Configure Lockdown Mode for Always On Connect Method on Android Endpoints Using Microsoft Intune


Set up device restrictions for always-on.
For devices configured with the Always On connect method, you must enable lockdown, which forces the secure connection to stay on and connected and disables network access whenever the app is not connected.
For a demonstration of how to configure lockdown mode, watch this video.

  1. On the Microsoft Intune admin center, navigate to Devices > Android > Configuration.
  2. Click Create > New Policy.
  3. Set Platform to Android Enterprise and Profile type to Device restrictions and then click Create.
  4. Enter a name and description and click Next.
  5. Expand Connectivity and enable Always-on VPN (work profile-level).
  6. Set the VPN client to Palo Alto Networks GlobalProtect.
  7. Enable Lockdown mode if required.
    Lockdown mode is similar to the Enforce GlobalProtect for Network Access feature. It ensures that all network traffic from Android endpoints passes through the GlobalProtect app, which enforces security policies and prevents unauthorized access. When enabled, it blocks all network traffic on the endpoint until a connection to the GlobalProtect gateway is established.
  8. Click Next.
  9. Assign the policy to included user groups and click Next.
  10. Review the settings and click Create.
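
To confirm the result of the steps above across many profiles, the following added example (not part of the original procedure, and not Palo Alto Networks or Microsoft code) audits exported Intune device restriction profiles for the always-on VPN client, lockdown mode, and group assignment. The Microsoft Graph property names and the presence of an expanded `assignments` list are assumptions about the export format, and the sample profiles are constructed.

```python
GP_PACKAGE = "com.paloaltonetworks.globalprotect"  # GlobalProtect Android package name

# Assumed Graph property names: @odata.type -> (VPN package field, lockdown field)
VPN_FIELDS = {
    "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration":
        ("vpnAlwaysOnPackageIdentifier", "vpnAlwaysOnLockdownMode"),
    "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration":
        ("vpnAlwaysOnPackageIdentifier", "vpnEnableAlwaysOnLockdownMode"),
}

def audit_profile(profile):
    """Return findings for one exported profile; an empty list means compliant."""
    fields = VPN_FIELDS.get(profile.get("@odata.type"))
    if fields is None:
        return ["not an Android Enterprise device restrictions profile"]
    pkg_field, lock_field = fields
    findings = []
    pkg = profile.get(pkg_field)
    if not pkg:
        findings.append("always-on VPN is not enabled")
    elif pkg != GP_PACKAGE:
        findings.append(f"always-on VPN client is {pkg}, not GlobalProtect")
    # Without lockdown, traffic is not blocked while the app is disconnected.
    if profile.get(lock_field) is not True:
        findings.append("lockdown mode is off")
    # A policy that is never assigned (step 9) protects no devices.
    if not profile.get("assignments"):
        findings.append("profile is not assigned to any group")
    return findings

def audit(profiles):
    """Map each profile's display name to its list of findings."""
    return {p.get("displayName", "<unnamed>"): audit_profile(p) for p in profiles}

# Constructed sample export (names, package and group IDs are placeholders).
_DO = "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration"
SAMPLE_PROFILES = [
    {"@odata.type": _DO, "displayName": "GP always-on with lockdown",
     "vpnAlwaysOnPackageIdentifier": GP_PACKAGE, "vpnAlwaysOnLockdownMode": True,
     "assignments": [{"target": {"groupId": "GROUP-ID-PLACEHOLDER"}}]},
    {"@odata.type": _DO, "displayName": "GP always-on, no lockdown",
     "vpnAlwaysOnPackageIdentifier": GP_PACKAGE, "vpnAlwaysOnLockdownMode": False,
     "assignments": [{"target": {"groupId": "GROUP-ID-PLACEHOLDER"}}]},
    {"@odata.type": _DO, "displayName": "Other VPN, unassigned",
     "vpnAlwaysOnPackageIdentifier": "com.example.vpn",
     "vpnAlwaysOnLockdownMode": False, "assignments": []},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_PROFILES).items():
        print(name, "->", findings or "OK")
```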