GlobalProtect
Install GlobalProtect for IoT on Android
To use GlobalProtect for IoT on Android devices,
you must build the app and GlobalProtect configuration into the
Android operating system image as a system application. To enable
GlobalProtect to operate in headless mode, you must deploy a pre-configuration
file with the GlobalProtect app package.
- Add the GlobalProtect.apk as a pre-built system app in your Android OS image.
  - From the Support Site, select Updates > Software Updates and download the GlobalProtect APK.
  - Decode the APK file in the android_src_tree_root/packages/app/ directory. The decoder unpacks the app into a GlobalProtect folder.
  - In the GlobalProtect folder, create the Android.mk file. This file describes to the build system the sources and shared libraries that the encoder will use. Edit the file to include the following:

        LOCAL_PATH := $(call my-dir)
        include $(CLEAR_VARS)
        LOCAL_MODULE_TAGS := optional
        LOCAL_MODULE := GlobalProtect
        LOCAL_SRC_FILES := $(LOCAL_MODULE).apk
        LOCAL_MODULE_CLASS := APPS
        LOCAL_MODULE_SUFFIX := $(COMMON_ANDROID_PACKAGE_SUFFIX)
        LOCAL_CERTIFICATE := PRESIGNED
        include $(BUILD_PREBUILT)

  - For any additional MK files in android_src_tree_root/vendor/, add the following line:

        PRODUCT_PACKAGES += GlobalProtect
  - Add libgpjni.so to either /system/lib or /system/lib64, depending on which CPU architecture the IoT device supports. The libgpjni.so file can be retrieved from the lib directory after GlobalProtect.apk is decoded by apktool.
- Modify the Android Framework source code to preauthorize the permission request popup for VPN connection. Edit the android_src_tree_root/frameworks/base/services/core/java/com/android/server/connectivity/Vpn.java file to include the following code segment:

        private boolean isVpnUserPreConsented(String packageName) {
            // IoT: treat the GlobalProtect package as pre-consented so that no
            // VPN permission popup is shown on a headless device.
            if ("com.paloaltonetworks.globalprotect".equals(packageName)) {
                Log.v(TAG, "IoT, isVpnUserPreConsented always true");
                return true;
            }
            AppOpsManager appOps =
                    (AppOpsManager) mContext.getSystemService(Context.APP_OPS_SERVICE);

            // Verify that the caller matches the given package and has permission to activate VPNs.
            return appOps.noteOpNoThrow(AppOpsManager.OP_ACTIVATE_VPN, Binder.getCallingUid(),
                    packageName) == AppOpsManager.MODE_ALLOWED;
        }
- Customize Android behavior to suppress the GlobalProtect icon in the notification bar for Android 8.0 and later releases. Edit the android_src_tree_root/frameworks/base/services/core/java/com/android/server/am/ActiveServices.java file to include the following code segment:

        if (r.packageName.equals("com.paloaltonetworks.globalprotect")) {
            Slog.d(TAG, "not to show the foreground service running notification for IoT");
        } else {
            r.postNotification();
        }
- Configure the VPN settings you want to predeploy for Android IoT devices.
  - Create a configuration file (globalprotect.conf) in the following format and edit the IP address of the GlobalProtect portal and the authentication settings: either username and password, or client certificate path (client-cert-path) and pass-phrase file (client-cert-passphrase).

    Username-password based authentication

        <?xml version="1.0" encoding="UTF-8"?>
        <GlobalProtect>
          <PanSetup>
            <Portal>192.168.1.23</Portal>
          </PanSetup>
          <Settings>
            <head-less>yes</head-less>
            <os-type>IoT</os-type>
            <username>user1</username>
            <password>mypassw0rd</password>
            <log-path-service>/home/gptest/Desktop/data/gps</log-path-service>
            <log-path-agent>/home/gptest/Desktop/data/gpadata</log-path-agent>
          </Settings>
        </GlobalProtect>

    Client-certificate based authentication

        <?xml version="1.0" encoding="UTF-8"?>
        <GlobalProtect>
          <PanSetup>
            <Portal>192.168.1.23</Portal>
          </PanSetup>
          <Settings>
            <head-less>yes</head-less>
            <os-type>IoT</os-type>
            <client-cert-path>/home/gptest/Desktop/data/pan_client_cert.pfx</client-cert-path>
            <client-cert-passphrase>/home/gptest/Desktop/data/pan_client_cert_passcode.dat</client-cert-passphrase>
            <username>user1</username>
            <password>paloalto</password>
            <log-path-service>/home/gptest/Desktop/data/gps</log-path-service>
            <log-path-agent>/home/gptest/Desktop/data/gpadata</log-path-agent>
          </Settings>
        </GlobalProtect>
  - Encode the globalprotect.conf file in Base64 format and save it to the android_src_tree_root/system/config/ directory. If desired, you can save the file to an alternate location. However, you must then edit the location of this configuration in the android_src_tree_root/assets/gp_conf_location.txt file.
- Build the GlobalProtect APK file.
- Sign the GlobalProtect APK file.
- Push the new OS, with GlobalProtect as part of the system image, to the Android devices.
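
An added example, not part of the GlobalProtect documentation: a build-host check that a globalprotect.conf contains the elements shown in the format above before it is Base64-encoded for the image. The function names, the sample password and the choice of unwrapped Base64 output are assumptions; decode_conf shows that the encoding is reversible without a key, so the encoded file should be handled as a plaintext credential.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample in the username-password format shown on this page.
SAMPLE_CONF = """<?xml version="1.0" encoding="UTF-8"?>
<GlobalProtect>
  <PanSetup><Portal>192.168.1.23</Portal></PanSetup>
  <Settings>
    <head-less>yes</head-less>
    <os-type>IoT</os-type>
    <username>user1</username>
    <password>example-only</password>
  </Settings>
</GlobalProtect>
"""
# Element path -> required value (None means any non-empty value).
REQUIRED = {"PanSetup/Portal": None, "Settings/head-less": "yes",
            "Settings/os-type": "IoT"}
AUTH_SETS = (("username", "password"),
             ("client-cert-path", "client-cert-passphrase"))

def check_conf(xml_text):
    """Return a list of problems in a globalprotect.conf document (empty = OK)."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "GlobalProtect":
        return ["root element is not <GlobalProtect>"]
    text = lambda path: (root.findtext(path) or "").strip()
    problems = []
    for path, want in REQUIRED.items():
        got = text(path)
        if not got or (want and got != want):
            problems.append(f"{path}: expected {want or 'a value'}, got {got!r}")
    if not any(all(text(f"Settings/{t}") for t in s) for s in AUTH_SETS):
        problems.append("no complete authentication settings")
    return problems

def encode_conf(xml_text):
    """Validate the document, then return it Base64-encoded (bytes, unwrapped)."""
    problems = check_conf(xml_text)
    if problems:
        raise ValueError("; ".join(problems))
    return base64.b64encode(xml_text.encode("utf-8"))

def decode_conf(encoded):
    """Reverse encode_conf; Base64 needs no key, so any reader can do this."""
    return base64.b64decode(encoded, validate=True).decode("utf-8")
```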