The VMware Tunnel client on Windows now supports standalone enrollment. There is no requirement for device management or Workspace ONE HUB for configuration. Client version 2.1.8 supports all existing use cases and workflows excluding standalone enrollment. Client version 3.1 supports standalone enrollment only, and supports both Full Device and Per-App Tunnel modes. Please continue using the Windows Tunnel client version 2.1.8 for all MDM workflows. Consolidating the MDM and standalone workflows in a unified Windows Tunnel client is on our roadmap. Standalone enrollment supports both basic and SAML authentication.
The VMware Tunnel client for Windows Desktop requires that devices are enrolled in Workspace ONE UEM and have the Workspace ONE Intelligent Hub installed.
Navigate to and select Windows.
Configure the profile General settings.
Select the VPN payload from the list and select Configure.
Enter the Connection Name and select Workspace ONE Tunnel as the Connection type.
The Server text box populates automatically with your VMware Tunnel component server URL. If this component is not configured, you see a message and hyperlink to the system settings page where you can configure it.
Select the Device Traffic Rules created under the tunnel configuration page. For more information, see Configure Network Traffic Rules for the Per-App Tunnel.
Enable the Desktop Client.
Enter the XML code in the Custom Configuration XML text box.
Configure the network settings for Tunnel.
Select Save & Publish.
Note: If you are migrating your devices from the Windows UWP client to the Windows desktop client, we recommend that you remove the previous VMware Tunnel profile and application once the new profile has propagated to devices.
Navigate to Devices > Profiles > List View > Add and select Windows.
Select Windows Desktop and Device Profile.
Configure the profile General settings.
Select the VPN payload from the list, then select Configure.
Enter the Connection Name and select Workspace ONE Tunnel as the Connection type.
Note: The Server text box populates automatically with your VMware Tunnel component server URL. If this component is not configured, you see a message and hyperlink to the system settings page where you can configure it.
Select the appropriate Device Traffic Rules created under the tunnel configuration page.
Note: For more information, see Configure Network Traffic Rules for the Per-App Tunnel.
Enable the Desktop Client.
Select Save & Publish.
Tunnel Profile for Standalone Enrollment
To set up a new Tunnel profile within the UEM console, navigate to:
. Under the client-side configurations section, you will see that it includes the original device traffic rule sets and the new Tunnel profiles.
From here, admins can manage their standalone enrollment client profiles and will no longer need to configure the VPN payload under the Device Profiles. The setup wizard will walk you through the first-time profile creation.
Select Windows from the Platform drop-down menu.
Enter a Connection Name for the profile.
Select the appropriate Full Device DTR for this profile.
Click Save.
The profile will then be associated to All devices at the Organization Group (OG).
Minimum Requirements for Standalone Enrollment:
UEM Console 2203+
Windows 10+
Current Limitations for Standalone Enrollment
Only one Tunnel Profile per platform can be set up at a particular Organization Group (OG).
The Tunnel client will only configure if it is enrolled at the OG where the Tunnel Profile is set up.
The profile is assigned to All devices at that OG; support for Assignment Groups is planned for a future release.
TrustedNetworkProbeUrl
Use this attribute to detect if your device is connected to a trusted network, based on your device's ability to reach a private URL. You can specify a comma-separated list for redundancy.
DnsSearchDomain
Use this attribute for resolving shortnames by using the search domains.
ServerCertSN
Use this attribute for setting a third-party certificate for the server authentication. If you do not know your subject CN name, you can open the certificate on the Windows device and go to the Details tab. You can find a row named Subject which contains the CN name of the certificate.
StartTunnelPreLogon
Use this attribute to enable the Tunnel service to start before you log in. This may be useful for specific domain authentication scenarios.
PreferExternalDNS
Use this attribute to prefer the external DNS response over the internal DNS response when a DNS response is received from both.
PreferInternalDNS
Use this attribute to prefer the internal DNS response over the external DNS response when a DNS response is received from both.
For example, you can enter the following XML code in the Custom Configuration XML text box.
<?xml version="1.0" encoding="utf-16"?>
<CustomConfiguration>
<TrustedNetworkProbeUrl>http://probeurl</TrustedNetworkProbeUrl>
<ServerCertSN>SubjectNameofCertificate</ServerCertSN>
<DnsSearchDomain>domainname</DnsSearchDomain>
<PreferExternalDNS>true</PreferExternalDNS>
<PreferInternalDNS>true</PreferInternalDNS>
</CustomConfiguration>
Note: Use either the PreferInternalDNS or the PreferExternalDNS XML code in the Configuration XML. If both XML codes are used in the Configuration XML, the PreferInternalDNS XML code takes precedence.
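A pre-publish check for the Custom Configuration XML described above, as an added example (not VMware's code or part of the original page). The function name `lint_custom_config`, the requirement that probe entries be http(s) URLs with a host, and the case-insensitive `true` comparison are assumptions made for this sketch; the attribute names and the DNS precedence rule come from the page.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Attribute names taken from the list on this page.
DOCUMENTED = {"TrustedNetworkProbeUrl", "DnsSearchDomain", "ServerCertSN",
              "StartTunnelPreLogon", "PreferExternalDNS", "PreferInternalDNS"}

def lint_custom_config(xml_text):
    """Return (findings, effective_dns_preference) for a Custom Configuration XML string."""
    # Drop the XML declaration so the already-decoded string parses whatever
    # encoding it names (the page's sample declares utf-16).
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(body)
    findings = []
    if root.tag != "CustomConfiguration":
        findings.append(f"root element is <{root.tag}>, expected <CustomConfiguration>")
    values = {}
    for child in root:
        if child.tag not in DOCUMENTED:
            findings.append(f"<{child.tag}> is not an attribute documented on the page")
        elif child.tag in values:
            findings.append(f"<{child.tag}> appears more than once")
        values[child.tag] = (child.text or "").strip()
    # Probe URLs may be a comma-separated list. Assumption: each entry is an
    # http(s) URL with a host, like the page's sample value.
    for url in filter(None, (u.strip() for u in values.get("TrustedNetworkProbeUrl", "").split(","))):
        parts = urlparse(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            findings.append(f"probe URL {url!r} is not an http(s) URL with a host")
    internal = values.get("PreferInternalDNS", "").lower() == "true"
    external = values.get("PreferExternalDNS", "").lower() == "true"
    if internal and external:
        findings.append("both DNS preferences set; PreferInternalDNS takes precedence")
    effective = "internal" if internal else "external" if external else "unset"
    return findings, effective

# Constructed sample: the page's example plus a misspelled element and a bare hostname.
SAMPLE = """<?xml version="1.0" encoding="utf-16"?>
<CustomConfiguration>
<TrustedNetworkProbeUrl>http://probeurl, probe2.corp.example</TrustedNetworkProbeUrl>
<ServerCertSN>SubjectNameofCertificate</ServerCertSN>
<DnsSearchdomain>domainname</DnsSearchdomain>
<PreferExternalDNS>true</PreferExternalDNS>
<PreferInternalDNS>true</PreferInternalDNS>
</CustomConfiguration>"""

if __name__ == "__main__":
    for finding in lint_custom_config(SAMPLE)[0]:
        print("WARN:", finding)
```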
Network Settings for Windows Tunnel Profiles
The MDM Tunnel profile and the Tunnel profile for Standalone Enrollment support the following Custom Configurations.
Trusted Network Detection
Enter comma-separated trusted networks (for example, acme.com, abc.net). VMware Tunnel is disabled when the device is on a trusted network.
Note: As an alternative to the Probe URL, trusted networks can be detected based on the DNS connection suffix. Probe URLs take precedence over connection suffixes, and the Probe URL is the primary recommendation.
DNS Resolution via Tunnel Gateway
Enhanced Domain Resolution: If enabled, all the domains resolve through the VMware Tunnel server based on the destination defined in the device traffic rule, regardless of the application originating the traffic.
Note: This option is supported only on Windows Tunnel Desktop client 2.1 and above.
Domain / Add New Domain: In the DNS Resolution via Tunnel Gateway section, select Add New Domain to add domains to resolve through the VMware Tunnel server.
Any domains added resolve through the VMware Tunnel server regardless of the application originating the traffic. For example, vmware.com resolves through the VMware Tunnel server if you use Chrome's allowlist or the denylist from the Edge application.
Note: If the Enhanced Domain Resolution option is enabled, this option is hidden.