Prerequisite(s):
- Pulse Workspace or other third-party MDM solution (MobileIron and AirWatch instructions can be found here)
- Existing Pulse Connect Secure (PCS) device running 7.2 or later
- Recommended: Vpn On Demand (VOD) configuration with certificate authentication. If VOD is not configured, Per-App Vpn tunnel must be manually launched using the Pulse mobile app.
Note: For PCS 8.0R5 to 8.0R11 and 8.1R1 to 8.1R4, PAC license (Pulse AppConnect license) is required for each physical device that does accept AppConnect tunnels from mobile devices. (*Virtual Connect Secure deployments do not currently require the PAC license.)
- Login to Pulse Workspace admin console.
- From the top menu bar, select Policies.
- From the left pane, select Add.
- In the Policy Name field, enter a friendly name to help identify the policy.
- In the Has user tag and LDAP group fields, enter the user tag or LDAP groups to apply the policy to. These options can be modified in the future.
- Click Save.
- From the left pane, click on the friendly name for the policy.
- From the right pane, click the Properties tab.
- Under Policy Name, navigate to the VPN section and configure the following options:
- VPN Host = Sign-in page of the PCS device (fully qualified domain name or IP address)
- VPN Type = Pulse SSL
- Optional (VOD): VPN Safari Domains = Domain name(s) to automatically launch the tunnel (also referred to as VPN On Demand) **
- Optional (VOD): VPN Certificate Auth = Client certificate will be deployed to WorkSpace endpoints to support VOD scenario **
- Optional: VPN Realm = Realm name configure on the PCS device
- Optional: VPN Role = Role name configured on the PCS device
- From the right pane, click the iOS App Rules tab.
- Click Add.
- Under Add App Rule, enter the app name in the search box and hit the Enter key.
- From the list, select the app to configure for Per-App VPN.
- Click Next.
- For Rule Type, leave as Add.
- For Network Access, select Per App VPN.
- Click Save.
Per-App VPN configuration is complete for Pulse Workspace. The policy will remain in edited state until the policy is published. The administrator may make additional policies changes prior to pushing the policy. Once all changes are completed, click
Publish button.

For additional Pulse Workspace help documentation, please click
here.
- Login to PCS admin console.
- Navigate to Users > User Roles > New Role.
- In the Name field, enter a friendly name for the Per-App VPN role.
- Under Access features, select the checkbox for Secure Application Manager > Windows Version
- Click Save Changes.
- Navigate to Users > Resource Profiles > WSAM Destinations > New Profile.
- For the Name field, enter a friendly name for the profile.
- Under Destination, enter the list of IP addresses to tunnel through the Per-App VPN tunnel. (Note: FQDN names are supported starting in 8.2R3 and above for the Per-App tunnel)
- Click Save and Continue.
- Under Available Roles list, select the role created for Per-App VPN (above), then click Add.
- Click Save Changes.
Administrator may create a new sign-in page and user realm or use an existing sign-in page and user realm for Per-App VPN role. (Note: Sign-in page and User realm will need to match step 8 in the PWS configuration)
Optional configuration for VPN On Demand:
Please refer to
KB40360 - VPN On Demand with Pulse WorkSpace and Pulse Connect Secure