Configure a Per-App VPN Configuration for Android Endpoints Using Workspace ONE
Updated on
Wed Nov 08 00:04:05 UTC 2023
Focus
Download PDF
Updated on
Wed Nov 08 00:04:05 UTC 2023
Focus
- Home
- GlobalProtect
- Mobile Device Management
- Manage the GlobalProtect App Using Workspace ONE
- Configure Workspace ONE for Android Endpoints
- Configure a Per-App VPN Configuration for Android Endpoints Using Workspace ONE
Download PDF
GlobalProtect
Table of Contents
You can enable access to internal resources from your managed mobile endpoints by configuring GlobalProtect VPN access using Workspace ONE. In a per-app VPN configuration, you can specify which managed apps can send traffic through the GlobalProtect VPN tunnel. Unmanaged apps will continue to connect directly to the internet instead of through the GlobalProtect VPN tunnel.
Use the following steps to configure a per-app VPN configuration for Android endpoints using Workspace ONE:
Download the GlobalProtect app for Android:
Deploy the GlobalProtect Mobile App Using Workspace ONE.
Download the GlobalProtect app directly from Google Play.
From the Workspace ONE console, modify an existing Android profile or add a new one.
Select
, and thenDevices
Profiles & Resources
Profiles
ADD
a new profile.Select
Android (Legacy)
from the platform list.
Configure the
General
settings:Enter a
Name
for the profile.(
Optional
) Enter a brief
Description
ofthe profile that indicates its purpose.(
Optional
) Select the
Profile Scope
,eitherProduction,
Staging
,orBoth
.(
Optional
) Select an
Assignment Type
todetermine how the profile is deployed to endpoints. SelectAuto
todeploy the profile to all endpoints automatically,Optional
toenable the end user to install the profile from the Self-ServicePortal (SSP) or to manually deploy the profile to individual endpoints,orCompliance
to deploy the profile whenan end user violates a compliance policy applicable to the endpoint.(
Optional
) Select whether or not you want to
AllowRemoval
of the profile by the end user. SelectAlways
toenable the end user to manually remove the profile at any time,Never
toprevent the end user from removing the profile, orWithAuthorization
to enable the end user to remove the profilewith the authorization of the administrator. ChoosingWithAuthorization
adds a required Password.(
Optional
) In the
Managed By
field,enter the Organization Group with administrative access to the profile.(
Optional
) In the
Assigned Groups
field,add the Smart Groups to which you want the profile added. This fieldincludes an option to create a new Smart Group, which can be configuredwith specs for minimum OS, device models, ownership categories,organization groups, and more.(
Optional
) Indicate whether you want to includeany
Exclusions
to the assignment of thisprofile. If you selectYes
, theExcludedGroups
field displays, enabling you to select the SmartGroups that you wish to exclude from the assignment of this profile.
Configure the
Credentials
settings:All per-app VPN configurations require certificate-basedauthentication.
To pull client certificates from Workspace ONE users:
Set the
Credential Source
toUserCertificate
.Select the
S/MIME Signing Certificate
(default).
To upload a client certificate manually:
Setthe
Credential Source
toUpload
.Enter a
Credential Name
.Click
UPLOAD
to locate and selectthe certificate that you want to upload.After you select a certificate, click
SAVE
.
To use a predefined certificate authority and template:
Set the
Credential Source
toDefinedCertificate Authority
.Select the
Certificate Authority
fromwhich you want obtain certificates.Select the
Certificate Template
forthe certificate authority.
Configure the
VPN
settings:Set the network
Connection Type
toGlobalProtect
.Enter the
Connection Name
that theendpoint displays.In the
Server
field, enter the hostnameor IP address of the GlobalProtect portal to which users connect.Enable
Per-App VPN Rules
to routeall traffic for managed apps through the GlobalProtect VPN tunnel.In the Authentication area, set the
User Authentication
methodtoCertificate
.All per-app VPNconfigurations require certificate-based authentication.
Enter the
User name
for the VPN accountor click the add (+
) button to view supportedlookup values that you can insert.When prompted, select the
Identity Certificate
thatGlobalProtect will use to authenticate users. TheIdentityCertificate
is the same certificate that you configuredin theCredentials
settings.
SAVE & PUBLISH
your changes.Configure per-app VPN settings for a new managed appor modify the settings for an existing managed app.
After configuring the settings for the app and enablingper-app VPN, you can publish the app to a group of users and enable theapp to send traffic through the GlobalProtect VPN tunnel.
Select
.APPS &BOOKS
Applications
Native
Public
To add a new app, select
ADD APPLICATION
.To modify the settings for an existing app, locate the app in thelist of Public apps (List View) and then select the edit () iconin the actions menu next to the row.In the
Managed By
field, selectthe organization group that will manage this app.Set the
Platform
toAndroid
.Select your preferred
Source
forlocating the app:SEARCH APP STORE
—Enter theName
ofthe app.ENTER URL
—Enter the Google Play URLfor the app (for example, to search for the Box app by URL, enter https://play.google.com/store/apps/details?id=com.box.android).IMPORT FROM PLAY
—Import a company-approvedapp from Google Play.
Click
NEXT
.If you chose to search Google Play, click the app iconfrom the list of search results. If the app has not already been approvedfor your company, you must
APPROVE
the app.After the app is approved,SELECT
the app.If youchose to import the app from Google Play, select the app from thelist of approved company apps and then click
IMPORT
.If you do not see the app in the list, contact your Android forWork administrator to approve the app.Select the newly added app from the list of Publicapps (List View).
From the
, clickApplications
Details View
ASSIGN
atthe top-right corner of the screen.Select
Assignments
and thenclickADD ASSIGNMENT
to add the Smart Groupsthat will have access to this app.In the
Select Assignment Groups
field,select the Smart Groups that you want to grant access to this app.Select the
App Delivery Method
. Ifyou selectAUTO
, the app is automaticallydeployed to the specified Smart Groups. If you selectONDEMAND
, the app must be deployed manually.Set the
Managed Access
option toENABLED
.This option gives users access to the app based on the managementpolicies that you apply.Configure the remaining settings as needed.
ADD
the new assignment.
(
Optional
) To exclude certain Smart Groupsfrom accessing the app, select
Exclusions
andthen select the Smart Groups that you want to exclude from theExclusion
field.SAVE & PUBLISH
the configurationto the assigned Smart Groups.
) iconin the actions menu next to the row.
"); adBlockNotification.append($( "Thanks for visiting https://docs.paloaltonetworks.com. To improve your experience when accessing content across our site, please add the domain to the allow list on your ad blocker application." )); let adBlockNotificationClose = $("x"); adBlockNotification.prepend(adBlockNotificationClose) $('body').append(adBlockNotification); setTimeout(function (e) { adBlockNotification.addClass('open'); }, 10); adBlockNotificationClose.on('click', function (e) { adBlockNotification.removeClass('open'); }) } }, 5000)
Recommended For You
{{ if(( raw.pantechdoctype != "techdocsAuthoredContentPage" && raw.objecttype != "Knowledge" && raw.pancommonsourcename != "TD pan.dev Docs")) { }} {{ if (raw.panbooktype) { }} {{ if (raw.panbooktype.indexOf('PANW Yellow Theme') != -1){ }}
{{ } else if (raw.panbooktype.indexOf('PANW Green Theme') != -1){ }}
{{ } else if (raw.panbooktype.indexOf('PANW Blue Theme') != -1){ }}
{{ } else { }}
{{ } }} {{ } else { }}
{{ } }} {{ } else { }} {{ if (raw.pantechdoctype == "pdf"){ }}
{{ } else if (raw.objecttype == "Knowledge") { }}
{{ } else if (raw.pancommonsourcename == "TD pan.dev Docs") { }}
{{ } else if (raw.pancommonsourcename == "LIVEcommunity Public") { }}
{{ } else { }}
{{ } }} {{ } }}
{{ if (raw.pancommonsourcename == "LIVEcommunity Public") { }}
{{ if (raw.pantechdoctype == "pdf"){ }}
{{ } }}
{{ } else { }}
{{ if (raw.pantechdoctype == "pdf"){ }}
{{ } }}
{{ } }}
{{ if (raw.pancommonsourcename != "TD pan.dev Docs"){ }} {{ if (raw.pandevdocsosversion){ }} {{ } else { }} {{ if ((_.size(raw.panosversion)>0) && !(_.isNull(raw.panconversationid )) && (!(_.isEmpty(raw.panconversationid ))) && !(_.isNull(raw.otherversions ))) { }} (See other versions) {{ } }} {{ } }} {{ } }}
{{ } }}{{ if (raw.pantechdoctype == "bookDetailPage"){ }}
{{ } }}{{ if (raw.pantechdoctype == "bookLandingPage"){ }}
{{ } }}{{ if (raw.pantechdoctype == "productLanding"){ }}
{{ } }}{{ if (raw.pantechdoctype == "techdocsAuthoredContentPage"){ }}
{{ } }}{{ if (raw.pantechdoctype == "pdf"){ }}
{{ } }}
