App Tunneling
An application may require access to web services residing behind a corporate firewall.

A traditional full-device VPN is not adequate, both because of the manual steps required to enable the VPN on the device and because of the security exposure created by giving personal apps the same VPN access as corporate apps. A more secure, seamless, targeted solution is required, one that allows only certain applications restricted access to certain intranet endpoints.

Implementation Summary:

  • The recommended approach for app tunneling is to configure a Per-App VPN profile through MDM to leverage native tunneling functionality provided by the operating system.
  • Alternative approaches are to either integrate the AirWatch SDK or use AirWatch App Wrapping.

Platform   AppConfig Community   AirWatch SDK   AirWatch App Wrapping
iOS        Recommended           Supported      Supported
Android    Recommended           Supported      Supported

AppConfig Community (Recommended):

  • Use the AppConfig practice of configuring a Per-App VPN profile through your MDM console for your application.
  • All network traffic specific to the whitelisted applications defined in the profile will be redirected through the Tunnel proxy.
  • Requires iOS 7+ / Android 5.0+. (Android 4.x on roadmap)
  • Requires the AirWatch Tunnel app to be present on the device, and the AirWatch Tunnel Server.
  • Requires enrollment into MDM.
  • Requires no coding.

SDK (Supported):

  • Integrate the AirWatch SDK into your application, configure an SDK profile with Tunneling enabled, and assign it to your application.
  • Ensure the networking classes and methods used by your applications are supported in the AirWatch SDK guide.
  • The SDK will redirect your app network traffic through a supported proxy to reach your targeted backend.
  • Requires coding and a device entry in the AirWatch system; no MDM required.

Wrapping (Supported):

  • Develop and compile your application.
  • Verify that the app is only using an approved MADP platform and coding techniques.
  • Run the compiled binary through the AirWatch application wrapping engine.
  • Assign a wrapping profile to your application with a Tunnel policy.
  • Ensure the networking classes and methods used by your applications are supported in the AirWatch Wrapping guide.
  • The wrapped app will then redirect its app network traffic through a supported proxy to reach your targeted backend.
  • Requires neither coding nor MDM, only a device entry in the AirWatch system.
  • Applications often have to connect to backend server-side resources that are protected using either NTLM, Basic, Certificates, or Kerberos.
  • There is a best practice approach to accommodating each of the different authentication types.
  • For an optimal user experience, the user should only have to log in once, and access should be persisted thereafter for an extended period of time.