Hi Mark,

Was it hard getting it going with the per-app VPN? Was there any documentation you followed for this?

Thanks

Hi Ichijima,

I looked at that document and contacted VMware support today on it and they said that These are Microsoft preview APIs, so integration will fail. As of now, we are not aware, when MS is planning on fixing this as MS hasn't provided this information to us.

I have a ticket into MS support to see what they have to say.

As when trying to add the VMware Workspace One mobile compliance in the Azure AD it only has Airwatch and not the WS1 UEM. I think our tenant needs to be flighted(not sure what that means).

I guess I wait to hear what MS says.

Thanks

These are Microsoft preview APIs, so integration will fail.
As of now, we are not aware, when MS is planning on fixing this as MS hasn't provided this information to us.

Hi,

It depends on if you already have something that can provide per-app VPN functionality, like WS1 Tunnel. If so, it is not that difficult to implement. If you don't have something that can provide per-app VPN already, you'll have to investigate that first.

I didn't really follow any documentation; but I can give you some guidance if you really want to pursue it.

Mark

Hi

Azure AD conditional access using Workspace ONE UEM (AirWatch) is a preview feature.

Use compliance data in Azure AD Conditional Access policies by integrating Workspace ONE UEM with Mi...

I was surprised to find this document at the end of March 2020.

But,I haven't actually used this feature, so I'm not sure how it works.

We expect more information using this feature.

This is great news; looks like they are finally making progress on this. Based on that link, it seems to require that you are using Workspace ONE Intelligence - is that right? Our UEM console (1907) does not even have the option that they are referring to (Navigate to Monitor > Intelligence, check the Opt-in box).

Sorry for the thread necro, but in case you missed it, here are some details on how the Compliance API works with WS1 UEM.

There are still limitations on the AAD side related to _identfying_ the device (WS1 send compliance info for all devices to AAD, but AAD doesn no know _which_ device is coming to it, unless you implement some workarounds) - you can read this all in the blog.

https://digitalworkspace.one/2020/05/12/compliance-api-msft/

Hi Mark,

did you do this for iOS only or for Android as well? We had no issues running this on iOS but on Android, we find that Azure does not pick up the tunnel URL. I know on iOS we had to add login.microsoftonline.com to Safari managed domains, but not sure if we need something similar for Android? 

Hi,

I specified the "login.microsoftonline.com" domain for All Apps in the Device Traffic Rules for VMware Tunnel in Settings. The Office apps on Android use this as well as Chrome, which I configured for per-app VPN.

Mark

Thanks Mark.

Did the same i.e. configured the iOS and Android office apps to go via the per-app Tunnel. Additionally, configured Chrome in the Work Profile to go via the Tunnel and added login.microsoftonline.com for Safari to go via the Tunnel.

This was fine on iOS. On Android, I found that when I tried to go to login.microsoftonline.com via the managed Chrome browser, Azure picked up my tunnel IP. However, when I tried to login to Word in the Work Profile, Azure picked up the device IP and not the Tunnel IP.

I also tried by manually adding Chrome and Word to the Device Traffic Rules configured to Tunnel login.microsoftonline.com.

Any ideas or suggestions?

Strange that it works for Chrome but not the Office apps. I'm not sure I'll be able to help. We are using the Work Managed Device mode for enrollment of all of our corporate owned Android devices, which is the only type of devices that we allow per-app VPN functionality. For BYOD, we do utilize Work Profile mode, but I've never configured per-app VPN for those devices.

Right okay. I’ve ensured that default work profile browser was set to chrome (just to be sure) as well.

no worries, shall keep at it and post back when/if we get it to work. 

thank you