>
    Strata Copilot
    Install GlobalProtect for IoT on Android
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect Administrator's Guide
    4. GlobalProtect for IoT Devices
    5. Install GlobalProtect for IoT on Android
    Download PDF
    GlobalProtect

    Install GlobalProtect for IoT on Android

    Table of Contents

    Install GlobalProtect for IoT on Android

    Where Can I Use This?What Do I Need?
    • NGFW (managed by Panorama or Strata Cloud Manager)
    • Prisma Access (managed by Panorama or Strata Cloud Manager)
    • Android operating system
    • GlobalProtect Gateway license or Prisma Access license with the Mobile User subscription
    To use GlobalProtect for IoT on Android devices, you must build the app and GlobalProtect configuration into the Android operating system image as a system application. To enable GlobalProtect to operate in headless mode you must deploy a pre-configuration file with the GlobalProtect app package.
    1. Add the GlobalProtect.apk as a pre-built system app in your Android OS image.
      1. From the Support Site, select UpdatesSoftware Updates and download the GlobalProtect APK.
      2. Decode the APK file in the android_src_tree_root/packages/app/ directory.
        The decoder unpacks the app into a GlobalProtect folder.
      3. In the GlobalProtect folder, create the Android.mk file. This file defines the sources and shared libraries that the encoder will use to the build system.
        Edit the file to include the following:
        LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE := GlobalProtect
LOCAL_SRC_FILES := $(LOCAL_MODULE).apk
LOCAL_MODULE_CLASS := APPS
LOCAL_MODULE_SUFFIX := $(COMMON_ANDROID_PACKAGE_SUFFIX)
LOCAL_CERTIFICATE := PRESIGNED
include $(BUILD_PREBUILT)
      4. For any additional MK files in android_src_tree_root/vendor/, add the following line:
        PRODUCT_PACKAGES += GlobalProtect
      5. Add libgpjni.so to either /system/lib or /system/lib64, depending which CPU architecture the IoT device supports. The libgpjni.so file can be retrieved from the lib directory after GlobalProtect.apk is decoded by apktool.
    2. Modify the Android Framework source code to preauthorize the permission request popup for VPN connection.
      Edit the android_src_tree_root/frameworks/base/services/core/java/com/android/server/connectivity/Vpn.java file to include the following code segment:
      private boolean isVpnUserPreConsented(String packageName) {

    if (“com.paloaltonetworks.globalprotect”.equals(packageName)){
        Log.v(TAG, "IoT, isVpnUserPreConsented always true");
    return true;
    }
    AppOpsManager appOps =
        (AppOpsManager) mContext.getSystemService(Context.APP_OPS_SERVICE);

    // Verify that the caller matches the given package and has permission to activate VPNs.
    return appOps.noteOpNoThrow(AppOpsManager.OP_ACTIVATE_VPN,Binder.getCallingUid(),
        packageName) == AppOpsManager.MODE_ALLOWED;
    }
}
    3. Customize Android behavior to suppress the GlobalProtect icon in the notification bar for Android 8.0 and later releases.
      Edit the android_src_tree_root/frameworks/base/services/core/java/com/android/server/am/ActiveServices.java file to include the following code segment.
      if ( r.packageName.equals("com.paloaltonetworks.globalprotect") ) {
    Slog.d(TAG, "not to show the foreground service running notification for IoT");
} else {
    r.postNotification();
}
    4. Configure the VPN settings you want to predeploy for Android IoT devices.
      1. Create a configuration file (globalprotect.conf) in the following format and edit the IP address of the GlobalProtect portal, and authentication settings, either: username and password, or client certificate path (client-cert-path) and pass-phrase file (client-cert-passphrase).
        Username-password based authentication
        <?xml version="1.0" encoding="UTF-8"?>

<GlobalProtect>
    <PanSetup>
                <Portal>192.168.1.23</Portal>
    </PanSetup>
        <Settings>
                <head-less>yes</head-less>
                <os-type>IoT</os-type> 
                <username>user1</username>
                <password>mypassw0rd</password>
                <log-path-service>/home/gptest/Desktop/data/gps</log-path-service>
                <log-path-agent>/home/gptest/Desktop/data/gpadata</log-path-agent>
        </Settings>
</GlobalProtect>
        Client-certificate based authentication
        <?xml version="1.0" encoding="UTF-8"?>

<GlobalProtect>
    <PanSetup>
                <Portal>192.168.1.23</Portal>
    </PanSetup>
        <Settings>
                <head-less>yes</head-less>
                <os-type>IoT</os-type> 
                <client-cert-path>/home/gptest/Desktop/data/pan_client_cert.pfx</client-cert-path>
                <client-cert-passphrase>/home/gptest/Desktop/data/pan_client_cert_passcode.dat</client-cert-passphrase>
                <username>user1</username>
                <password>paloalto</password>
                <log-path-service>/home/gptest/Desktop/data/gps</log-path-service>
                <log-path-agent>/home/gptest/Desktop/data/gpadata</log-path-agent>
        </Settings>
</GlobalProtect>
      2. Encode the globalprotect.conf file in Base64 format and save it to the android_src_tree_root/system/config/ directory.
        If desired, you can save the file to an alternate location. However, you must edit the location of this configuration in the android_src_tree_root/assets/gp_conf_location.txt file.
    5. Build the GlobalProtect APK file.
    6. Sign the GlobalProtect APK file.
    7. Push the new OS to Android devices as part of the system image and then push the new OS to the Android devices.

    © 2026 Palo Alto Networks, Inc. All rights reserved.