Delegate GlobalProtect Certificates for Android Endpoints Using Workspace ONE
When more than one client certificate is available for GlobalProtect client
authentication on an Android endpoint, the Choose Certificate pop-up prompt
appears and asks GlobalProtect app users to select a specific client
certificate manually.
On Android 8 or a later release, you can delegate certificate selection to
GlobalProtect app 5.2.5 or a later release. You can use Workspace ONE to grant
the GlobalProtect app permission for certificate delegation as part of the VPN
profile that is pushed from the mobile device management (MDM) server. The
GlobalProtect app can then select a client certificate based on the client
certificate alias without first prompting GlobalProtect app users to select a
certificate manually on their Android endpoint, so the Choose Certificate pop-up
prompt does not appear on the endpoint. If you delegate certificate selection
from the MDM server using any other method, the GlobalProtect app cannot use
the certificates.
Download the GlobalProtect app directly from Google Play.
From the Workspace ONE console, modify an existing Android profile or add a new
one.
Select Resources > Profiles & Baselines > Profiles, and then ADD a new profile.
Select Android from the platform list.
Configure any of the General settings that are appropriate for your company.
Setting: Description

Name: Enter the name of the profile.

Description: Enter a brief description of the profile that indicates its
purpose.

OEM Settings: Specify whether to enable or disable the OEM Settings.

Profile Scope: Select either Production, Staging, or Both.

Assignment Type: Determine how the profile is deployed to endpoints. Select
Auto to deploy the profile to all endpoints automatically, Optional to enable
the end user to install the profile from the Self-Service Portal (SSP) or to
manually deploy the profile to individual endpoints, or Compliance to deploy
the profile when an end user violates a compliance policy applicable to the
endpoint.

Allow Removal: Determine whether the end user can remove the profile. Select
Always to enable the end user to manually remove the profile at any time,
Never to prevent the end user from removing the profile, or With Authorization
to enable the end user to remove the profile with the authorization of the
administrator. Choosing With Authorization adds a required Password to enter.

Managed By: Enter the Organization Group with administrative access to the
profile.

Smart Groups: Add the Smart Groups to which you want the profile added. This
field includes an option to create a new Smart Group, which can be configured
with specs for minimum OS, device models, ownership categories, organization
groups, and more.

Exclusions: Indicate whether you want to include any exclusions. If you select
Yes, the Excluded Groups field displays, enabling you to select the Smart
Groups that you wish to exclude from the assignment of this profile.
For your GlobalProtect deployment, configure the Credentials settings to upload
a client certificate manually and to create a credentials profile:
Click UPLOAD to locate and select the certificate that you want to upload.
After you select a certificate, click SAVE.
Click SAVE AND PUBLISH to save your changes.
Click PUBLISH to push the profile to the Assigned Smart Groups that will have
access to this app.
Verify the credentials profile and universally unique identifier (UUID)
attribute.
Select Resources > Profiles & Baselines > Profiles.
Select the radio button next to the new credentials profile you added in the
previous step, and then select </> XML at the top of the table.
You can modify the arbitrary_key_name and UUID_from_profile elements to avoid
conflicting parameter and key name settings with existing key value pairs
(KVPs) that you applied to a managed configuration file of the GlobalProtect
app, as shown in the following sample configuration.
Select Custom Settings > Configure, and then copy and paste the edited
configuration.
Click SAVE AND PUBLISH to save your changes.
Configure the VPN profile settings to modify the settings
for an existing managed app.
After configuring the settings for the app, you can publish the app to a group of users and
Workspace ONE can intercept the certificate selection request to provide the
correct certificate to GlobalProtect.
Select Apps > Native > Public.
To modify the settings for an existing app, locate the app in the list of
Public apps (List View) and then select the edit icon in the actions menu next
to the row.
Select the existing app from the list of Public apps (List View).
Select Assignment, and then an existing assignment.
The Distribution window displays the Assigned Smart Groups that have access to
the GlobalProtect app.
In the Client Certificate Alias field, specify the same UUID value that you
used for the credentials profile. The Client Certificate Alias is the unique
UUID value used to identify the client certificate during portal or gateway
authentication.
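The procedure above hinges on two values agreeing: the uuid attribute of the
exported credentials profile and the Client Certificate Alias entered in the
VPN assignment, with the arbitrary_key_name and UUID_from_profile placeholders
edited before the configuration is pasted into Custom Settings. The following
Python script is an added example, not part of the original documentation or of
Workspace ONE; it checks those conditions on an exported profile before you
publish. The XML it parses is constructed for the example and only assumes a
uuid attribute on some element and name/value pairs on elements named parm; the
real Workspace ONE export uses its own element names, which are not reproduced
here.

```python
import uuid
import xml.etree.ElementTree as ET

# Constructed sample of an exported credentials profile. This is NOT the real
# Workspace ONE export format: the element names are placeholders, and only the
# uuid attribute and the name/value pair are assumed for the check below.
SAMPLE_PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<profile>
  <characteristic type="placeholder.credentials"
                  uuid="3f2a9c4e-7b1d-4e8a-9c6f-2d5b8a1e0f74">
    <parm name="arbitrary_key_name" value="UUID_from_profile"/>
  </characteristic>
</profile>
"""


def is_valid_uuid(value: str) -> bool:
    """True when value parses as a UUID (any case, with or without braces)."""
    try:
        uuid.UUID(value)
    except ValueError:
        return False
    return True


def extract_profile_uuids(xml_text: str) -> list:
    """Return every uuid attribute in the exported profile, lower-cased."""
    root = ET.fromstring(xml_text)
    return [
        elem.attrib["uuid"].strip().lower()
        for elem in root.iter()
        if elem.attrib.get("uuid")
    ]


def alias_matches_profile(alias: str, xml_text: str) -> bool:
    """True when the Client Certificate Alias is a well-formed UUID and equals
    the uuid attribute of the credentials profile, compared case-insensitively
    so a pasted upper-case alias still matches."""
    alias_norm = alias.strip().lower()
    if not is_valid_uuid(alias_norm):
        return False
    return alias_norm in extract_profile_uuids(xml_text)


def find_unresolved_placeholders(xml_text: str) -> list:
    """Flag KVP entries whose key or value was pasted without being edited.
    Assumes KVPs are <parm name=... value=.../> elements (placeholder shape)."""
    root = ET.fromstring(xml_text)
    issues = []
    for elem in root.iter("parm"):
        name = elem.attrib.get("name", "")
        value = elem.attrib.get("value", "")
        if name == "arbitrary_key_name":
            issues.append(f"key name left as placeholder: {name!r}")
        if value == "UUID_from_profile" or not is_valid_uuid(value):
            issues.append(f"value for {name!r} is not a UUID: {value!r}")
    return issues


if __name__ == "__main__":
    alias_from_console = "3F2A9C4E-7B1D-4E8A-9C6F-2D5B8A1E0F74"  # constructed
    print("alias matches profile:",
          alias_matches_profile(alias_from_console, SAMPLE_PROFILE_XML))
    for issue in find_unresolved_placeholders(SAMPLE_PROFILE_XML):
        print("fix before publishing:", issue)
```

Run it against the XML you copied from the </> XML view; an alias mismatch or
an unedited placeholder is reported before the profile reaches endpoints, where
the symptom would only be the Choose Certificate prompt reappearing.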