VMware SASE with Workspace ONE Web App
For VMware customers that are already using Secure Access Service Edge (SASE), it is easy to enable it for the VMware Web App as well. For more information on SASE, please check the VMware page for details: https://www.vmware.com/products/secure-access-service-edge-sase.html . I used Cloud Web Security to protect users from dangerous sites and to secure the device, while still being able to browse intranet sites without an additional VPN. VMware Web App is a secure browser with built-in VPN capabilities, available for iOS and Android. I will show the settings for iOS here; Android is not much different.
- iOS or Android devices (no MDM enrollment required; it also works in Hub Registered mode).
- an existing VMware SASE (VeloCloud) configured as the Tunnel endpoint in the UEM setup
- optional: for passwordless Cloud Web Security authentication, a Certificate Authority is required
Once the pre-requisites are met you can start setting it up.
I will not cover the CWS / SASE setup here, nor the settings for the Workspace ONE Access integration; these should be pre-configured.
Creating SDK Profile
First of all we need to create a new SDK profile for the Web App. You can use the default profiles as well, but as I wanted to add a trusted CA and an authentication certificate, I decided to go with a separate SDK profile.
This is done under Settings / Apps / Settings and Policies / Profiles:
Once there, click “Add Profile”:
As we need an SDK profile, select the first option:
If you use Android you need to repeat these steps for Android as well; I am showing iOS here, so I selected iOS:
Give the profile a name so you know what settings it contains:
First select “Credentials” and add your CA with the template. This certificate is used to authenticate against Workspace ONE Access, which in my case also authenticates against Cloud Web Security. Once done, click the little “+” in the corner.
In the second “Credentials” setting, upload the root CA (CRT file) from Cloud Web Security so that the certificate is in the Web App's trust store. As CWS is acting as a proxy, we need to make sure its root CA is trusted.
Once uploaded, go to the “Proxy” settings, tick the box for “Enable App Tunnel”, select “VMware Tunnel” (important: not “VMware Tunnel - Proxy”) and select the required Device Traffic Rules.
Once done, go to Authentication and select “Single Sign-On” and “Integrated Authentication”, as well as the certificate that contains the authentication certificate (important: do not select the root CA from CWS here).
Now you can add any other settings you require for the app, such as Restrictions.
Once done, save the profile.
Assign the SDK Profile
Go to Settings in the Workspace ONE UEM console, select “Apps”, then click “Workspace ONE Web”:
If not done already, override the settings, select “Custom” as the Application Profile and then select the SDK profile we just created for iOS (and for Android as well, if you created one):
Now you can add the other settings your use case requires, such as the browser homepage.
Once done, click Save.
Edit Device Traffic Rules
If not already done, you need to add the Web App to the Device Traffic Rules and specify the rules.
This is done under Settings, “System”, “Enterprise Integration” & “VMware Tunnel”:
Once there, click “Edit” on the Device Traffic Ruleset box:
Click the name of the Device Traffic Ruleset that you selected in the SDK profile (you can also create a new one; you just need to update the SDK profile then).
Make sure you have selected the “Per Application” mode and then add the Web App for iOS (and Android if used) to the ruleset. I added a bypass for the DS (Device Services) URLs (*.awmdm.com), and the second rule then tunnels all remaining traffic with a “*” in the destination field. Once done, save the settings so they get consumed by the devices later.
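The order of the two rules matters: the bypass for *.awmdm.com only works because it sits above the catch-all “*” tunnel rule. The following Python model is an added example, not VMware's code and not part of the original post; it assumes rules are evaluated top to bottom with the first match winning and a bypass default for unmatched hosts, and uses constructed sample hostnames. It also includes a small check that flags a rule that can never fire because an earlier, broader rule already covers it.

```python
# Added example: a Python model of ordered, per-application Device Traffic
# Rules. It is NOT VMware's implementation; it only models the first-match
# behaviour assumed above so the rule ordering can be checked offline.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Sequence

BYPASS = "BYPASS"   # leave the tunnel, go direct to the destination
TUNNEL = "TUNNEL"   # send through VMware Tunnel / the SASE endpoint


@dataclass(frozen=True)
class TrafficRule:
    destinations: Sequence[str]  # hostname globs using '*' only
    action: str

    def matches(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        return any(fnmatchcase(host, d.lower()) for d in self.destinations)


def evaluate(rules: List[TrafficRule], host: str, default: str = BYPASS) -> str:
    """First matching rule wins (assumed top-to-bottom evaluation).
    Hosts matching no rule get the default action (assumed to be bypass)."""
    for rule in rules:
        if rule.matches(host):
            return rule.action
    return default


def shadowed_rules(rules: List[TrafficRule]) -> List[int]:
    """Indexes of rules that can never fire because earlier rules already
    cover every destination they list. Sound for '*'-only globs: if the
    later pattern, taken as a literal string, matches an earlier glob, every
    host the later pattern accepts is accepted by that earlier glob too."""
    shadowed = []
    for j, later in enumerate(rules):
        earlier_globs = [d.lower() for r in rules[:j] for d in r.destinations]
        covered = all(
            any(fnmatchcase(d.lower(), g) for g in earlier_globs)
            for d in later.destinations
        )
        if j > 0 and covered:
            shadowed.append(j)
    return shadowed


def page_ruleset() -> List[TrafficRule]:
    """The two rules from the post: bypass the DS URLs, tunnel everything else."""
    return [
        TrafficRule(("*.awmdm.com",), BYPASS),
        TrafficRule(("*",), TUNNEL),
    ]


def misordered_ruleset() -> List[TrafficRule]:
    """Same rules with '*' on top: the bypass becomes dead and DS traffic is
    tunnelled as well."""
    return [
        TrafficRule(("*",), TUNNEL),
        TrafficRule(("*.awmdm.com",), BYPASS),
    ]


if __name__ == "__main__":
    # Constructed sample hostnames (not taken from the post).
    for host in ("ds1234.awmdm.com", "intranet.corp.example", "www.example.com"):
        print(f"{host:28} -> {evaluate(page_ruleset(), host)}")
    print("shadowed in page ruleset:", shadowed_rules(page_ruleset()))
    print("shadowed in misordered ruleset:", shadowed_rules(misordered_ruleset()))
```

Running the check against a ruleset before saving it in the console is a cheap way to catch a catch-all rule that has been dragged above a bypass, which would silently route the Device Services traffic through the tunnel.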
User Experience on the Device
When installing the Web App (already assigned) on the iOS device, the homepage is displayed, and the little icon on the left shows that it is tunnelled to the SASE endpoint:
When I try to download a virus file or open a page blocked by Cloud Web Security, the user is protected:
The user experience of this protection on the device looks like this:
As you can see, the investment in VMware SASE can be leveraged not only by fully managed devices; BYOD devices without management can consume it in a secure way as well. While this saves the customer the cost of hosting the Tunnel endpoint, it also brings all the benefits of the VeloCloud SD-WAN product, with faster access to your datacenter or the major clouds such as Azure or AWS. Combining SASE and UEM as part of the Anywhere Workspace journey is a great solution for every company.