Mobile single sign-on authentication for Android devices can be configured to bypass the Tunnel server when VPN access is not required. For single sign-on, only the Workspace ONE Tunnel mobile app is required.

Mobile Single Sign-On Without VPN Access

Mobile single sign-on authentication for Android devices can be configured to bypass the Tunnel server when VPN access is not required. Implementing Mobile SSO for Android authentication without a VPN uses the same configuration pages that you use to configure the VMware Tunnel. Because you are not installing the Tunnel server, you do not enter the VMware Tunnel server host name and port. Instead, you create a fictitious profile using the VMware Tunnel profile form. This fictitious profile prevents traffic from being directed to the Tunnel server. The Tunnel mobile app is used only for single sign-on.

In the Workspace ONE UEM console, you configure the following settings.

  • Per App Tunnel component in the Workspace ONE Tunnel. This configuration allows Android devices access to managed public apps through the VMware Tunnel mobile app client.
  • Per App Tunnel Profile. This profile is used to enable the per app tunneling capabilities for Android.
  • Network Traffic Rules. Because the Tunnel server is not configured, you select Bypass in the Network Traffic Rules page so that no traffic is directed to a Tunnel server.
  • Create device traffic rules with a list of all the applications that are configured for per app VPN, the proxy server details, and the VMware Workspace ONE Access URL.

Mobile Single Sign-On with VPN Access

When the application configured for single sign-on is also used to access intranet resources behind the firewall, configure VPN access and set up the Tunnel server. When single sign-on is configured with VPN, the Tunnel client can optionally route application traffic and login requests through the Tunnel server. In this case, the Tunnel client configuration in the console points to the Tunnel server instead of using the default configuration for single sign-on mode.

Implementing Mobile SSO for Android authentication for managed Android devices requires configuring the VMware Tunnel in the Workspace ONE UEM console and installing the VMware Tunnel server before you configure Mobile SSO for Android in the Workspace ONE Access console. The VMware Tunnel service provides per app VPN access to Workspace ONE UEM managed apps. VMware Tunnel also provides the ability to proxy traffic from a mobile application to the Workspace ONE Access service for single sign-on.

In the Workspace ONE UEM console, you configure the following settings.

  • Per App Tunnel component in the VMware Tunnel. This configuration allows Android devices access to internal and managed public applications through the VMware Tunnel mobile app client.

    After the Tunnel settings are configured in the Workspace ONE UEM console, you download the VMware Tunnel installer and proceed with the installation of the server.

  • Android VPN profile. This profile is used to enable the per app tunneling capabilities for Android.
  • Enable VPN for each app that uses the application tunnel functionality from the Workspace ONE UEM console.
  • Create device traffic rules with a list of all the applications that are configured for per app VPN, the proxy server details, and the Workspace ONE Access URL.

For detailed information about installing and configuring the VMware Tunnel, see the VMware Tunnel Guide on the VMware Workspace ONE UEM documentation page.