Tunnel Communication Failures Post-Update

Hello,

We are experiencing intermittent tunnel communication failures on iOS devices following internal application updates or fresh installations. This issue occurs specifically with VMware Workspace ONE Advanced (includes AirWatch) - On Premise and Workspace ONE Tunnel. Our enterprise mobility management platform provides comprehensive tools for managing corporate-owned and BYOD devices across various operating systems.

Detailed Information:

Applications Involved:

  • VMware Workspace ONE Advanced (On-Premise): Manages and secures devices and applications.
  • Workspace ONE Tunnel: Enables per-app VPN services, routing traffic from specific managed applications through our VPN.

Problem Context:

After a recent update, and notably after introducing deeplinking capabilities, which required making changes to our public DNS to host the apple-app-site-association file, iOS devices are not routing application traffic through the Workspace ONE Tunnel correctly. Instead, applications are bypassing VPN configurations and connecting directly to public networks, jeopardizing data security. This behavior is inconsistent and varies across devices. To illustrate, I have attached a diagram (Diagram 1) that shows the flow of traffic during the issue compared to normal operations.

Timeline and Troubleshooting Steps Taken:

Initial Report Date: February 2024, following the iOS update 17.3.1 and post-deeplinking modifications.

VMware Involvement: Multiple troubleshooting sessions, including log analysis and configuration reviews. VMware indicated the issue might not be directly related to their platform as the tunnel functions normally post-device restart.

Logs Reviewed: Application logs, network traces, and device management logs. No errors directly linked to VMware solutions were found. The logs showing the issue occurrence and after a device restart are included (see Logs Set A and Logs Set B).

Additional Information:

Devices Affected: Various iOS devices, total fleet approximately 1500 units.

Inconsistencies: The issue manifests inconsistently across different organizational groups (OGs) and is not tied to a specific app version or device model.

Developer Notes: The issue does not occur when applications are deployed via Xcode during testing phases. It only arises when apps are updated in a live environment.

Request for Assistance: We request Apple’s assistance in investigating potential iOS-specific causes or configurations contributing to this issue, particularly in the context of the deeplinking changes. A joint troubleshooting session is proposed to further diagnose and address the problem. Prompt support in resolving this issue, given its impact on our operations, would be greatly appreciated.

Attachments:

  • Diagram 1&2: Traffic Routing During Issue vs. Normal Operation
  • Diagram 3: Our App communications diagram
  • Logs Set A: Device Logs When Issue Occurs
  • Logs Set B: Device Logs After Restart

(Set A) After restart - no issue .log https://drive.google.com/file/d/1Q2COgXkMa3KnN1N-ggZKwYhHP7KC-Hwy/view?usp=sharing

(Set B) before restart.log https://drive.google.com/file/d/1uS9kAV6zJyRvVRQoWQNKdWBBR7sxM6Js/view?usp=sharing

Any suggestions? Thank you!

I’d like to clarify the parties involved here. Reading your post initially I thought that you might be developing the VPN software involved, but then I saw this:

VMware indicated …

which suggests that’s not the case. So who are the parties involved, and which component of this system is each of them developing?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
