GlobalProtect
Install GlobalProtect for IoT on Android
9.1 (EoL)
End-of-Life (EoL)
To use GlobalProtect for IoT on Android devices,
you must build the app and GlobalProtect configuration into the
Android operating system image as a system application. To enable
GlobalProtect to operate in headless mode, you must deploy a pre-configuration
file with the GlobalProtect app package.
- Add the GlobalProtect.apk as a pre-built system
app in your Android OS image.
- From the Support Site, select Updates > Software Updates and download the GlobalProtect APK.
- Decode the APK file in the android_src_tree_root/packages/app/ directory. The decoder unpacks the app into a GlobalProtect folder.
- In the GlobalProtect folder, create the Android.mk file.
This file defines, for the build system, the sources and shared libraries
that the encoder will use. Edit the file to include the following:

    LOCAL_PATH := $(call my-dir)
    include $(CLEAR_VARS)
    LOCAL_MODULE_TAGS := optional
    LOCAL_MODULE := GlobalProtect
    LOCAL_SRC_FILES := $(LOCAL_MODULE).apk
    LOCAL_MODULE_CLASS := APPS
    LOCAL_MODULE_SUFFIX := $(COMMON_ANDROID_PACKAGE_SUFFIX)
    LOCAL_CERTIFICATE := PRESIGNED
    include $(BUILD_PREBUILT)

- For any additional MK files in android_src_tree_root/vendor/,
add the following line:
PRODUCT_PACKAGES += GlobalProtect
- Add libgpjni.so to either /system/lib or /system/lib64, depending on which CPU architecture the IoT device supports. The libgpjni.so file can be retrieved from the lib directory after GlobalProtect.apk is decoded by apktool.
- Modify the Android Framework source code to preauthorize
the permission request popup for VPN connection. Edit the android_src_tree_root/frameworks/base/services/core/java/com/android/server/connectivity/Vpn.java file to include the following code segment:

    private boolean isVpnUserPreConsented(String packageName) {
        // IoT build: treat the GlobalProtect package as already consented,
        // so the VPN permission request popup is never shown for it.
        if ("com.paloaltonetworks.globalprotect".equals(packageName)) {
            Log.v(TAG, "IoT, isVpnUserPreConsented always true");
            return true;
        }
        AppOpsManager appOps =
                (AppOpsManager) mContext.getSystemService(Context.APP_OPS_SERVICE);
        // Verify that the caller matches the given package and has permission to activate VPNs.
        return appOps.noteOpNoThrow(AppOpsManager.OP_ACTIVATE_VPN, Binder.getCallingUid(),
                packageName) == AppOpsManager.MODE_ALLOWED;
    }

- Customize Android behavior to suppress the GlobalProtect
icon in the notification bar for Android 8.0 and later releases. Edit the android_src_tree_root/frameworks/base/services/core/java/com/android/server/am/ActiveServices.java file to include the following code segment.

    if (r.packageName.equals("com.paloaltonetworks.globalprotect")) {
        Slog.d(TAG, "not to show the foreground service running notification for IoT");
    } else {
        r.postNotification();
    }

- Configure the VPN settings you want to predeploy for
Android IoT devices.
- Create a configuration file (globalprotect.conf)
in the following format and edit the IP address of the GlobalProtect
portal and the authentication settings: either username and password,
or client certificate path (client-cert-path) and pass-phrase file
(client-cert-passphrase).

Username-password based authentication

    <?xml version="1.0" encoding="UTF-8"?>
    <GlobalProtect>
      <PanSetup>
        <Portal>192.168.1.23</Portal>
      </PanSetup>
      <Settings>
        <head-less>yes</head-less>
        <os-type>IoT</os-type>
        <username>user1</username>
        <password>mypassw0rd</password>
        <log-path-service>/home/gptest/Desktop/data/gps</log-path-service>
        <log-path-agent>/home/gptest/Desktop/data/gpadata</log-path-agent>
      </Settings>
    </GlobalProtect>

Client-certificate based authentication

    <?xml version="1.0" encoding="UTF-8"?>
    <GlobalProtect>
      <PanSetup>
        <Portal>192.168.1.23</Portal>
      </PanSetup>
      <Settings>
        <head-less>yes</head-less>
        <os-type>IoT</os-type>
        <client-cert-path>/home/gptest/Desktop/data/pan_client_cert.pfx</client-cert-path>
        <client-cert-passphrase>/home/gptest/Desktop/data/pan_client_cert_passcode.dat</client-cert-passphrase>
        <username>user1</username>
        <password>paloalto</password>
        <log-path-service>/home/gptest/Desktop/data/gps</log-path-service>
        <log-path-agent>/home/gptest/Desktop/data/gpadata</log-path-agent>
      </Settings>
    </GlobalProtect>

- Encode the globalprotect.conf file
in Base64 format and save it to the android_src_tree_root/system/config/ directory. If desired, you can save the file to an alternate location. However, you must edit the location of this configuration in the android_src_tree_root/assets/gp_conf_location.txt file.
- Build the GlobalProtect APK file.
- Sign the GlobalProtect APK file.
- Push the new OS, with the app built in as part of the system image, to the Android devices.
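
For the globalprotect.conf step above, an added example (not Palo Alto Networks code): a build-time check in Python that validates a conf file against the fields shown in the samples, Base64-encodes it, and decodes an encoded file to list the credential-bearing fields, since Base64 is reversible without any key. The function names, the sample values, and the rule that head-less and os-type must match the samples are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample in the page's username/password format (placeholder values).
SAMPLE_CONF = b"""<?xml version="1.0" encoding="UTF-8"?>
<GlobalProtect>
  <PanSetup><Portal>192.168.1.23</Portal></PanSetup>
  <Settings>
    <head-less>yes</head-less>
    <os-type>IoT</os-type>
    <username>user1</username>
    <password>example-password</password>
  </Settings>
</GlobalProtect>"""

# Elements whose values are credentials or point at credential files.
SENSITIVE = ("password", "client-cert-path", "client-cert-passphrase")


def check_conf(xml_bytes):
    """Return a list of problems (assumed rules, derived from the page's samples)."""
    root = ET.fromstring(xml_bytes)
    get = lambda path: (root.findtext(path) or "").strip()
    problems = []
    if not get("PanSetup/Portal"):
        problems.append("missing Portal")
    if get("Settings/head-less") != "yes":
        problems.append("head-less is not yes")
    if get("Settings/os-type") != "IoT":
        problems.append("os-type is not IoT")
    by_password = get("Settings/username") and get("Settings/password")
    by_cert = get("Settings/client-cert-path") and get("Settings/client-cert-passphrase")
    if not (by_password or by_cert):
        problems.append("no complete authentication settings")
    return problems


def encode_conf(xml_bytes):
    """Base64-encode a conf file, refusing one that fails check_conf()."""
    problems = check_conf(xml_bytes)
    if problems:
        raise ValueError("; ".join(problems))
    return base64.b64encode(xml_bytes)


def exposed_fields(encoded):
    """Decode a Base64 conf (no key needed) and return its sensitive fields."""
    root = ET.fromstring(base64.b64decode(encoded, validate=True))
    return {e.tag: e.text for e in root.iter() if e.tag in SENSITIVE and e.text}
```

Running exposed_fields against the encoded file that ships in the image shows which values are recoverable by anything that can read that file, which is the input for deciding file permissions and which account the portal credentials belong to.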