macOS VPN Tunnel - MDM Managed - release 24.01

Introduction

With this latest Workspace ONE Tunnel release for macOS 24.01 we've added support for MDM Managed devices to do Full Device VPN. Before this release this was only possible with a Standalone enrollment, for more details see the following blog from my colleague Patrick Zoeller: 

https://digitalworkspace.one/2022/05/16/how-to-setup-vmware-tunnel-on-standalone-macos-devices/

With the 24.01 release this year we support all VPN Modes on macOS:

- Per App VPN

Similar like iPhone and iPads, VPN connected to one or more applications and disconnect when the application closes. Workspace ONE Tunnel application from the Mac App Store:

https://apps.apple.com/nl/app/tunnel-workspace-one/id1141174924?l=en-GB&mt=12

- Standalone Full Device VPN

Devices without MDM management but still require access to VPN.

- MDM Managed Full Device VPN

VPN for devices that are managed by MDM (with Workspace ONE UEM.)

In this blog i will cover the steps and requirements needed to configure MDM Managed Full Device VPN:

Requirements

• UEM 2310+
• Workspace ONE Tunnel 24.01
• MDM Managed Feature Flags enabled

Please work with your VMware EUC representative to get these Feature Flags enabled in your tenant. From the next UEM release it with be automatically enabled (24x release)

• MacOsTunnelSupportUnifiedClientFeatureFlag
• RemoveMacOSTunnelProfileDependencyFeatureFlag

• Workspace ONE Tunnel client from My Workspace ONE: 
  

The MDM Managed functionality was added to the Workspace ONE Tunnel application that is downloaded from My Workspace ONE.

This means that this application now support both Standalone VPN and MDM Managed Full Device VPN, no Per App VPN

Configuration

1. Tunnel configuration

You need to have a working Tunnel configuration in the UEM Console to get the tunnel to work. If you go to Groups and Settings - Configurations -  Tunnel. Make sure you have a working Tunnel configuration there:

2. Workspace ONE Tunnel application

Make sure you upload the latest Workspace ONE Tunnel application, downloaded from My Workspace ONE portal (link above)

Upload it via Internal Applications in Workspace ONE UEM:

Choose the file and make sure you upload the DMG file downloaded from My Workspace ONE Portal: Workspace ONE Tunnel 24.01 macOS

After you uploaded it make sure the correct version is in the console:

It should start deploy on your macOS device:

3. Tunnel profile

Create a new macOS User profile:

Search for the 'new' Tunnel payload:

Add the payload and configure the settings:

Make sure to type in a name for the Profile, assign it and deploy it. You can check on the macOS Device if the profile is deployed:

4. System Extension Profile

After you have deployed the application and profile, you would notice this error message on the macOS device:

To take care of that, you will need to deploy a System Extension profile. Create a new MacOS profile and make sure you choose Device Profile:

Search for the System Extension Payload and make sure you enter the following data:

Allowed System Extension Types:

• Team Identifier: S2ZMFGQM93
• Drivers: Toggle Off
• Endpoint Security: Toggle Off
• Network: Toggle On

Allowed System Extension:

• Team Identifier: S2ZMFGQM93
• Bundle Identifier: com.vmware.macos-tunnel.FullDeviceProxy

Assign and deploy the profile and make sure it gets deployed:

5. User Experience

After the installation has been completed, you can go to the Mac and open the Workspace ONE Tunnel application. The user would have to go through the welcome steps to make use of the application:

After that the Tunnel should be connected:

Release notes:

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/vmware-workspace-one-tunnel-for-macos-release-notes/index.html

KB Article:

https://kb.vmware.com/s/article/97056

TechZone article:

https://techzone.vmware.com/resource/deploying-vmware-workspace-one-tunnel-workspace-one-operational-tutorial