Configure a Per-App VPN Configuration for Android Endpoints Using Workspace ONE
You can give managed mobile endpoints access to internal resources by deploying a GlobalProtect VPN configuration through Workspace ONE. In a per-app VPN configuration, only the managed apps you assign to the profile send traffic through the GlobalProtect VPN tunnel; unmanaged apps, and managed apps you do not assign, continue to connect directly to the internet and never reach the internal network. Choose the assigned apps deliberately: any app that handles internal data but is left out of the assignment will connect outside the tunnel.
Use the following steps to configure a per-app VPN configuration for Android endpoints using Workspace ONE:
  1. Download the GlobalProtect app for Android:
  2. From the Workspace ONE console, modify an existing Android profile or add a new one.
    1. Select Devices > Profiles & Resources > Profiles, and then ADD a new profile.
    2. Select Android (Legacy) from the platform list.
  3. Configure the General settings:
    1. Enter a Name for the profile.
    2. (Optional) Enter a brief Description of the profile that indicates its purpose.
    3. (Optional) Select the Profile Scope, either Production, Staging, or Both.
    4. (Optional) Select an Assignment Type to determine how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
    5. (Optional) Select whether or not you want to Allow Removal of the profile by the end user. Select Always to enable the end user to manually remove the profile at any time, Never to prevent the end user from removing the profile, or With Authorization to enable the end user to remove the profile with the authorization of the administrator. Choosing With Authorization adds a required Password.
    6. (Optional) In the Managed By field, enter the Organization Group with administrative access to the profile.
    7. (Optional) In the Assigned Groups field, add the Smart Groups to which you want the profile added. This field includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups, and more.
    8. (Optional) Indicate whether you want to include any Exclusions to the assignment of this profile. If you select Yes, the Excluded Groups field displays, enabling you to select the Smart Groups that you wish to exclude from the assignment of this profile.
  4. Configure the Credentials settings:
    All per-app VPN configurations require certificate-based authentication.
    • To pull client certificates from Workspace ONE users:
      1. Set the Credential Source to User Certificate.
      2. Select the S/MIME Signing Certificate (default).
    • To upload a client certificate manually:
      1. Set the Credential Source to Upload.
      2. Enter a Credential Name.
      3. Click UPLOAD to locate and select the certificate that you want to upload.
      4. After you select a certificate, click SAVE.
    • To use a predefined certificate authority and template:
      1. Set the Credential Source to Defined Certificate Authority.
      2. Select the Certificate Authority from which you want to obtain certificates.
      3. Select the Certificate Template for the certificate authority.
  5. Configure the VPN settings:
    1. Set the network Connection Type to GlobalProtect.
    2. Enter the Connection Name that the endpoint displays.
    3. In the Server field, enter the hostname or IP address of the GlobalProtect portal to which users connect. Prefer the hostname that matches the portal's server certificate over a bare IP address, so the app can validate the portal without certificate warnings.
    4. Enable Per-App VPN Rules to route all traffic for managed apps through the GlobalProtect VPN tunnel.
    5. In the Authentication area, set the User Authentication method to Certificate.
      All per-app VPN configurations require certificate-based authentication.
    6. Enter the User name for the VPN account or click the add (+) button to view supported lookup values that you can insert.
    7. When prompted, select the Identity Certificate that GlobalProtect will use to authenticate users. The Identity Certificate is the same certificate that you configured in the Credentials settings. It must chain to a CA that is included in the certificate profile on the GlobalProtect portal and gateways; otherwise the portal rejects the connection even though the profile deploys successfully.
  6. SAVE & PUBLISH your changes.
  7. Configure per-app VPN settings for a new managed app or modify the settings for an existing managed app.
    After configuring the settings for the app and enabling per-app VPN, you can publish the app to a group of users and enable the app to send traffic through the GlobalProtect VPN tunnel.
    1. Select Apps & Books > Applications > Native > Public.
    2. To add a new app, select ADD APPLICATION. To modify the settings for an existing app, locate the app in the list of Public apps (List View) and then select the edit icon in the actions menu next to the row.
    3. In the Managed By field, select the organization group that will manage this app.
    4. Set the Platform to Android.
    5. Select your preferred Source for locating the app: search Google Play for it, or import an app that has already been approved for your company in Google Play.
    6. Click NEXT.
      If you chose to search Google Play, click the app icon from the list of search results. If the app has not already been approved for your company, you must APPROVE the app. After the app is approved, SELECT the app.
      If you chose to import the app from Google Play, select the app from the list of approved company apps and then click IMPORT. If you do not see the app in the list, contact your Android for Work administrator to approve the app.
    7. Select the newly added app from the list of Public apps (List View).
    8. From the Applications Details View, click ASSIGN at the top-right corner of the screen.
    9. Select Assignments and then click ADD ASSIGNMENT to add the Smart Groups that will have access to this app.
      1. In the Select Assignment Groups field, select the Smart Groups that you want to grant access to this app.
      2. Select the App Delivery Method. If you select AUTO, the app is automatically deployed to the specified Smart Groups. If you select ON DEMAND, the app must be deployed manually.
      3. Set the Managed Access option to ENABLED. This option gives users access to the app based on the management policies that you apply.
      4. Configure the remaining settings as needed.
      5. ADD the new assignment.
    10. (Optional) To exclude certain Smart Groups from accessing the app, select Exclusions and then select the Smart Groups that you want to exclude from the Exclusion field.
    11. SAVE & PUBLISH the configuration to the assigned Smart Groups.
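The Credentials step (step 4) and the Identity Certificate selection (step 5.7) are where most per-app VPN deployments fail silently: the profile pushes fine, but the portal rejects the certificate. The following POSIX shell script is an added example, not code from this page, from VMware, or from Palo Alto Networks. It pre-flights a PKCS#12 client identity before you upload it as the Credential: the bundle must contain a private key that matches the certificate, the certificate must permit client authentication, it must chain to the CA the portal's certificate profile trusts, and it must be within its validity period. It also prints the subject, since the portal's certificate profile can take the username from the certificate subject and that value should agree with the User name you configured in the profile. It assumes `openssl` is on PATH; the throwaway CA, the subject `jdoe@example.com`, the password `changeit` and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Workspace ONE or GlobalProtect code): pre-flight a PKCS#12
# client identity before uploading it as the Credential / Identity Certificate.
# Assumes openssl on PATH; all names, subjects and passwords below are demo assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a throwaway issuing CA and two client identities.
# "good" carries EKU clientAuth, which a VPN client certificate needs.
# "bad" is a server-only certificate, the mistake this check is meant to catch early.
make_demo_material() (
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -days 2 -subj "/CN=Demo Issuing CA" >/dev/null 2>&1
  printf 'keyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > good.ext
  printf 'keyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' > bad.ext
  for name in good bad; do
    openssl req -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.csr" \
      -subj "/CN=jdoe@example.com" >/dev/null 2>&1
    openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 1 -extfile "$name.ext" -out "$name.pem" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$name.key" -in "$name.pem" -certfile ca.pem \
      -passout pass:changeit -out "$name.p12" >/dev/null 2>&1
  done
)

# check_client_p12 FILE.p12 PASSWORD CA.pem
# Returns 0 when the bundle can authenticate to a portal whose certificate
# profile trusts CA.pem; returns 1 and prints the reason otherwise.
check_client_p12() {
  p12="$1"; pw="$2"; ca="$3"
  tmp="$(mktemp -d "$WORK/chk.XXXXXX")"
  # 1. A private key must be present; a certificate-only bundle cannot complete the TLS handshake.
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes -out "$tmp/key.pem" >/dev/null 2>&1 \
    || { echo "FAIL: no private key in bundle (or wrong password)"; return 1; }
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -clcerts -nokeys -out "$tmp/cert.pem" >/dev/null 2>&1 \
    || { echo "FAIL: no client certificate in bundle"; return 1; }
  # 2. The key and the certificate must belong together.
  kpub="$(openssl pkey -in "$tmp/key.pem" -pubout 2>/dev/null)"
  cpub="$(openssl x509 -in "$tmp/cert.pem" -noout -pubkey 2>/dev/null)"
  [ "$kpub" = "$cpub" ] || { echo "FAIL: private key does not match certificate"; return 1; }
  # 3. If an Extended Key Usage is present it must allow client authentication.
  info="$(openssl x509 -in "$tmp/cert.pem" -noout -text)"
  case "$info" in
    *"Extended Key Usage"*)
      case "$info" in
        *"TLS Web Client Authentication"*) ;;
        *) echo "FAIL: EKU does not include clientAuth"; return 1 ;;
      esac ;;
  esac
  # 4. It must chain to the trusted CA, be within its validity period, and be usable as a TLS client.
  openssl verify -CAfile "$ca" -purpose sslclient "$tmp/cert.pem" >/dev/null 2>&1 \
    || { echo "FAIL: does not verify against $ca for client use"; return 1; }
  # 5. Show the subject so it can be compared with the User name configured in the profile.
  echo "OK: $(openssl x509 -in "$tmp/cert.pem" -noout -subject)"
  return 0
}

# Run with --demo to build the constructed material and check both bundles.
if [ "${1:-}" = "--demo" ]; then
  make_demo_material
  check_client_p12 "$WORK/good.p12" changeit "$WORK/ca.pem"
  check_client_p12 "$WORK/bad.p12" changeit "$WORK/ca.pem" || true
fi
```

Run it as `sh check_p12.sh --demo` to see one pass and one failure, or call `check_client_p12` against the real bundle and the CA certificate you loaded into the portal's certificate profile. Step 4 uses `openssl verify -purpose sslclient`, which applies the same key-usage and EKU rules a TLS server applies to a client certificate, so a bundle that passes here will not be rejected by the portal for a certificate-usage reason; an expired or wrong-CA certificate is caught by the same call.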