AirWatch customers have per-app VPN functionality available for iOS and Android internal and public apps.

With the AirWatch Tunnel for Linux component (previously the Mobile Access Gateway, MAG), customers can create secure per-app VPN tunnels into the corporate infrastructure while giving their users seamless, effortless connectivity.
The functionality is available from iOS 7 and Android 5 onwards.

The video below demonstrates the functionality on Android 5 from the end-user point of view and gives a quick overview of how to configure it in the AirWatch Admin console.

AirWatch per-app VPN for Android Video

Main benefits of per-app VPN by AirWatch

Increased security

Per-app VPN increases corporate security, as only specifically whitelisted internal or public applications can communicate through this tunnel. A traditional (full) VPN solution allows the entire device into the corporate network, which gives any application on the device access to internal resources.
Additionally, the access permissions for per-app VPN whitelisted apps can be further controlled and limited by using VMware NSX network virtualization and security technology. NSX enables micro-segmentation to ensure that applications can only access the network resources they require.

Multi-purpose infrastructure

The AirWatch solution is based on the AirWatch Mobile Access Gateway (MAG) for Linux and can be deployed as a single-server solution or split between the DMZ and the internal network in a relay-endpoint configuration to further enhance security. Additionally, the AirWatch Tunnel can function as a secure provider for internal document access via AirWatch Secure Content Locker (SCL) and for secure web browsing via the AirWatch Secure Browser app.

The same AirWatch Tunnel infrastructure can be utilized by any supported client operating system, which keeps the deployment costs very low.

Per-app VPN for internal apps does not require app-wrapping or SDK

Customers who develop their own applications are often required to implement a third-party SDK or use an app-wrapping engine to provide VPN functionality for their custom apps.
This makes updates and future deployments complex, as newer versions of SDKs need to be embedded, or each new app version needs to be wrapped again before it can be deployed. As AirWatch can apply the per-app VPN configuration "on the fly" by whitelisting the app identifier in the AirWatch Tunnel app, organizations can deploy new apps and updates with less effort and fewer dependencies.

High level steps for implementation

The AirWatch documentation contains full details on how to install and configure all of the needed parts. The steps below are a high-level summary to clarify the required components and configurations.

  1. Install and configure the AirWatch Tunnel for Linux.
  2. Create a new Profile with a VPN payload and select "AirWatch Tunnel" as the Connection Type.
  3. Distribute and install the "AirWatch Tunnel" app to devices.
  4. Add public or internal apps to the AirWatch console and select the Tunnel in the "Per app VPN Profile" selection (ADVANCED section in the app assignment).





About the author
Peter Giesa is an AirWatch Certified Technical Post-Sales On-Prem Expert and works as a Solution Architect & Senior Consultant for Aerion Solutions.

About Aerion Solutions
Aerion Solutions is an AirWatch Elite Partner and VMware Enterprise Solution Provider in Finland. Its certified consultants provide consulting and training services for AirWatch and VMware on-premise and SaaS implementations.