airwatchhk

Enrollment using Standalone WSO VPN Tunnel Client

Updated: Nov 22, 2023



You can now use the VPN tunnel in standalone mode, without fully managing the Windows or macOS device.


The standalone VPN client is an all-in-one client that comes with enrollment, certificate retrieval and VPN profile installation capabilities.


This is particularly useful for cases such as BYOD devices, replacing a legacy full-device VPN, and adding VPN to devices already managed by another UEM solution.


If you have already been using tunnel for managed devices, you are only a few steps away from making it available for non-managed devices.


Enable non-managed enrollment mode:



Create a tunnel profile for non-managed devices. The procedure is exactly the same as creating a tunnel profile for managed devices.





A device enrolled using the tunnel client is marked as “Managed by App Level”. An administrator can block a device or revoke the certificate from a device.






Now download the tunnel installer and install the tunnel client. Please make sure it is the standalone version.


The user can enroll their device with the standalone tunnel client.




It also supports modern authentication such as WSO Access, Azure AD and other SAML IdPs.





This demo video shows how to enroll a Windows device with the standalone VPN client and get access to an internal URL right away.




To provide a secure and seamless user experience, tunnel authentication is certificate-based. The client certificate is issued with the device UDID, to make sure the certificate can only be used on one particular device.



Certificate pinning is implemented on both the server side and the client side.


The server retrieves the allowed device list from the UEM console, together with the device certificate thumbprints.
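As an added illustration (not code from the tunnel product or from this blog), the server-side check described above can be modelled as a lookup of the certificate's UDID in the allowed device list, followed by a thumbprint comparison. The names `AllowedDevice`, `authorize` and the sample UDIDs are hypothetical, the thumbprint hash is assumed to be SHA-256, and the certificates are constructed byte strings rather than real DER.

```python
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowedDevice:
    udid: str
    thumbprint: str        # hex digest of the DER-encoded client certificate
    blocked: bool = False  # set when the administrator blocks the device


def thumbprint(cert_der: bytes) -> str:
    # Assumption: SHA-256 over the DER bytes; the post does not name the hash.
    return hashlib.sha256(cert_der).hexdigest()


def authorize(allowlist: dict[str, AllowedDevice], cert_udid: str,
              cert_der: bytes) -> tuple[bool, str]:
    """Decide whether a presented client certificate may open a tunnel.

    cert_udid is the UDID read from the certificate (parsing not shown).
    """
    device = allowlist.get(cert_udid)
    if device is None:
        return False, "unknown device"
    if device.blocked:
        return False, "device blocked"
    # Pin to the exact certificate recorded for this device.
    if not hmac.compare_digest(device.thumbprint, thumbprint(cert_der)):
        return False, "thumbprint mismatch"
    return True, "ok"


# Constructed sample data: byte strings standing in for DER certificates.
CERT_A = b"constructed-der-cert-for-UDID-A"
CERT_A_OLD = b"constructed-der-superseded-cert-for-UDID-A"
CERT_B = b"constructed-der-cert-for-UDID-B"

ALLOWLIST = {
    "UDID-A": AllowedDevice("UDID-A", thumbprint(CERT_A)),
    "UDID-B": AllowedDevice("UDID-B", thumbprint(CERT_B), blocked=True),
}

if __name__ == "__main__":
    for udid, cert in [("UDID-A", CERT_A), ("UDID-A", CERT_A_OLD),
                       ("UDID-B", CERT_B), ("UDID-C", CERT_A)]:
        print(udid, authorize(ALLOWLIST, udid, cert))
```

In this model, a certificate that chains to the right CA but is not the one recorded for the device is still rejected, and blocking a device takes effect without waiting for the certificate to expire.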



For troubleshooting, you can turn on the client-side debug log.



