Delegate GlobalProtect Certificates for Android Endpoints Using Workspace ONE

When you have more than one client certificate available for GlobalProtect client authentication on Android endpoints, the Choose Certificate pop-up prompt appears, prompting GlobalProtect app users to manually select a specific client certificate.
Starting with Android 8 or a later release, you can delegate certificate selection to GlobalProtect app 5.2.5 or a later release. You can use Workspace ONE to grant permission to the GlobalProtect app for certificate delegation as part of the VPN profile that is pushed from the mobile device management (MDM) server. This enables the GlobalProtect app to select a client certificate based on the client certificate alias without first prompting GlobalProtect app users to manually select a certificate on their Android endpoint. As a result, the Choose Certificate pop-up prompt does not appear on the Android endpoint. If you delegate certificate selection from the MDM server using any other method, the certificates cannot be used by the GlobalProtect app.
  1. Download the GlobalProtect app for Android.
  2. From the Workspace ONE console, modify an existing Android profile or add a new one.
    1. Select Resources > Profiles & Baselines > Profiles, and then ADD a new profile.
    2. Select Android from the platform list.
  3. Configure any of the General settings that are appropriate for your company.
    Setting: Description
    Name: Enter the name of the profile.
    Description: Enter a brief description of the profile that indicates its purpose.
    OEM Settings: Specify whether to enable or disable the OEM Settings.
    Profile Scope: Select either Production, Staging, or Both.
    Assignment Type: Determine how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
    Allow Removal: Determine whether the end user can remove the profile. Select Always to enable the end user to manually remove the profile at any time, Never to prevent the end user from removing the profile, or With Authorization to enable the end user to remove the profile with the authorization of the administrator. Choosing With Authorization adds a required Password to enter.
    Managed By: Enter the Organization Group with administrative access to the profile.
    Smart Groups: Add the Smart Groups to which you want the profile added. This field includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups, and more.
    Exclusions: Indicate whether you want to include any exclusions. If you select Yes, the Excluded Groups field displays, enabling you to select the Smart Groups that you wish to exclude from the assignment of this profile.
  4. For your GlobalProtect deployment, configure the Credentials settings to upload a client certificate manually and to create a credentials profile:
    1. Select Resources > Profiles & Baselines > Profiles > Add Profile.
    2. Select the Platform (Android).
    3. Select Credentials, and then Configure.
    4. Set the Credential Source to Upload.
    5. Enter a Credential Name.
    6. Click UPLOAD to locate and select the certificate that you want to upload.
    7. After you select a certificate, click SAVE.
    8. Click SAVE AND PUBLISH to save your changes.
    9. Click PUBLISH to push the profile to the Assigned Smart Groups that will have access to this app.
  5. Verify the credentials profile and universally unique identifier (UUID) attribute.
    1. Select Resources > Profiles & Baselines > Profiles.
    2. Select the radio button next to the new credentials profile you added in the previous step, and then select </> XML at the top of the table.
      You can modify the arbitrary_key_name and UUID_from_profile values to avoid conflicting parameter and key name settings with existing key value pairs (KVPs) that you applied to a managed configuration file of the GlobalProtect app, as shown in the following sample configuration.
      <characteristic uuid="0105beb7-eced-4ac0-9b0f-94fe8cf71864" type="com.airwatch.android.androidwork.app:your_package_id">
        <parm name="arbitrary_key_name" value="UUID_from_profile" type="certificate-alias" />
      </characteristic>
  6. Create a custom settings profile to suppress certificate selection notifications on the GlobalProtect app for Android endpoints.
    1. Select Resources > Profiles & Baselines > Profiles > Add Profile.
    2. Select the Platform (Android).
    3. Select Custom Settings > Configure, and then copy and paste the edited configuration.
    4. Click SAVE AND PUBLISH to save your changes.
  7. Configure the VPN profile settings to modify the settings for an existing managed app.
    After configuring the settings for the app, you can publish the app to a group of users and Workspace ONE can intercept the certificate selection request to provide the correct certificate to GlobalProtect.
    1. Select Apps > Native > Public.
    2. To modify the settings for an existing app, locate the app in the list of Public apps (List View) and then select the edit icon in the actions menu next to the row.
    3. Select the existing app from the list of Public apps (List View).
    4. Select Assignment, and then an existing assignment.
      The Distribution window displays the Assigned Smart Groups that have access to the GlobalProtect app.
    5. Select Application Configuration. For details about the other application configuration settings that are relevant for your company, see Deploy the GlobalProtect Mobile App Using Workspace ONE.
    6. In the Client Certificate Alias field, specify the same UUID value that you used for the credential profile. The Client Certificate Alias is the unique UUID value used to identify the client certificate during portal or gateway authentication.
    7. Click Edit to modify the settings.
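The custom settings profile in step 5 and the Client Certificate Alias in step 7 must agree, and the key name must not collide with KVPs already in the app's managed configuration. The following added example (not from this page, Palo Alto Networks, or Workspace ONE) builds the characteristic/parm XML from the page's sample and checks those two conditions; the package id, key name, characteristic UUID and the set of existing KVP keys are constructed values.

```python
# Added example: build and cross-check the Workspace ONE custom-settings XML
# that delegates certificate selection to the GlobalProtect app for Android.
import re
import xml.etree.ElementTree as ET

CERT_ALIAS_TYPE = "certificate-alias"
APP_TYPE_PREFIX = "com.airwatch.android.androidwork.app:"
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def build_custom_settings(package_id, key_name, profile_uuid,
                          characteristic_uuid, existing_keys=()):
    """Return the <characteristic> XML for the custom settings profile.

    Refuses a key name that is already used as a KVP in the app's managed
    configuration (the conflict the page warns about) and a credential
    profile value that is not a UUID.  characteristic_uuid is the id of the
    characteristic element itself (assumption: supplied by the caller).
    """
    if not UUID_RE.match(profile_uuid.lower()):
        raise ValueError(f"credential profile value is not a UUID: {profile_uuid}")
    if key_name in set(existing_keys):
        raise ValueError(f"key {key_name!r} already exists in managed configuration")
    characteristic = ET.Element("characteristic", {
        "uuid": characteristic_uuid,
        "type": APP_TYPE_PREFIX + package_id,
    })
    ET.SubElement(characteristic, "parm", {
        "name": key_name, "value": profile_uuid, "type": CERT_ALIAS_TYPE,
    })
    return ET.tostring(characteristic, encoding="unicode")


def alias_matches(custom_settings_xml, client_certificate_alias):
    """True if exactly one certificate-alias parm exists and its value equals
    the Client Certificate Alias entered in the app configuration (step 7)."""
    root = ET.fromstring(custom_settings_xml)
    parms = [p for p in root.iter("parm") if p.get("type") == CERT_ALIAS_TYPE]
    if len(parms) != 1:
        return False
    return parms[0].get("value", "").lower() == client_certificate_alias.lower()
```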