Configure the GlobalProtect App for Android
You can deploy and configure the GlobalProtect app on Android for Work endpoints from any third-party mobile device management (MDM) system that supports Android for Work app restrictions (managed configurations).
On Android endpoints, traffic is routed through the VPN tunnel according to the access routes configured on the GlobalProtect gateway. From the third-party MDM that manages your Android for Work endpoints, you can further refine which traffic is routed through the VPN tunnel.
In an environment where the endpoint is corporately owned, the endpoint owner manages the entire endpoint, including all the apps installed on that endpoint. By default, all installed apps can send traffic through the VPN tunnel according to the access routes defined on the gateway.
In a bring-your-own-device (BYOD) environment, the endpoint is not corporately owned and uses a Work Profile to separate business and personal apps. By default, only managed apps in the Work Profile can send traffic through the VPN tunnel according to the access routes defined on the gateway. Apps installed on the personal side of the endpoint cannot send traffic through the VPN tunnel set by the managed GlobalProtect app that is installed in the Work Profile.
To route traffic from an even smaller set of apps, you can enable Per-App VPN so that GlobalProtect only routes traffic from specific managed apps. For Per-App VPN, you can allow list or block list specific managed apps from having their traffic routed through the VPN tunnel.
Endpoints running Android will not automatically launch the GlobalProtect app when the user launches an application in the allow list. However, endpoints running iOS will automatically launch the GlobalProtect app and establish the VPN tunnel when the user launches an application from the allow list.
As part of the VPN configuration, you can also specify how the user connects to the VPN. When you configure the connect method as user-logon, the GlobalProtect app establishes a connection automatically. When you configure the connect method as on-demand, users must initiate a connection manually.
The VPN connect method defined in the MDM takes precedence over the connect method defined in the GlobalProtect portal configuration.
Removing the VPN configuration automatically restores the GlobalProtect app to its original configuration settings.
To configure the GlobalProtect app for Android, set the following Android app restriction keys. For each key, the value type, description and an example value are given.

portal (String)
  IP address or fully qualified domain name (FQDN) of the portal.
  Example: 10.1.8.190

username (String)
  Username for the user.
  Example: john

password (String)
  Password for the user. This is a static credential delivered to the app as managed configuration; prefer certificate authentication where the deployment allows it.
  Example: Passwd!234

mobile_id (String)
  Mobile ID as configured in the third-party MDM service to uniquely identify a mobile device. GlobalProtect uses this mobile ID to retrieve device information.
  Example: 5188a8193be43f42d332dde5cb2c941e

certificate (String, Base64-encoded)
  Client certificate used to authenticate the app to the portal.
  Example: DAFDSaweEWQ23wDSAFD….

client_certificate_passphrase (String)
  Passphrase that protects the private key of the client certificate.
  Example: PA$$W0RD$123

app_list (String)
  Configuration for Per-App VPN. Begin the string with either the allowlist keyword or the blocklist keyword followed by a colon, then list the app package names separated by semicolons. The allow list specifies the apps whose traffic goes through the VPN tunnel; traffic from any app that is not in the allow list, or that is expressly named in the block list, does not go through the VPN tunnel.
  Example: allowlist: com.google.calendar; com.android.email; com.android.chrome (a block list uses the same syntax with the blocklist keyword)
  Note: The keywords allow list and block list changed to allowlist and blocklist in PAN-OS 10.1. Update the setting on your MDM when you upgrade to 10.1.

connect_method (String)
  Either user-logon, to connect the user to the GlobalProtect portal automatically using the configured credentials, or on-demand, to let the user connect to the gateway manually.
  Example: user-logon | on-demand

remove_vpn_config_via_restriction (Boolean)
  Permanently remove all GlobalProtect VPN configuration information.
  Example: true | false
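As an added example (not Palo Alto Networks code and not part of this page), the following Python models the restriction keys above as a plain dictionary, validates the app_list string before it is handed to an MDM, and applies the precedence rule that an MDM-supplied connect_method overrides the portal setting. The MDM-specific payload layout, the sample portal address and the package names are assumptions; only the key names and value types come from the table.

```python
"""Build and validate a GlobalProtect Android managed configuration.

Added example, not Palo Alto Networks code. The key/type table mirrors the
app restrictions documented above; how an MDM serializes them is
vendor-specific, so the dict below is only the key/value set.
"""
import json
import re

# Keys and value types from the documentation table (assumed complete).
RESTRICTION_TYPES = {
    "portal": str,
    "username": str,
    "password": str,
    "mobile_id": str,
    "certificate": str,
    "client_certificate_passphrase": str,
    "app_list": str,
    "connect_method": str,
    "remove_vpn_config_via_restriction": bool,
}
CONNECT_METHODS = {"user-logon", "on-demand"}
# Android package names: dot-separated identifiers, at least two segments.
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def parse_app_list(value):
    """Split 'allowlist:a;b' or 'blocklist:a;b' into (mode, [packages]).

    Rejects the pre-PAN-OS 10.1 spellings ('allow list', 'block list'),
    a missing colon, an empty list, and malformed package names.
    """
    keyword, sep, body = value.partition(":")
    keyword = keyword.strip()
    if not sep:
        raise ValueError("app_list must start with allowlist: or blocklist:")
    if keyword in ("allow list", "block list"):
        fixed = keyword.replace(" ", "")
        raise ValueError(f"{keyword!r} is the pre-10.1 spelling; use {fixed!r}")
    if keyword not in ("allowlist", "blocklist"):
        raise ValueError(f"unknown app_list keyword {keyword!r}")
    packages = [p.strip() for p in body.split(";") if p.strip()]
    if not packages:
        raise ValueError("app_list names no packages")
    for pkg in packages:
        if not PACKAGE_RE.match(pkg):
            raise ValueError(f"not a valid Android package name: {pkg!r}")
    return keyword, packages


def build_restrictions(**values):
    """Return a validated restriction dict; unknown keys or wrong types raise."""
    out = {}
    for key, val in values.items():
        expected = RESTRICTION_TYPES.get(key)
        if expected is None:
            raise KeyError(f"unknown restriction key {key!r}")
        if not isinstance(val, expected):
            raise TypeError(f"{key} must be of type {expected.__name__}")
        out[key] = val
    if "portal" not in out:
        raise ValueError("portal is required")
    if "connect_method" in out and out["connect_method"] not in CONNECT_METHODS:
        raise ValueError("connect_method must be user-logon or on-demand")
    if "app_list" in out:
        parse_app_list(out["app_list"])  # validate only; the string is pushed as-is
    return out


def effective_connect_method(mdm_restrictions, portal_setting):
    """The MDM value takes precedence over the portal agent configuration."""
    return mdm_restrictions.get("connect_method", portal_setting)


if __name__ == "__main__":
    # Constructed sample: a BYOD Work Profile with Per-App VPN (hypothetical values).
    restrictions = build_restrictions(
        portal="vpn.example.com",
        connect_method="on-demand",
        app_list="allowlist: com.google.calendar; com.android.email; com.android.chrome",
        remove_vpn_config_via_restriction=False,
    )
    print(json.dumps(restrictions, indent=2))
    print("effective connect method:",
          effective_connect_method(restrictions, "user-logon"))
```

The validator deliberately leaves the app_list string untouched after checking it, because the app parses the raw value; normalizing whitespace or keyword case here would hide a mismatch that would only surface on the device.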