Install GlobalProtect for IoT on Android

To use GlobalProtect for IoT on Android devices, you must build the app and GlobalProtect configuration into the Android operating system image as a system application. To enable GlobalProtect to operate in headless mode, you must deploy a pre-configuration file with the GlobalProtect app package.
  1. Add the GlobalProtect.apk as a pre-built system app in your Android OS image.
    1. From the Support Site, select Updates > Software Updates and download the GlobalProtect APK.
    2. Decode the APK file in the android_src_tree_root/packages/app/ directory.
      The decoder unpacks the app into a GlobalProtect folder.
    3. In the GlobalProtect folder, create the Android.mk file. This file defines, for the build system, the sources and shared libraries that the encoder will use.
      Edit the file to include the following:
        LOCAL_PATH := $(call my-dir)
        include $(CLEAR_VARS)
        LOCAL_MODULE_TAGS := optional
        LOCAL_MODULE := GlobalProtect
        LOCAL_SRC_FILES := $(LOCAL_MODULE).apk
        LOCAL_MODULE_CLASS := APPS
        LOCAL_MODULE_SUFFIX := $(COMMON_ANDROID_PACKAGE_SUFFIX)
        # PRESIGNED: the build keeps the signature already on the APK
        LOCAL_CERTIFICATE := PRESIGNED
        include $(BUILD_PREBUILT)
    4. For any additional MK files in android_src_tree_root/vendor/, add the following line:
        PRODUCT_PACKAGES += GlobalProtect
    5. Add libgpjni.so to either /system/lib or /system/lib64, depending on which CPU architecture the IoT device supports. The libgpjni.so file can be retrieved from the lib directory after GlobalProtect.apk is decoded by apktool.
  2. Modify the Android Framework source code to preauthorize the permission request popup for VPN connection.
    Edit the android_src_tree_root/frameworks/base/services/core/java/com/android/server/connectivity/Vpn.java file to include the following code segment:
      private boolean isVpnUserPreConsented(String packageName) {
          // IoT: skip the consent dialog for GlobalProtect; the match is on package name only.
          if ("com.paloaltonetworks.globalprotect".equals(packageName)) {
              Log.v(TAG, "IoT, isVpnUserPreConsented always true");
              return true;
          }
          AppOpsManager appOps = (AppOpsManager) mContext.getSystemService(Context.APP_OPS_SERVICE);
          // Verify that the caller matches the given package and has permission to activate VPNs.
          return appOps.noteOpNoThrow(AppOpsManager.OP_ACTIVATE_VPN, Binder.getCallingUid(), packageName) == AppOpsManager.MODE_ALLOWED;
      }
  3. Customize Android behavior to suppress the GlobalProtect icon in the notification bar for Android 8.0 and later releases.
    Edit the android_src_tree_root/frameworks/base/services/core/java/com/android/server/am/ActiveServices.java file to include the following code segment:
      if (r.packageName.equals("com.paloaltonetworks.globalprotect")) {
          Slog.d(TAG, "not to show the foreground service running notification for IoT");
      } else {
          r.postNotification();
      }
  4. Configure the VPN settings you want to predeploy for Android IoT devices.
    1. Create a configuration file (globalprotect.conf) in the following format and edit the IP address of the GlobalProtect portal and the authentication settings: either username and password, or client certificate path (client-cert-path) and passphrase file (client-cert-passphrase).
      Username-password based authentication
        <?xml version="1.0" encoding="UTF-8"?>
        <GlobalProtect>
          <PanSetup>
            <Portal>192.168.1.23</Portal>
          </PanSetup>
          <Settings>
            <head-less>yes</head-less>
            <os-type>IoT</os-type>
            <username>user1</username>
            <password>mypassw0rd</password>
            <log-path-service>/home/gptest/Desktop/data/gps</log-path-service>
            <log-path-agent>/home/gptest/Desktop/data/gpadata</log-path-agent>
          </Settings>
        </GlobalProtect>
      Client-certificate based authentication
        <?xml version="1.0" encoding="UTF-8"?>
        <GlobalProtect>
          <PanSetup>
            <Portal>192.168.1.23</Portal>
          </PanSetup>
          <Settings>
            <head-less>yes</head-less>
            <os-type>IoT</os-type>
            <client-cert-path>/home/gptest/Desktop/data/pan_client_cert.pfx</client-cert-path>
            <client-cert-passphrase>/home/gptest/Desktop/data/pan_client_cert_passcode.dat</client-cert-passphrase>
            <username>user1</username>
            <password>paloalto</password>
            <log-path-service>/home/gptest/Desktop/data/gps</log-path-service>
            <log-path-agent>/home/gptest/Desktop/data/gpadata</log-path-agent>
          </Settings>
        </GlobalProtect>
    2. Encode the globalprotect.conf file in Base64 format and save it to the android_src_tree_root/system/config/ directory.
      If desired, you can save the file to an alternate location. However, you must edit the location of this configuration in the android_src_tree_root/assets/gp_conf_location.txt file.
  5. Build the GlobalProtect APK file.
  6. Sign the GlobalProtect APK file.
  7. Push the new OS, with GlobalProtect included as part of the system image, to the Android devices.
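
A pre-deployment check for step 4, as an added example (not Palo Alto Networks code): it validates a globalprotect.conf against the two formats shown above before Base64-encoding it. The sample file and its values are constructed, the function names are hypothetical, and treating `yes` and `IoT` as required values is an assumption drawn from the page's samples.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample in the page's username-password format; values are placeholders.
SAMPLE_CONF = b"""<?xml version="1.0" encoding="UTF-8"?>
<GlobalProtect>
  <PanSetup><Portal>192.0.2.10</Portal></PanSetup>
  <Settings>
    <head-less>yes</head-less>
    <os-type>IoT</os-type>
    <username>user1</username>
    <password>example-only</password>
  </Settings>
</GlobalProtect>
"""

def check_conf(xml_bytes):
    """Return a list of problems in a globalprotect.conf; an empty list means it passed."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    def text(path):
        return (root.findtext(path) or "").strip()
    problems = []
    if root.tag != "GlobalProtect":
        problems.append("root element is not <GlobalProtect>")
    if not text("PanSetup/Portal"):
        problems.append("missing <Portal>")
    # Assumption: the values shown in the page's samples are the required ones.
    for path, want in (("Settings/head-less", "yes"), ("Settings/os-type", "IoT")):
        if text(path) != want:
            problems.append(f"<{path}> is not '{want}'")
    pairs = (("username", "password"), ("client-cert-path", "client-cert-passphrase"))
    if not any(all(text(f"Settings/{tag}") for tag in pair) for pair in pairs):
        problems.append("no complete credential pair in <Settings>")
    return problems

def encode_conf(xml_bytes):
    """Validate, then Base64-encode; raise ValueError if the file fails the checks."""
    problems = check_conf(xml_bytes)
    if problems:
        raise ValueError("; ".join(problems))
    encoded = base64.b64encode(xml_bytes)
    # Base64 is reversible without a key, so the encoded file still exposes the
    # credentials; confirm the round trip so a damaged file never ships.
    if base64.b64decode(encoded, validate=True) != xml_bytes:
        raise ValueError("Base64 round trip failed")
    return encoded
```

Because Base64 is reversible without a key, the encoded file exposes the same credentials as the XML, so it needs the same access restrictions in the build tree and in the image.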
