You enable the Per App Tunnel component in the VMware Tunnel settings to set up per app tunneling functionality for Android devices. Per app tunneling allows your internal and managed public applications to access your corporate resources on an app-by-app basis.

About this task

The VPN can automatically connect when a specified app is launched.


  1. In the AirWatch admin console, navigate to System > Enterprise Integration > VMware Tunnel.
  2. The first time you configure VMware Tunnel, select Configuration and follow the configuration wizard. Otherwise, select Override and select Enable. Then click Configure.
  3. In the Configuration Type page, enable Per-App Tunnel (Linux Only). Click Next.

    Leave Basic as the deployment model.

  4. In the Details page, for the Per-App Tunneling Configuration enter the VMware Tunnel server host name and port. For example, enter as Click Next.
  5. In the SSL page, configure the Per-App Tunneling SSL Certificate. To use a public SSL certificate, select the Use Public SSL Certificate check box. Click Next.

    The Tunnel Device Root Certificate is automatically generated.

    SAN certificates are not supported. Make sure that your certificate is issued for the corresponding server host name or is a valid wildcard certificate for the corresponding domain.

  6. In the Authentication page, select the certificate authentication type to use. Click Next.

    Default

    Select Default to use the AirWatch issued certificates.

    Enterprise CA

    A drop-down menu listing the certificate authority and certificate template that you configured in AirWatch is displayed. You can also upload the root certificate of your CA.

    If you select Enterprise CA, make sure that the CA template contains the subject name CN=<udid>:<string>. You can download the CA certificates from the VMware Tunnel configuration page.

    If device compliance check is configured for Android, make sure that the CA template contains the Subject Name CN={DeviceUid} or set a SAN type to include the UDID. Select the SAN type DNS Name. The value must be UDID={DeviceUid}.

  7. Click Next.
  8. In the Profile Association page, associate an existing VMware Tunnel VPN profile for Android or create a new one.

    If you create the profile in this step, you must still publish the profile. See Configure Android Profile in AirWatch.

  9. (Optional) In the Miscellaneous page, enable the access logs for the Per-App Tunnel components. Click Next.

    You must enable these logs before you install the VMware Tunnel server.

  10. Review the summary of your configuration and click Save.

    You are directed to the system settings configuration page.

  11. Select the General tab and download the Tunnel virtual appliance.

    You can use VMware Unified Access Gateway to deploy the Tunnel server.

What to do next

Install the VMware Tunnel server. For instructions, see the VMware Tunnel Guide on the AirWatch Resources Web site.
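
The certificate naming rules in steps 5 and 6 can be checked before a certificate is uploaded or a CA template is put into use. The following Python is an added example, not part of the original procedure or of any VMware tool: it reads the subject line printed by `openssl x509 -noout -subject`, and the host name, UDID and subject strings in it are constructed samples. It assumes that a wildcard covers exactly one left-most label and that the UDID is everything before the first colon in the CN.

```python
import re

def subject_cn(subject_line):
    """Return the CN from `openssl x509 -noout -subject` output, or None."""
    # Handles both "subject=CN = host, O = x" and "subject= /O=x/CN=host".
    dn = re.sub(r"^\s*subject\s*=\s*", "", subject_line.strip())
    m = re.search(r"(?:^|[,/])\s*CN\s*=\s*([^,/]+)", dn)
    return m.group(1).strip() if m else None

def server_cert_fits(subject_line, tunnel_host):
    """Step 5: CN must be the Tunnel host name or a wildcard covering it.

    SAN entries are not consulted, because the page states that SAN
    certificates are not supported here.
    """
    cn = subject_cn(subject_line)
    if not cn:
        return False
    cn, host = cn.lower().rstrip("."), tunnel_host.lower().rstrip(".")
    if cn == host:
        return True
    if cn.startswith("*."):
        # Assumption: "*" stands for exactly one left-most label.
        label, _, parent = host.partition(".")
        return bool(label) and "." in parent and parent == cn[2:]
    return False

def client_cn_fits(subject_line, device_udid):
    """Step 6, Enterprise CA: CN must have the form <udid>:<string>."""
    cn = subject_cn(subject_line)
    if not cn:
        return False
    # Assumption: the UDID is everything before the first colon.
    udid, sep, rest = cn.partition(":")
    return sep == ":" and udid == device_udid and rest != ""

if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    host = "tunnel.example.com"
    udid = "0a1b2c3d4e5f60718293a4b5c6d7e8f9"
    print(server_cert_fits("subject=CN = *.example.com, O = Example", host))
    print(server_cert_fits("subject=CN = vpn.example.com", host))
    print(client_cn_fits(f"subject=CN = {udid}:tunnel-client", udid))
    print(client_cn_fits("subject=CN = tunnel-client", udid))
```

A server certificate that fails the check would need to be reissued with the Tunnel host name, or a wildcard for its domain, in the CN before it is used in step 5.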