>
    Strata Copilot
    Deploy the GlobalProtect Mobile App Using Workspace ONE
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect Administrator's Guide
    4. GlobalProtect Apps
    5. Deploy the GlobalProtect App on Mobile Devices
    6. Manage the GlobalProtect App Using Workspace ONE
    7. Deploy the GlobalProtect Mobile App Using Workspace ONE
    Download PDF
    GlobalProtect

    Deploy the GlobalProtect Mobile App Using Workspace ONE

    Table of Contents

    Deploy the GlobalProtect Mobile App Using Workspace ONE

    You can deploy the GlobalProtect app to managed endpoints that are enrolled with Workspace ONE. Endpoints running iOS or Android must download the Workspace ONE agent to enroll with the Workspace ONE MDM. Windows 10 endpoints do not require the Workspace ONE agent but require you to configure enrollment on the endpoint. After you deploy the app, configure and deploy a VPN profile to set up the GlobalProtect app for end users automatically.
    If you want to run the GlobalProtect app for Android on managed Chromebooks, you can Deploy the GlobalProtect App for Android on Managed Chromebooks Using Workspace ONE.
    1. Before you begin, ensure that the endpoints to which you want to deploy the GlobalProtect app are enrolled with Workspace ONE:
      • Android and iOS—Download the Workspace ONE agent and follow the prompts to enroll.
      • Windows Phone and Windows 10 UWP—Configure the Windows 10 UWP endpoint to enroll with Workspace ONE (from the endpoint, select SettingsAccountsWork accessConnect).
    2. Add the GlobalProtect app to Workspace ONE:
      1. From Workspace ONE, select ResourcesApps NativePublicAdd Application.
      2. In the Managed by field, select the organization group by which this app will be managed.
      3. Select the Platform (Apple iOS, Android, or Windows Desktop).
      4. Search for the GlobalProtect app in the endpoint app store, or enter one of the following URLs for the GlobalProtect app page:
      5. Click Next. If you searched for the app in the endpoint app store, you must also Select the app from a list of search results, and then SAVE & ASSIGN to configure deployment options.
        If you searched for the GlobalProtect app for Android and did not see the app in the list, contact your Android for Work administrator to add GlobalProtect to the list of approved company apps or use the app URL in the Google Play Store.
    3. Configure deployment options for the GlobalProtect app:
      If you added the app previously but did not assign the app to any Smart Groups, select the GlobalProtect link from the list of apps (ResourcesApps NativePublic). In the Details View, select AssignAdd Assignment.
      1. On the Distribution tab, specify the following information:
        1. Enter a Name for the assignment.
        2. Select one or more Assignment Groups that will have access to the GlobalProtect app.
        3. Choose the App Delivery Method, either Auto, which pushes the app to the device automatically, or On Demand, which deploys the app when needed.
      2. (GlobalProtect App for iOS or Android only) On the Application Configuration tab, enable the application configuration to use the UDID to identify the endpoint.
        • iOS—To use HIP integration with MDM for your GlobalProtect deployment on iOS devices, you can specify the unique device identifier (UDID) attribute. For details, see Configure an Always On VPN Configuration for iOS Endpoints Using Workspace ONE.
          Toggle on Send Configuration and add the following key-value pairs:
          • Configuration Keymobile_id
          • Value TypeString
          • Configuration Value{DeviceUid}
        • Android—Toggle on Send Configuration and specify the settings in the application configuration that are relevant for your company:
          • Portal—IP address or fully qualified domain name (FQDN) of the portal.
          • Username—Username for portal authentication.
          • Password—Password for portal authentication.
          • Client Certificate—Client certificate for portal authentication.
          • Client Certificate Passphrase—Passphrase for the client certificate.
          • App List—Begin the string with either the allowlist keyword or blocklist keyword followed by a colon, and follow it with an array of app names separated by semicolons. The block list or allow list enables you to control which application traffic can go through the VPN tunnel in a per-app VPN configuration (for example, allowlist| blocklist: com.google.calendar; com.android.email; com.android.chrome).
          • Connection Method—VPN connection method (for example, user-logon | on-demand).
          • Remove VPN Configuration Flag—Flag to remove the VPN configuration.
          • Mobile ID—Unique identifier used to identify mobile endpoints, as configured in a third-party MDM system.
          • Allow Network Bypass—Flag to allow application traffic to bypass the VPN tunnel.
          • Client Certificate Alias—Unique name to identify the client certificate during portal or gateway authentication.
          • Specify the Managed by MDM Flag to indicate whether the device is enrolled with an MDM server.
          • Device Ownership—Ownership category of the device (for example, Employee Owned).
          • Device Compliance Status—Compliance status that indicates whether the device is compliant with the compliance policies that you have defined.
          • Tag—Tags to enable you to identify devices. Each tag must be separated by a comma.
          • Use Default Browser for SAML—Whether to enable or disable the default system browser for SAML authentication.
    4. Click Create and then Save to preview the assigned devices.
    5. Click Publish to push the App Catalog to the endpoints in the Smart Groups that you assigned.

    © 2026 Palo Alto Networks, Inc. All rights reserved.