Delegate GlobalProtect Certificates for Android Endpoints Using Workspace ONE

When more than one client certificate is available for GlobalProtect client authentication on an Android endpoint, the Choose Certificate pop-up prompt appears and asks the GlobalProtect app user to manually select a specific client certificate.
On Android 8 or a later release, you can delegate certificate selection to GlobalProtect app 5.2.5 or a later release. You can use Workspace ONE to grant the GlobalProtect app permission for certificate delegation as part of the VPN profile that is pushed from the mobile device management (MDM) server. The GlobalProtect app then selects a client certificate based on the client certificate alias without first prompting the user to manually select a certificate on the Android endpoint, so the Choose Certificate pop-up prompt does not appear. If you delegate certificate selection from the MDM server using any other method, the GlobalProtect app cannot use the certificates.
  1. Download the GlobalProtect app for Android.
  2. From the Workspace ONE console, modify an existing Android profile or add a new one.
     1. Select Resources > Profiles & Baselines > Profiles, and then ADD a new profile.
     2. Select Android from the platform list.
  3. Configure any of the General settings that are appropriate for your company.
     Setting: Description
     Name: Enter the name of the profile.
     Description: Enter a brief description of the profile that indicates its purpose.
     OEM Settings: Specify whether to enable or disable the OEM Settings.
     Profile Scope: Select Production, Staging, or Both.
     Assignment Type: Determine how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to let the end user install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
     Allow Removal: Determine whether the end user can remove the profile. Select Always to let the end user manually remove the profile at any time, Never to prevent the end user from removing the profile, or With Authorization to let the end user remove the profile with the authorization of the administrator. Choosing With Authorization adds a required Password to enter.
     Managed By: Enter the Organization Group with administrative access to the profile.
     Smart Groups: Add the Smart Groups to which you want the profile added. This field includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups, and more.
     Exclusions: Indicate whether you want to include any exclusions. If you select Yes, the Excluded Groups field displays, enabling you to select the Smart Groups that you wish to exclude from the assignment of this profile.
  4. For your GlobalProtect deployment, configure the Credentials settings to upload a client certificate manually and to create a credentials profile:
     1. Select Resources > Profiles & Baselines > Profiles > Add Profile.
     2. Select the Platform (Android).
     3. Select Credentials, and then Configure.
     4. Set the Credential Source to Upload.
     5. Enter a Credential Name.
     6. Click UPLOAD to locate and select the certificate that you want to upload.
     7. After you select a certificate, click SAVE.
     8. Click SAVE AND PUBLISH to save your changes.
     9. Click PUBLISH to push the profile to the Assigned Smart Groups that will have access to this app.
  5. Verify the credentials profile and its universally unique identifier (UUID) attribute.
     1. Select Resources > Profiles & Baselines > Profiles.
     2. Select the radio button next to the credentials profile you added in the previous step, and then select </>XML at the top of the table.
        You can modify the arbitrary_key_name and UUID_from_profile elements to avoid conflicts with the parameter and key names of existing key value pairs (KVPs) that you applied to a managed configuration file of the GlobalProtect app, as shown in the following sample configuration (the uuid and package id shown are placeholders):
        <characteristic uuid="0105beb7-eced-4ac0-9b0f-94fe8cf71864" type="com.airwatch.android.androidwork.app:your_package_id">
          <parm name="arbitrary_key_name" value="UUID_from_profile" type="certificate-alias" />
        </characteristic>
  6. Create a custom settings profile to suppress certificate selection notifications in the GlobalProtect app on Android endpoints.
     1. Select Resources > Profiles & Baselines > Profiles > Add Profile.
     2. Select the Platform (Android).
     3. Select Custom Settings > Configure, and then copy and paste the edited configuration.
     4. Click SAVE AND PUBLISH to save your changes.
  7. Configure the VPN profile settings to modify the settings for an existing managed app.
     After configuring the settings for the app, you can publish the app to a group of users, and Workspace ONE can intercept the certificate selection request to provide the correct certificate to GlobalProtect.
     1. Select Apps > Native > Public.
     2. To modify the settings for an existing app, locate the app in the list of Public apps (List View) and then select the edit icon in the actions menu next to the row.
     3. Select the existing app from the list of Public apps (List View).
     4. Select Assignment, and then an existing assignment.
        The Distribution window displays the Assigned Smart Groups that have access to the GlobalProtect app.
     5. Select Application Configuration. For details about the other application configuration settings that are relevant for your company, see Deploy the GlobalProtect Mobile App Using Workspace ONE.
     6. In the Client Certificate Alias field, specify the same UUID value that you used for the credentials profile. The Client Certificate Alias is the unique UUID value used to identify the client certificate during portal or gateway authentication.
     7. Click Edit to modify the settings.
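Steps 5 through 7 hinge on three things agreeing: the custom settings XML must be well-formed (the copied fragment is easily damaged by curly quotes), its parm must be of type certificate-alias with a key that does not collide with existing managed-configuration KVPs, and its value must equal the UUID entered in the Client Certificate Alias field. The following check is an added example, not part of Workspace ONE or the GlobalProtect documentation; the sample XML, UUID, key name and package id are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the page's fragment; the UUID, key name and
# package id are placeholders, not values from a real Workspace ONE tenant.
SAMPLE_XML = (
    '<characteristic uuid="0105beb7-eced-4ac0-9b0f-94fe8cf71864" '
    'type="com.airwatch.android.androidwork.app:your_package_id">'
    '<parm name="gp_client_cert" value="0105beb7-eced-4ac0-9b0f-94fe8cf71864" '
    'type="certificate-alias" />'
    '</characteristic>'
)
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
TYPE_PREFIX = "com.airwatch.android.androidwork.app:"


def check_delegation_profile(xml_text, client_certificate_alias, existing_kvp_keys=()):
    """Return a list of findings; an empty list means the custom settings fragment
    is well-formed and agrees with the Client Certificate Alias in the app config."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Curly quotes or a missing space before uuid= are the usual copy/paste damage.
        return [f"fragment does not parse as XML: {exc}"]
    if root.tag != "characteristic":
        findings.append(f"root element is <{root.tag}>, expected <characteristic>")
    if not UUID_RE.match(root.get("uuid", "")):
        findings.append("characteristic uuid is not a UUID")
    if not root.get("type", "").startswith(TYPE_PREFIX):
        findings.append(f"characteristic type must start with {TYPE_PREFIX}")
    parms = root.findall("parm")
    if len(parms) != 1:
        findings.append(f"expected exactly one <parm>, found {len(parms)}")
        return findings
    parm = parms[0]
    if parm.get("type") != "certificate-alias":
        findings.append("parm type must be certificate-alias")
    if parm.get("name") in existing_kvp_keys:
        findings.append(f"key {parm.get('name')!r} collides with an existing managed-configuration KVP")
    value = parm.get("value", "")
    if not UUID_RE.match(value):
        findings.append("parm value is not a UUID")
    elif value.lower() != client_certificate_alias.lower():
        findings.append("parm value does not match the Client Certificate Alias in the app configuration")
    return findings
```

Run it against the fragment you pasted into the custom settings profile and the alias you typed in step 7.6 before publishing; an empty list is the condition under which the Choose Certificate prompt should stay suppressed.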
