Delegate GlobalProtect Certificates for Android Endpoints Using Workspace ONE

When you have more than one client certificate available for GlobalProtect client authentication on Android endpoints, the Choose Certificate pop-up prompt appears, prompting GlobalProtect app users to manually select a specific client certificate.

Starting with Android 8 or a later release, you can delegate certificate selection to GlobalProtect app 5.2.5 or a later release. You can use Workspace ONE to grant permission to the GlobalProtect app for certificate delegation as part of the VPN profile that is pushed from the mobile device management (MDM) server. This enables the GlobalProtect app to select a client certificate based on the client certificate alias without first prompting GlobalProtect app users to manually select a certificate on their Android endpoint. As a result, the Choose Certificate pop-up prompt does not appear on the Android endpoint. If you delegate certificate selection from the MDM server using any other method, the certificates cannot be used by the GlobalProtect app.

1. Download the GlobalProtect app for Android.

   • Deploy the GlobalProtect Mobile App Using Workspace ONE.
   • Download the GlobalProtect app directly from Google Play.
2. From the Workspace ONE console, modify an existing Android profile or add a new one.

   1. Select ResourcesProfiles & BaselinesProfiles, and then ADD a new profile.
   2. Select Android from the platform list.

3. Configure any of the General settings that are appropriate for your company.

   Setting	Description
   Name	Enter the name of the profile.
   Description	Enter a brief description of the profile that indicates its purpose.
   OEM Settings	Specify whether to enable or disable the OEM Settings.
   Profile Scope	Select either Production, Staging, or Both.
   Assignment Type	Determine how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
   Allow Removal	Determine whether to remove the profile of the end user. Select Always to enable the end user to manually remove the profile at any time, Never to prevent the end user from removing the profile, or With Authorization to enable the end user to remove the profile with the authorization of the administrator. Choosing With Authorization adds a required Password to enter.
   Managed By	Enter the Organization Group with administrative access to the profile.
   Smart Groups	Add the Smart Groups to which you want the profile added. This field includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups, and more.
   Exclusions	Indicate whether you want to include any exclusions. If you select Yes, the Excluded Groups field displays, enabling you to select the Smart Groups that you wish to exclude from the assignment of this profile.

4. For your GlobalProtect deployment, configure the Credentials settings to upload a client certificate manually and to create a credentials profile:

   1. Select ResourcesProfiles & BaselinesProfilesAdd Profile.
   2. Select the Platform( Android).
   3. Select Credentials, and then Configure.
   4. Set the Credential Source to Upload.
   5. Enter a Credential Name.
   6. Click UPLOAD to locate and select the certificate that you want to upload.
   7. After you select a certificate, click SAVE.
   8. Click SAVE AND PUBLISH to save your changes.

   9. Click PUBLISH to push the endpoint to the Assigned Smart Groups that will have access to this app.

5. Verify the credentials profile and universally unique identifier (UUID) attribute.

   1. Select ResourcesProfiles & BaselinesProfiles.
   2. Select the radio button next to the new credentials profile you added from the previous step, and then select </>XML at the top of the table.

      You can modify the arbitrary_key_name and UUID_from_profile elements to avoid conflicting parameter and key name settings with existing key value pairs (KVPs) that you applied to a managed configuration file of the GlobalProtect app, as shown in the following sample configuration.

      <characteristicuuid=“0105beb7-eced-4ac0-9b0f-94fe8cf71864” type=“com.airwatch.android.androidwork.app:your_package_id”>
      <parm name=“arbitrary_key_name” value=“UUID_from_profile” type=“certificate-alias” />
      </characteristic>

6. Create a custom settings profile to suppress certificate selection notifications on the GlobalProtect app for Android endpoints.

   1. Select ResourcesProfiles & BaselinesProfilesAdd Profile.
   2. Select the Platform (Android).
   3. Select Custom SettingsConfigure, and then copy and paste the edited configuration.
   4. Click SAVE AND PUBLISH to save your changes.

7. Configure the VPN profile settings to modify the settings for an existing managed app.

   After configuring the settings for the app, you can publish the app to a group of users and Workspace ONE can intercept the certificate selection request to provide the correct certificate to GlobalProtect.

   1. Select Apps NativePublic.
   2. To modify the settings for an existing app, locate the app in the list of Public apps (List View) and then select the edit (

      ) icon in the actions menu next to the row.

   3. Select the existing app from the list of Public apps (List View).
   4. Select Assignment, and then an existing assignment.

      The Distribution window displays the Assigned Smart Groups that have access to the GlobalProtect app.

   5. Select Application Configuration. For details about the other relevant settings in the application configuration that are relevant for your company, see Deploy the GlobalProtect Mobile App Using Workspace ONE.
   6. In the Client Certificate Alias field, specify the same UUID value that you used for the credential profile. The Client Certificate Alias is the unique UUID value used to identify the client certificate during portal or gateway authentication.
   7. Click Edit to modify the settings.