DEPLOYING VMWARE WORKSPACE ONE TUNNEL FOR IOS: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL
VMware Workspace ONE
GUIDE – MAY 2019
PRINTED 2 OCTOBER 2019


Table of Contents

Overview

– Introduction

– Audience

Deploying VMware Workspace ONE Tunnel for iOS

– Introduction

– Prerequisites

– Logging In to the Workspace ONE UEM Console

– Creating Per-App VPN Profile

– Publishing VMware Tunnel as a Public App

– Configuring Workspace ONE Web for Per-App VPN

– Testing Per-App VPN on iOS

– Configuring Safari Domain Profiles

– Testing Safari Domains with Per-App Tunnel

Summary and Additional Resources

– Conclusion

– Terminology Used in This Tutorial

– Additional Resources

– About the Author

– Feedback


OT-WS1-Tunnel-PerAppVPN

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, you explore how to configure and deploy the VMware Workspace ONE® Tunnel app to enable per-app VPN on an enrolled device. Procedures include creating and configuring a VPN profile and testing VPN access to VMware Workspace ONE® Web. You also configure Safari domain profiles and test Safari domains with per-app VMware Tunnel.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Workspace ONE® Access (formerly VMware Identity Manager) and VMware Workspace ONE® UEM is also helpful.

Deploying VMware Workspace ONE Tunnel for iOS

Introduction

Leveraging Per-App VPN allows you to control which applications on a device have access to your VPN by automatically enabling or disabling VPN access, based on which applications are active. You no longer need to provide a device-wide VPN on your devices, which can allow unintended or unauthorized apps or processes to access your VPN. In this tutorial, you explore how to configure and deploy VMware Workspace ONE® Tunnel to enable per-app VPN on an enrolled device.

These exercises involve the following components:

  • VMware Tunnel Client – The app used to securely connect to the VMware tunnel server (host) to provide Per-App VPN functionality
  • Tunnel Server (Host) – The physical or virtual server (Linux, Windows, UAG) where the tunnel service is installed, and to which the tunnel client connects
  • Per-App Tunnel – The same service for connecting to a secure tunnel channel (VPN) on a per-application basis, which is controlled and configured by the Per-App VPN profile
  • Per-App Tunnel Profiles – The Workspace ONE UEM profile that is pushed to the device that contains the Per-App VPN configurations that the tunnel client reads for Per-App VPN

For more information, see Configuring the VMware Tunnel Edge Service: VMware Workspace ONE Operational Tutorial.

Prerequisites

Before you can perform this exercise, you must meet the following requirements.

  • Workspace ONE UEM version 9.4 or later
  • iOS 7.0+ device enrolled in Workspace ONE UEM

In addition, you need to create a VPN tunnel. For more information, see Configuring the VMware Tunnel Edge Service: VMware Workspace ONE Operational Tutorial.

Logging In to the Workspace ONE UEM Console

To perform most of the steps in this exercise, you must first log in to the Workspace ONE UEM Console.


1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

2. Navigate to the VMware Workspace ONE UEM Console

For example, navigate to https://<WorkspaceONEUEMHostname> where WorkspaceONEUEMHostname is the host name of the Workspace ONE UEM console.

3. Authenticate In to the Workspace ONE UEM Console


  1. Enter your Username, for example, administrator.
  2. Click Next. After you click Next, the Password text box is displayed.


  1. Enter your Password, for example, VMware1!
  2. Click Login.

Note: If you see a Captcha, be aware that it is case sensitive.

Creating Per-App VPN Profile

For iOS 7+ devices and Android Enterprise devices, you can force selected applications to connect through your corporate VPN. Your VPN provider must support this feature, and you must publish the applications as managed applications.

In this activity, you configure the iOS profile which configures the tunnel client on the device to allow only designated applications to access content on internal servers.

1. Add a New Profile


  1. Click Add.
  2. Click Profile.

2. Select the OS for the Profile

Click Apple iOS.

3. Configure the General Properties of the Profile


  1. Enter the name, such as Per-App VPN in this example screenshot.
  2. Select the name of your device's assignment group, and select that group. For example, select All Devices ([email protected]) as the Assigned Smart Group.

4. Add a VPN Payload


  1. Click VPN from the Payload menu.
  2. Click Configure to access the VPN payload settings.

5. Configure the VPN Payload


  1. Select VMware Tunnel from the Connection Type drop-down menu.
  2. Select the Enable VMware Tunnel check box.
  3. Click Save & Publish.

6. Publish the VPN Profile


Click Publish.

Publishing VMware Tunnel as a Public App

In this activity, you deploy an application configured to use the VPN tunnel on iOS.

Note: A VPN tunnel must be set up before you begin adding it as a public application. For more information, see Configuring the VMware Tunnel Edge Service: VMware Workspace ONE Operational Tutorial.

1. Add VMware Tunnel as a Public App


  1. Click Add.
  2. Click Public Application.

2. Search the App Store for Tunnel App


  1. Select Apple iOS for the Platform.
  2. Enter an application Name. For example, VMware Tunnel.
  3. Click Next.

3. Select the VMware Tunnel Result

Click Select for the VMware Tunnel result.

4. Save and Assign VMware Tunnel


Click Save & Assign.

5. Add Assignment for VMware Tunnel


Click Add Assignment.

6. Configure VMware Tunnel Assignment Settings

  1. Click the Selected Assignment Groups field to display the list of created Assignment Groups. Enter All Devices, and select the All Devices ([email protected]) group.
  2. Select Auto for the App Delivery Method.

7. Configure Policies for VMware Tunnel


  1. Scroll down to find the Policies section.
  2. Select Enabled for Remove On Unenroll.
  3. Click Add.

8. Confirm Assignment and Save


  1. Verify that the assignment you created is displayed.
  2. Click Save & Publish.

9. Preview Assigned Devices and Publish

Click Publish.


Configuring Workspace ONE Web for Per-App VPN

Now that the tunnel client is assigned to the appropriate group, you can add an application enabled to use Per-App Tunnel. After enabling the setting that allows an application to use VPN, you must select the VPN profile that the app should use. Any application that you want to leverage Per-App VPN is pushed to the device from the Workspace ONE UEM Console as a managed app. There is one exception to this, which is the Safari application on iOS. This is covered in detail in a later exercise.

In this activity, you add an application (Workspace ONE Web) from the Public App store to be associated with the VPN profile you created.

1. Add Public Application

  1. Click Add.
  2. Click Public Application.

2. Search for the Application


  1. Select Apple iOS from the Platform drop-down menu.
  2. Enter the app name in the Name text box. For example, Workspace ONE Web.
  3. Click Next.

3. Select Workspace ONE Web

Click Select on the Workspace ONE Web application.

4. Save and Assign Workspace ONE Web


Click Save & Assign.

5. Add Assignment for Workspace ONE Web


Click Add Assignment.

6. Configure Workspace ONE Web Assignment Settings

  1. Click the Selected Assignment Groups field. This displays the list of created Assignment Groups. Enter All Devices and select the All Devices ([email protected]) group.
  2. Select AUTO for the App Delivery Method.

7. Configure Policies for Workspace ONE Web


  1. Scroll down to find the Policies section.
  2. Select Enabled for Remove On Unenroll.
  3. Select Enabled for App Tunneling.
  4. Select the profile named Per-App VPN that you created earlier.
  5. Click Add.

8. Confirm Assignment and Save


  1. Confirm that the Assignment you configured is displayed.
  2. Click Save & Publish.

9. Preview Assigned Devices and Publish

Click Publish.


Testing Per-App VPN on iOS

Now that the device is enrolled and has received the settings configured in the Workspace ONE UEM Console, you are ready to begin testing the Per-App VPN functionality. The applications assigned in the previous exercises should push down during enrollment. The VMware Tunnel and Workspace ONE Web applications should be installed on your device.

In this activity, launch Workspace ONE Web and access the internal website. Then verify that, although the VPN connection is active, other applications on the device are not able to access the tunnel or internal resources.

1. Launch Workspace ONE Web

Press the Home button on your device to return to the Launchpad. Swipe right to see the downloaded applications, if needed.

Tap the Workspace ONE Web icon to launch the application. If prompted, select OK to allow the Web to send your device push notifications.

2. Accept the Privacy Prompt


Tap I understand to accept the Privacy prompt.

3. Agree to the Data Sharing Prompt


Tap I agree to accept the Data Sharing Prompt.

4. Access the Internal Website with Workspace ONE Web


  1. When the application launches, enter the URL for your intranet website, such as https://internal.airwlab.com.
  2. Note how the VPN icon appears, indicating the connection is active. The application now connects to Workspace ONE UEM and retrieves the settings for your Organization Group.
  3. Note how the website loads and displays a Welcome message.

5. Select the URL from the Workspace ONE Web

  1. Press & hold the Navigation Bar in Workspace ONE Web.
  2. Click Select All to highlight the URL for the internal site.

6. Copy the URL from the Workspace ONE Web


Select Copy.

7. Open Safari

Return to the launchpad by pressing the Home button on your device. Open Safari by selecting the icon from the Launcher.

8. Paste the URL Into the Safari Browser


  1. Open a new tab by selecting the + sign on the navigation bar.
  2. Select the entry box on the navigation bar.
  3. Press & hold for a count of two then release on the entry box and select Paste.
  4. Select Go on the keyboard.

Note: The website does not load in the Safari browser due to DNS failure. The website is published to an internal DNS that can only be accessed when the VPN connection is being used. Although the VPN connection might remain active (look for the VPN icon in the status bar), Safari is not designated as an application that is allowed to use the Per-App VPN Tunnel. You may have multiple VPN configurations and multiple apps assigned for each VPN. Most public applications (apps using Cocoa framework) are compatible with per-app VPN on iOS.


Configuring Safari Domain Profiles

In this activity, you update the previously created Per-App VPN profile and deploy an application configured to use the VPN tunnel on iOS.

1. Update the Per-App VPN Profile

Return to the Workspace ONE UEM Console.

  1. Click Devices.
  2. Click Profiles & Resources.
  3. Click Profiles.
  4. Select the edit icon next to the Per-App VPN profile.

2. Add Version to Update the Existing Profile


  1. Click Add Version to allow editing.
  2. Select the VPN payload on the left.

3. Configure Safari Domains


  1. In the Safari Domains text box, enter the URL for your intranet website. For example, https://internal.airwlab.com.
     Note: The syntax for Safari Domains does not require a wildcard character. Enter only the domain host name to whitelist the entire domain to initiate VPN in Safari.
  2. Click Save & Publish.

4. Publish the Updated VPN Profile

Click Publish.


Testing Safari Domains with Per-App Tunnel

Now that the VPN profile has been updated to include the domain tested in the first example in the Safari Domains list, you can confirm that these settings have updated on the device and test the settings in the native Safari application.

1. Open Device Settings

Tap Settings.

2. Open VPN Settings


  1. Tap General.
  2. Scroll down to find the VPN section.
  3. Tap VPN.

3. Select Your VPN Configuration


Tap VPN Configuration #XXXXXX from your Per-App VPN profile.

4. View Included Per-App VPN Apps


All managed applications from the Workspace ONE UEM Console that are enabled to use Per-App VPN and domains listed in Safari Domains in the VPN profile appear in this list.

Whitelisting a domain in the Safari Domains list initiates a VPN connection on demand whenever the user browses to a site within this domain.

Note: Wildcards are not required when whitelisting a Safari Domain. The entire domain is automatically whitelisted for VPN On Demand when added to VPN profile.
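
An added example, not part of the VMware tutorial: a Python check that reads the Safari Domains entries from a per-app VPN payload and lists which host names each entry would send through the tunnel, so an overly broad entry is visible before the profile is published. The sample profile, the test host names, and the reduction of URL or wildcard entries to a bare host name are assumptions made here; the label-wise matching follows Apple's documented rule for the SafariDomains key.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed sample profile (not exported from a real console). Payload type
# and key names follow Apple's App-Layer VPN payload; all values are made up.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed.applayer</string>
      <key>VPNUUID</key><string>00000000-0000-0000-0000-000000000000</string>
      <key>SafariDomains</key>
      <array>
        <string>https://internal.airwlab.com</string>
        <string>*.airwlab.com</string>
        <string>com</string>
      </array>
    </dict>
  </array>
</dict>
</plist>"""

# Constructed host names used to show what each entry would pull into the tunnel.
TEST_HOSTS = ["internal.airwlab.com", "wiki.internal.airwlab.com",
              "notinternal.airwlab.com", "www.example.org"]


def normalize_domain(entry):
    """Reduce a Safari Domains entry to a bare host name and note what changed."""
    notes = []
    value = entry.strip().lower()
    if "://" in value:
        value = urlsplit(value).hostname or ""
        notes.append("URL reduced to host name")
    if value.startswith("*."):
        value = value[2:]
        notes.append("wildcard dropped (not required)")
    value = value.strip(".")
    if "." not in value:
        notes.append("single label: matches only that exact host")
    return value, notes


def host_matches(host, domain):
    """Assumed rule (Apple's documented SafariDomains matching): every label of
    the domain must equal a whole trailing label of the host."""
    h = host.lower().strip(".").split(".")
    d = domain.split(".")
    if len(d) == 1:
        return h == d
    return h[-len(d):] == d


def audit_profile(data, hosts=TEST_HOSTS):
    """Return one finding per Safari Domains entry in per-app VPN payloads."""
    findings = []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed.applayer":
            continue
        for entry in payload.get("SafariDomains", []):
            domain, notes = normalize_domain(entry)
            findings.append({
                "entry": entry,
                "domain": domain,
                "notes": notes,
                "tunneled": [h for h in hosts if host_matches(h, domain)],
            })
    return findings


if __name__ == "__main__":
    for f in audit_profile(SAMPLE_PROFILE):
        print(f"{f['entry']!r} -> {f['domain']!r} {f['notes']}")
        for h in f["tunneled"]:
            print("    tunneled:", h)
```

The second sample entry shows the effect described in the note above: adding the parent domain also tunnels notinternal.airwlab.com, which the narrower first entry does not.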

5. Open Safari

Return to the launchpad by pressing the Home button on your device. Open Safari by selecting the icon from the Launcher. The VPN icon should not be displayed in the toolbar.

6. Browse to the Internal URL


Notice that the website now loads in the Safari browser after the VPN profile is updated to include your intranet website in the Safari Domains list, whitelisting the domain for Per-App VPN. The website is published to an internal DNS that can be accessed only when the VPN connection is in use.

Summary and Additional Resources

Conclusion

This operational tutorial provided steps to leverage native Per-App VPN capabilities by publishing Per-App VPN profiles to your devices to ensure that only authorized apps are accessing your VPN. This eliminates the user requirement to manually start and end VPN connections based on what apps they are accessing. It also provides an extra layer of security to your corporate resources by ensuring that non-authorized apps are unable to connect to your VPN.

Terminology Used in This Tutorial

The following terms are used in this tutorial:


  • application store – A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
  • auto-enrollment – Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
  • catalog – A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
  • cloud – A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
  • device enrollment – The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as Workspace ONE Access (formerly VMware Identity Manager).
  • identity provider (IdP) – A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
  • mobile device management (MDM) agent – Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
  • one-touch login – A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
  • service provider (SP) – A host that offers resources, tools, and applications to users and devices.
  • virtual desktop – The user interface of a virtual machine that is made available to an end user.
  • virtual machine – A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level-up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.

About the Author

This tutorial was written by:

Andreano Lanusse, End-User-Computing Staff Architect, Technical Marketing, VMware.

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at [email protected].


VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001

www.vmware.com

Copyright © 2019 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.