Network File Share via Per-App VPN using Workspace ONE

I’m writing this post in the midst of the world trying to get a handle of the COVID-19 pandemic (date and time check: March 18, 2020). Because of COVID-19, a lot of countries have enforced social distancing and quarantine measures. Businesses are affected, and a lot of organizations now encourage working from home.

Some of my customers who didn’t really consider giving their employees the ability to work remotely suddenly find themselves in a bind. Because now, it’s not just simply an option or nice-to-have feature, but a must-have requirement! And one of the asks I get recently is for end-users to be able to access their network file shares in their office PCs. Some folks don’t necessarily have all their files in the cloud, so this is still relevant.

So if you’re already using Workspace ONE UEM for managing Windows 10 devices and wondering if you can get access to network file shares, you’ve come to the right place. Because yes, you CAN!

Of course, we need a few things:

  1. Workspace ONE UEM
  2. VMware Tunnel deployed with per-app VPN enabled
  3. Enrolled Windows 10 machine with VMware Tunnel desktop client v1.2+
  4. Shared folder in your corporate network

This post assumes you already have the per-app VPN configured working for Windows 10 in your environment. If you haven’t, refer to VMware documentation here and here. This guide by Pim Van de Vis is an easy one to follow walks you through the steps.


  1. In the Workspace ONE UEM console, go to Groups and Settings\ All Settings\ System\ Enterprise Integration\ VMware Tunnel. [Pro Tip: Going to Groups & Settings\Configuration\ Tunnel takes you to the same spot]
  2. Navigate to Device Traffic Rules and select Edit
  3. Click Add Windows or MacOS Application
  1. Add SYSTEM as a Windows application. Refer to the screenshot below. Click Save.

BONUS: You can also use Windows Remote Desktop, like in the screenshot below.

  1. In the device traffic rules, add SYSTEM (and Remote Desktop, if you added it) in the application list with action defined as Tunnel. This means that if the you launch the application, traffic to the whitelisted destinations will be via Tunnel. Rest of the traffic will fall to the default rule. In this case, bypass. Any other apps with the VPN profile will also fall to the default bypass rule.
  1. After you click Save and Publish, the updated rules will be pushed to the devices. Check that your Windows Tunnel Client app has updated rules. Note that you’ll only see it green/ connected when you try to launch an app in the device traffic rules that uses the tunnel.

Testing Time!

Open File Explorer and type the ip or computer name in your corporate network. After authenticating with your Windows credentials (and assuming your account is allowed access to the folders) you will be able to view/ edit documents.
As with any VMware Tunnel implementation, ensure that you practice principle of least privilege. Consult with your network team to only allow the Tunnel appliance access to the resources your end-users are meant to get to.
Credits to Alex Loh for helping test this out and providing all the screenshots.

Above post is also found in the VMware Technology Network Page, where you can find other blogs and articles on Workspace ONE.

related articles

March 31, 2020 – Excellent guide on VMware Techzone for configuring and deploying VMware Tunnel on Windows 10, MacOS, iOS, and Android.

One comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s