Create an App Configuration on Android Endpoints Using Microsoft Intune

1. On the Apps page, click PolicyApp configuration policies and then click CreateManaged Devices.
2. Enter a name and description for the policy and select the platform (Android Enterprise) and profile type.
3. Click Select app next to Targeted app, select GlobalProtect, and click OK.

4. Click Next.
5. In Configuration settings format, select Use configuration designer and add the required keys.

   Key	Value Type	Description	Example
   portal Required attribute for all configurations	String	IP address or fully qualified domain name (FQDN) of the portal.	10.1.8.190
   app_list Required attribute for per-app configurations	String	Configuration for Per-App VPN. Begin the string with either the allowlist keyword or blocklist keyword followed by a colon, and follow it with an array of app names separated by semicolons. Add a semicolon at the end of the list too. The allow list specifies the apps that will use the GlobalProtect app for network communication. The network traffic for any other app that is not in the allow list or expressly listed in the block list will not go through the VPN tunnel.	allowlist | blocklist: com.google.calendar; com.android.email; com.android.chrome Default value: none.
   connect_method	String	Choose user-logon for always-on connect method. This automatically connects GlobalProtect with your credentials. On Android devices, GlobalProtect does not automatically connect when you open applications configured with an allowlist or blockist. Hence, we recommend setting the always on connect method for per-app configurations. Choose on-demand to ensure that users manually connect GlobalProtect through the application.	user-logon | on-demand Default value: blank, in which case the connect method specified on the portal configuration is used.
   username	String	Username for the user.	john
   password	String	Password for the user.	Password!1234
   managed	Boolean	Indicates whether the device is managed by an MDM.	true | false Default value: false
   mobile_id	String	The mobile ID is used as the host ID.	5188a8193be43f42d332dde5cb2c941e
   use_default_browser_for_saml	Boolean	Choose true to use the default browser for SAML authentication. Choose false to use the embedded browser for SAML authentication.	true | false Default value: false
   compliance	String	Indicates whether the device is compliant with compliance policies. This parameter is included in the HIP report and can be used to create security policies.	yes | no
   tag	String	Tag to identify a device. This parameter is included in the HIP report and can be used to create security policies. You can specify any value for this parameter.	HR_Department
   proxy-url	String	Indicates the URL for your proxy auto-configuration (PAC) file. You can specify the proxy settings when you configure the VPN profile on your Android endpoints. This key is available only from GlobalProtect app for Android version 6.1.7 and later.	proxy.pac proxy.pac
   ownership	String	Indicates whether the device is corporate owned or personal. This parameter is included in the HIP report and can be used to create security policies. You can specify any value for this parameter.	corp-owned

6. Click Next.
7. Assign the policy to the appropriate users or groups. To deploy the policy broadly to all applicable devices, select Add all users or Add all devices.
8. Click Next.
9. Review your settings and click Create.

   Proxy Auto Configuration (PAC) Deployment from GlobalProtect on Android Endpoints

   Starting from GlobalProtect Android app version 6.1.7, you can configure and deploy proxy auto-configuration (PAC) file URLs on Android endpoints, using the mobile device management (MDM) platforms. By pushing these configurations through mobile device management (MDM), the proxy settings are uniformly applied across all android endpoints, ensuring seamless deployment and consistent security measures.

   You can add the PAC file URL using the following values while creating an app configuration policy rule on Android endpoints using MDM platforms.

   Key: proxy-url

   Value Type: <String>, for example,

   http://pac./proxy.pac,

   https://pac./proxy.pac

   This feature extends the existing desktop capability of GlobalProtect to configure third-party proxies through proxy auto-configuration (PAC) file URLs to the Android mobile platform as well and it eliminates the need of other third- party tools for PAC file URL deployment.

   The supported PAC file URL method includes the Proxy Auto-configuration (PAC) standard and the feature is supported on Android version 11 and later.