GlobalProtect
Configure the GlobalProtect App for Android
Table of Contents
Expand All
|
Collapse All
GlobalProtect Docs
-
9.1 (EoL)
- 10.1 & Later
- 9.1 (EoL)
-
-
-
- Deploy App Settings in the Windows Registry
- Deploy App Settings from Msiexec
- Deploy Scripts Using the Windows Registry
- Deploy Scripts Using Msiexec
- SSO Wrapping for Third-Party Credential Providers on Windows Endpoints
- Enable SSO Wrapping for Third-Party Credentials with the Windows Registry
- Enable SSO Wrapping for Third-Party Credentials with the Windows Installer
-
- Mobile Device Management Overview
- Set Up the MDM Integration With GlobalProtect
- Qualified MDM Vendors
-
- Remote Access VPN (Authentication Profile)
- Remote Access VPN (Certificate Profile)
- Remote Access VPN with Two-Factor Authentication
- Always On VPN Configuration
- Remote Access VPN with Pre-Logon
- GlobalProtect Multiple Gateway Configuration
- GlobalProtect for Internal HIP Checking and User-Based Access
- Mixed Internal and External Gateway Configuration
- Captive Portal and Enforce GlobalProtect for Network Access
-
-
- End User Experience
- Management and Logging in Panorama
-
- View a Graphical Display of GlobalProtect User Activity in PAN-OS
- View All GlobalProtect Logs on a Dedicated Page in PAN-OS
- Event Descriptions for the GlobalProtect Logs in PAN-OS
- Filter GlobalProtect Logs for Gateway Latency in PAN-OS
- Restrict Access to GlobalProtect Logs in PAN-OS
- Forward GlobalProtect Logs to an External Service in PAN-OS
- Configure Custom Reports for GlobalProtect in PAN-OS
- Monitoring and High Availability
-
- About GlobalProtect Cipher Selection
- Cipher Exchange Between the GlobalProtect App and Gateway
-
- Reference: GlobalProtect App Cryptographic Functions
-
- Reference: TLS Ciphers Supported by GlobalProtect Apps on macOS Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on Windows 10 Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on Windows 7 Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on Android 6.0.1 Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on iOS 10.2.1 Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on Chromebooks
- Ciphers Used to Set Up IPsec Tunnels
- SSL APIs
-
6.3
- 6.3
- 6.2
- 6.1
- 6.0
- 5.1
-
- Download and Install the GlobalProtect App for Windows
- Use Connect Before Logon
- Use Single Sign-On for Smart Card Authentication
- Use the GlobalProtect App for Windows
- Report an Issue From the GlobalProtect App for Windows
- Disconnect the GlobalProtect App for Windows
- Uninstall the GlobalProtect App for Windows
- Fix a Microsoft Installer Conflict
-
- Download and Install the GlobalProtect App for macOS
- Use the GlobalProtect App for macOS
- Report an Issue From the GlobalProtect App for macOS
- Disconnect the GlobalProtect App for macOS
- Uninstall the GlobalProtect App for macOS
- Remove the GlobalProtect Enforcer Kernel Extension
- Enable the GlobalProtect App for macOS to Use Client Certificates for Authentication
-
6.1
- 6.1
- 6.0
- 5.1
-
6.3
- 6.3
- 6.2
- 6.1
- 6.0
- 5.1
End-of-Life (EoL)
Configure the GlobalProtect App for Android
You can deploy and configure the GlobalProtect app on
Android For Work endpoints from any third-party mobile device management
(MDM) system supporting Android For Work App data restrictions.
On Android endpoints, traffic is routed through the VPN tunnel
according to the access routes configured on the GlobalProtect gateway.
From your third-party MDM that manages Android for Work endpoints,
you can further refine the traffic that is routed though the VPN
tunnel.
In an environment where the endpoint is corporately owned, the
endpoint owner manages the entire endpoint, including all the apps
installed on that endpoint. By default, all installed apps can send
traffic through the VPN tunnel according to the access routes defined
on the gateway.
In a bring-your-own-device (BYOD) environment, the endpoint is
not corporately owned and uses a Work Profile to separate business
and personal apps. By default, only managed apps in the Work Profile
can send traffic through the VPN tunnel according to the access
routes defined on the gateway. Apps installed on the personal side
of the endpoint cannot send traffic through the VPN tunnel set by
the managed GlobalProtect app that is installed in the Work Profile.
To route traffic from an even smaller set of apps, you can enable
Per-App VPN so that GlobalProtect only routes traffic from specific
managed apps. For Per-App VPN, you can allow list or block list
specific managed apps from having their traffic routed through the
VPN tunnel.
As part of the VPN configuration, you can also specify how the
user connects to the VPN. When you configure the connect method
as user-logon, the GlobalProtect app establishes
a connection automatically. When you configure the connect method
as on-demand, users must initiate a connection
manually.
The VPN connect method defined in the MDM takes precedence over
the connect method defined in the GlobalProtect portal configuration.
Removing the VPN configuration automatically restores the GlobalProtect
app to its original configuration settings.
To configure the GlobalProtect app for Android, configure the
following Android App Restrictions.
Key | Value Type | Description | Example |
|---|---|---|---|
portal | String | IP address or fully qualified domain name
(FQDN) of the portal. | 10.1.8.190 |
username | String | Username for the user. | john |
password | String | Password for the user. | Passwd!234 |
mobile_id | String | Mobile ID as configured in third-party MDM
service to uniquely identify a mobile device. GlobalProtect uses
this mobile ID to retrieve device information. | 5188a8193be43f42d332dde5cb2c941e |
certificate | String (in Base64) | Client certificate (cert) used to authenticate
the agent and the portal. | DAFDSaweEWQ23wDSAFD…. |
client_certificate_ passphrase | String | Key associated with the client certificate. | PA$$W0RD$123 |
app_list | String | Configuration for Per-App VPN. Begin the
string with either the allow list or block list, and follow it with
an array of app names separated by semicolons. The allow list specifies
the apps that will use the VPN tunnel for network communication.
The network traffic for any other app that is not in the allow list
or expressly listed in the block list will not go through the VPN tunnel. | allow list | block list: com.google.calendar; com.android.email; com.android.chrome |
connect_method | String | Either user-logon to automatically connect
the user to the GlobalProtect portal using their windows credentials
or on-demand to manually connect the user to the gateway. | user-logon | on-demand |
remove_vpn_ config_via_ restriction | Boolean | Permanently remove all GlobalProtect VPN
configuration information. | true | false |