GlobalProtect
Delegate GlobalProtect Certificates for Android Endpoints Using Workspace ONE
When you have more than one client certificate
available for GlobalProtect client authentication on Android endpoints,
the Choose Certificate pop-up prompt appears, prompting GlobalProtect
app users to manually select a specific client certificate.
Starting with Android 8 or a later release, you can delegate certificate selection to
GlobalProtect app 5.2.5 or a later release. You can use Workspace ONE to grant
permission to the GlobalProtect app for certificate delegation as part of the VPN
profile that is pushed from the mobile device management (MDM) server. This enables
the GlobalProtect app to select a client certificate based on the client certificate
alias without first prompting GlobalProtect app users to manually select a
certificate on their Android endpoint. As a result, the Choose Certificate pop-up
prompt does not appear on the Android endpoint. If you delegate certificate
selection from the MDM server using any other method, the certificates cannot be
used by the GlobalProtect app.
- Download the GlobalProtect app for Android.
  - Download the GlobalProtect app directly from Google Play.
- From the Workspace ONE console, modify an existing Android profile or add a new one.
  - Select Resources > Profiles & Baselines > Profiles, and then ADD a new profile.
  - Select Android from the platform list.
  - Configure any of the General settings that are appropriate for your company.

    | Setting | Description |
    |---|---|
    | Name | Enter the name of the profile. |
    | Description | Enter a brief description of the profile that indicates its purpose. |
    | OEM Settings | Specify whether to enable or disable the OEM Settings. |
    | Profile Scope | Select either Production, Staging, or Both. |
    | Assignment Type | Determine how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint. |
    | Allow Removal | Determine whether the end user can remove the profile. Select Always to enable the end user to manually remove the profile at any time, Never to prevent the end user from removing the profile, or With Authorization to enable the end user to remove the profile with the authorization of the administrator. Choosing With Authorization adds a required Password to enter. |
    | Managed By | Enter the Organization Group with administrative access to the profile. |
    | Smart Groups | Add the Smart Groups to which you want the profile added. This field includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups, and more. |
    | Exclusions | Indicate whether you want to include any exclusions. If you select Yes, the Excluded Groups field displays, enabling you to select the Smart Groups that you wish to exclude from the assignment of this profile. |

- For your GlobalProtect deployment, configure the Credentials settings to upload a client certificate manually and to create a credentials profile:
  - Select Resources > Profiles & Baselines > Profiles > Add Profile.
  - Select the Platform (Android).
  - Select Credentials, and then Configure.
  - Set the Credential Source to Upload.
  - Enter a Credential Name.
  - Click UPLOAD to locate and select the certificate that you want to upload.
  - After you select a certificate, click SAVE.
  - Click SAVE AND PUBLISH to save your changes.
  - Click PUBLISH to push the endpoint to the Assigned Smart Groups that will have access to this app.
- Verify the credentials profile and universally unique identifier (UUID) attribute.
  - Select Resources > Profiles & Baselines > Profiles.
  - Select the radio button next to the new credentials profile you added in the previous step, and then select </>XML at the top of the table.
  - You can modify the arbitrary_key_name and UUID_from_profile elements to avoid conflicting parameter and key name settings with existing key value pairs (KVPs) that you applied to a managed configuration file of the GlobalProtect app, as shown in the following sample configuration.

    ```xml
    <characteristic uuid="0105beb7-eced-4ac0-9b0f-94fe8cf71864" type="com.airwatch.android.androidwork.app:your_package_id">
      <parm name="arbitrary_key_name" value="UUID_from_profile" type="certificate-alias" />
    </characteristic>
    ```

- Create a custom settings profile to suppress certificate selection notifications on the GlobalProtect app for Android endpoints.
  - Select Resources > Profiles & Baselines > Profiles > Add Profile.
  - Select the Platform (Android).
  - Select Custom Settings > Configure, and then copy and paste the edited configuration.
  - Click SAVE AND PUBLISH to save your changes.
- Configure the VPN profile settings to modify the settings for an existing managed app. After configuring the settings for the app, you can publish the app to a group of users and Workspace ONE can intercept the certificate selection request to provide the correct certificate to GlobalProtect.
  - Select Apps > Native > Public.
  - To modify the settings for an existing app, locate the app in the list of Public apps (List View) and then select the edit icon.
  - Select the existing app from the list of Public apps (List View).
  - Select Assignment, and then an existing assignment. The Distribution window displays the Assigned Smart Groups that have access to the GlobalProtect app.
  - Select Application Configuration. For details about the other settings in the application configuration that are relevant for your company, see Deploy the GlobalProtect Mobile App Using Workspace ONE.
  - In the Client Certificate Alias field, specify the same UUID value that you used for the credential profile. The Client Certificate Alias is the unique UUID value used to identify the client certificate during portal or gateway authentication.
  - Click Edit to modify the settings.
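A pre-publish check for the custom settings XML and the Client Certificate Alias from the steps above, as an added example that is not Palo Alto Networks or Workspace ONE code. The function name, the package ID `com.example.vpnapp`, the key name `gp_cert_alias` and the alias UUID are constructed for illustration, and the check assumes the alias must equal the XML value exactly.

```python
import re
import uuid
import xml.etree.ElementTree as ET

# Prefix of the type attribute as shown in the page's sample configuration.
TYPE_PREFIX = "com.airwatch.android.androidwork.app:"
PLACEHOLDERS = {"arbitrary_key_name", "UUID_from_profile"}

# Constructed sample values; only the characteristic uuid comes from the page.
SAMPLE_PACKAGE = "com.example.vpnapp"
SAMPLE_ALIAS = "3f2b8c1e-7a4d-4e9b-8c6a-1d2e3f4a5b6c"
GOOD_XML = (
    '<characteristic uuid="0105beb7-eced-4ac0-9b0f-94fe8cf71864" '
    f'type="{TYPE_PREFIX}{SAMPLE_PACKAGE}">'
    f'<parm name="gp_cert_alias" value="{SAMPLE_ALIAS}" type="certificate-alias" />'
    '</characteristic>'
)


def check_delegation_xml(xml_text, package_id, client_cert_alias):
    """Return a list of problems; an empty list means the snippet is consistent."""
    # Quotes copied from rendered documentation are often typographic and break XML.
    if re.search("[\u201c\u201d\u2018\u2019]", xml_text):
        return ["typographic quotes present; retype them as plain ASCII quotes"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != "characteristic":
        problems.append(f"root element is <{root.tag}>, expected <characteristic>")
    if root.get("type") != TYPE_PREFIX + package_id:
        problems.append(f"type attribute does not target package {package_id}")
    parms = [p for p in root.iter("parm") if p.get("type") == "certificate-alias"]
    if len(parms) != 1:
        return problems + [f"expected one certificate-alias parm, found {len(parms)}"]
    name, value = parms[0].get("name", ""), parms[0].get("value", "")
    if not name or name in PLACEHOLDERS:
        problems.append("parm name is missing or still the sample placeholder")
    try:
        uuid.UUID(value)  # rejects the UUID_from_profile placeholder
    except ValueError:
        problems.append(f"parm value {value!r} is not a UUID")
    if value != client_cert_alias:
        problems.append("parm value differs from the Client Certificate Alias")
    return problems


if __name__ == "__main__":
    print(check_delegation_xml(GOOD_XML, SAMPLE_PACKAGE, SAMPLE_ALIAS))
```

Run it against the XML pasted into Custom Settings and the value entered in the Client Certificate Alias field before publishing either profile.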