>
    Strata Copilot
    Create an App Configuration on Android Endpoints Using Microsoft Intune
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect Administrator's Guide
    4. GlobalProtect Apps
    5. Deploy the GlobalProtect App on Mobile Devices
    6. Manage the GlobalProtect App Using Microsoft Intune
    7. Configure the GlobalProtect App on Android Endpoints Using Microsoft Intune
    8. Create an App Configuration on Android Endpoints Using Microsoft Intune
    Download PDF
    GlobalProtect

    Create an App Configuration on Android Endpoints Using Microsoft Intune

    Table of Contents

    Create an App Configuration on Android Endpoints Using Microsoft Intune

    Create a configuration policy on Microsoft Intune.
    Where Can I Use This?What Do I Need?
    • NGFW (managed by Panorama or Strata Cloud Manager)
    • Prisma Access (managed by Panorama or Strata Cloud Manager)
    • GlobalProtect Gateway license or Prisma Access license with the Mobile User subscription
    You can create a app configuration in Microsoft Intune to allow administrators to customize and manage GlobalProtect app settings for Android devices without requiring users to manually configure the GlobalProtect app themselves. This policy enables IT admins to specify configuration settings that can control app behavior, enable specific features, and enhance security across managed devices.
    For a demonstration of how to create a configuration policy for your Android device on Intune, watch this video.

    1. On the Apps page, click PolicyApp configuration policies and then click CreateManaged Devices.
    2. Enter a name and description for the policy and select the platform (Android Enterprise) and profile type.
    3. Click Select app next to Targeted app, select GlobalProtect, and click OK.
    4. Click Next.
    5. In Configuration settings format, select Use configuration designer and add the required keys.
      Key
      Value Type
      		Description
      Example
      portal
      Required attribute for all configurations
      String
      IP address or fully qualified domain name (FQDN) of the portal.
      10.1.8.190
      app_list
      Required attribute for per-app configurations
      String
      Configuration for Per-App VPN. Begin the string with either the allowlist keyword or blocklist keyword followed by a colon, and follow it with an array of app names separated by semicolons. Add a semicolon at the end of the list too. The allow list specifies the apps that will use the GlobalProtect app for network communication. The network traffic for any other app that is not in the allow list or expressly listed in the block list will not go through the VPN tunnel.
      allowlist | blocklist: com.google.calendar; com.android.email; com.android.chrome
      Default value: none.
      connect_method
      String
      • Choose user-logon for always-on connect method. This automatically connects GlobalProtect with your credentials.
        On Android devices, GlobalProtect does not automatically connect when you open applications configured with an allowlist or blockist. Hence, we recommend setting the always on connect method for per-app configurations.
      • Choose on-demand to ensure that users manually connect GlobalProtect through the application.
      user-logon | on-demand
      Default value: blank, in which case the connect method specified on the portal configuration is used.
      username
      String
      		Username for the user.
      john
      password
      String
      		Password for the user.
      Password!1234
      managed
      Boolean
      Indicates whether the device is managed by an MDM.
      true | false
      Default value: false
      mobile_id
      String
      The mobile ID is used as the host ID.
      5188a8193be43f42d332dde5cb2c941e
      use_default_browser_for_saml
      Boolean
      • Choose true to use the default browser for SAML authentication.
      • Choose false to use the embedded browser for SAML authentication.
      true | false
      Default value: false
      compliance
      String
      Indicates whether the device is compliant with compliance policies. This parameter is included in the HIP report and can be used to create security policies.
      yes | no
      tag
      String
      Tag to identify a device. This parameter is included in the HIP report and can be used to create security policies. You can specify any value for this parameter.
      HR_Department
      proxy-url
      String
      Indicates the URL for your proxy auto-configuration (PAC) file. You can specify the proxy settings when you configure the VPN profile on your Android endpoints. This key is available only from GlobalProtect app for Android version 6.1.7 and later.
      http://example.com/proxy.pac
      https://example.com/proxy.pac
      ownership
      String
      Indicates whether the device is corporate owned or personal. This parameter is included in the HIP report and can be used to create security policies. You can specify any value for this parameter.
      corp-owned
    6. Click Next.
    7. Assign the policy to the appropriate users or groups. To deploy the policy broadly to all applicable devices, select Add all users or Add all devices.
    8. Click Next.
    9. Review your settings and click Create.
      Proxy Auto Configuration (PAC) Deployment from GlobalProtect on Android Endpoints
      Starting from GlobalProtect Android app version 6.1.7, you can configure and deploy proxy auto-configuration (PAC) file URLs on Android endpoints, using the mobile device management (MDM) platforms. By pushing these configurations through mobile device management (MDM), the proxy settings are uniformly applied across all android endpoints, ensuring seamless deployment and consistent security measures.
      You can add the PAC file URL using the following values while creating an app configuration policy rule on Android endpoints using MDM platforms.
      Key: proxy-url
      Value Type: <String>, for example,
      http://pac./proxy.pac,
      https://pac./proxy.pac
      This feature extends the existing desktop capability of GlobalProtect to configure third-party proxies through proxy auto-configuration (PAC) file URLs to the Android mobile platform as well and it eliminates the need of other third- party tools for PAC file URL deployment.
      The supported PAC file URL method includes the Proxy Auto-configuration (PAC) standard and the feature is supported on Android version 11 and later.

    © 2026 Palo Alto Networks, Inc. All rights reserved.