GlobalProtect supports distinct VPN configurations to secure endpoint traffic, including an Always On mode and a Per-App mode. The Always On configuration maintains a constant connection, forcing all traffic that matches predefined gateway filters (such as specific ports and IP addresses) through the secure tunnel. In contrast, the Per-App VPN configuration, typically enabled for managed mobile endpoints using a solution like Microsoft Intune, provides granular control by allowing only specified managed applications to route traffic through the VPN tunnel for internal resource access, while all unmanaged app traffic bypasses the tunnel and connects directly to the internet.

When deployed with Microsoft Intune for Windows 10 UWP Endpoints endpoints, GlobalProtect supports the following connection methods:

• Always On
  In an Always On configuration, GlobalProtect automatically connects as soon as the you log in.
• Per-App
  In a per-app configuration, you can define which managed apps are allowed to route traffic through GlobalProtect. To do so, you can attach a VPN profile to an app, add URLs for the app you want access to, or do a combination of both.