You enable the Per App Tunnel component in the VMware Tunnel settings to set up per app tunneling functionality for Android devices. Per app tunneling allows your internal and managed public apps to access your corporate resources on an app-by-app basis.

Note: If you are configuring single sign-on for Android devices only and are not using VPN Access, in the Details page enter fictitious values for the host name and port, because for the single sign-on configuration this information is not used.


  1. In the Workspace ONE UEM console, navigate to System > Enterprise Integration > VMware Tunnel > Configuration.
    If this is the first time you configure VMware Tunnel, select Configure and follow the configuration wizard. Otherwise, select Override and select the Enable VMware Tunnel check box. Then click Configure
  2. In the Configuration Type page, enable Per-App Tunnel (Linux Only).
    Choose between Basic and Cascade mode. See the VMware Tunnel Guide for assistance with choosing the appropriate method.
    Click Next.
  3. In the Details page, for the Per-App Tunneling Configuration, enter the VMware Tunnel server FQDN public host name and port if using VPN Access.
    Click Next.
  4. In the SSL page, configure the Per-App Tunneling SSL Certificate. To use a public SSL, select the Use Public SSL Certificate check box. Click Next.
    A Workspace ONE UEM (AirWatch) certificate can be generated automatically. If you prefer to use your public SSL certificate, check the text box and upload the certificate.
  5. Click Next.
    The Tunnel Device Root Certificate is automatically generated when you click Next.
  6. In the Authentication page, select the certificate authentication type to use. Click Next.
    Option Description
    Default Select Default to use the Workspace ONE UEM issued certificates.
    Enterprise CA A drop-down menu listing the certificate authority and certificate template that you configured is displayed. You can also upload the root certificate of your CA.
    If you select Enterprise CA, make sure that the CA template contains the subject name CN={DeviceUid}:{EnrollmentUser}. Make sure to include the colon ( :). You can download the CA certificates from the VMware Tunnel configuration page.

    Another option for specifying the device ID is to put a DNS SAN in the certificate with the value UDID={DeviceUid}.

  7. Click Next.
  8. (Optional) In the Miscellaneous page, enable the access logs for the Per-App Tunnel components. Click Next.
  9. Review the summary of your configuration and click Save.
    You are directed to the system settings configuration page.
  10. Select the Configuration >General tab and click Download Unified Access Gateway.

What to do next

Configure the VMware Tunnel Settings for Workspace ONE UEM. For instructions, see the latest Unified Access Gateway documentation.