Action. This rule is automatically configured and applies to all applications except Safari. The default action is always applied last.
      Option Description
      Tunnel Set the Action to Tunnel if VPN access is required for Mobile SSO for Android. All apps, except Safari, on the device configured for Per App VPN send network traffic through the tunnel.
      Bypass

      Set the Action to Bypass if VPN access is not required for Mobile SSO with Android. All apps, except Safari, on the device configured for Per App VPN bypass the tunnel and connect to the Internet directly.

      Important: With this implementation, no traffic is sent to the Tunnel server when the Tunnel client is used only for single sign-on.
      After the default rule is updated and the action is set to Bypass, a network traffic rule is added and configured for Android single sign-on.
    2. Select Add to create additional rules as required.
    3. Select the up and down arrows to rearrange the ranking of your network traffic rules. The default rule is the last rule in the ranking.
    4. In the Application column, add the Android apps that are configured with the per app VPN profile.
      Note: If Microsoft Office 365 is deployed with the Microsoft Intune Company Portal app, make sure that you add the Microsoft Company Portal app to the list of apps in the Device Traffic Rules.
    5. For tenants hosted in the cloud, in the Action column, select Proxy and specify the web proxy information. For example, enter as certproxy.vmwarews1access.<top-leveldomain>:5262.
      In the Destination Hostname column, enter your destination Workspace ONE Access host name. Enter as <tenant>.vmwarews1access.<top-leveldomain>. For example, myco.vmwarews1access.com. The VMware Tunnel client routes the traffic to the HTTPS proxy from the Workspace ONE Access host name.
    6. For on premises, in the Action column, select Proxy and specify the web proxy information. Enter the Workspace ONE Access host name and port. For example, login.example.com:5262.
      Note: For on-premises deployments, if you are providing external access to the Workspace ONE Access host, the firewall port 5262 (configurable) must be opened between devices on the Internet and the Workspace ONE Access host allowing Layer 4 TCP SSL passthrough on the load balancer/reverse proxy.
  3. Click Save.

What to do next

Publish these rules. After the rules are published, the device receives an updated VPN profile and the VMware Tunnel application is configured to enable SSO.

Go to the Workspace ONE Access console and configure Mobile SSO for Android in the Built-in Identity Provider page.