Deploy the GlobalProtect Mobile App Using AirWatch

You can deploy the GlobalProtect app to managed endpoints that are enrolled with AirWatch. Endpoints running iOS or Android must download the AirWatch agent to enroll with the AirWatch MDM. Windows 10 endpoints do not require the AirWatch agent but require you to configure enrollment on the endpoint. After you deploy the app, configure and deploy a VPN profile to set up the GlobalProtect app for end users automatically.
If you want to run the GlobalProtect app for Android on managed Chromebooks, you can Deploy the GlobalProtect App for Android on Managed Chromebooks Using AirWatch.
  1. Before you begin, ensure that the endpoints to which you want to deploy the GlobalProtect app are enrolled with AirWatch:
    • Android and iOS—Download the AirWatch agent and follow the prompts to enroll.
    • Windows Phone and Windows 10 UWP—Configure the Windows 10 UWP endpoint to enroll with AirWatch (from the endpoint, select Settings > Accounts > Work access > Connect).
  2. From AirWatch, select Resources > Apps > Native > Public > Add Application.
  3. Select the organization group by which this app will be managed.
  4. Select the Platform (Apple iOS, Android, or Windows Phone).
  5. Search for the GlobalProtect app in the endpoint app store, or enter one of the following URLs for the GlobalProtect app page:
  6. Click Next. If you searched for the app in the endpoint app store, you must also Select the app from a list of search results.
    If you searched for the GlobalProtect app for Android and did not see the app in the list, contact your Android for Work administrator to add GlobalProtect to the list of approved company apps or use the app URL in the Google Play Store.
  7. On the Assignment tab, select the Assigned Smart Groups that will have access to this app.
  8. Choose the App Delivery Method, either Auto, which pushes the app to the device automatically, or On Demand.
  9. (GlobalProtect App for Android only) For Android (Legacy), Enable the Application Configuration to use the UDID to identify the endpoint.
    To use HIP integration with MDM for your GlobalProtect deployment on iOS devices, you can specify the unique device identifier (UDID) attribute. For details, see Configure an Always On VPN Configuration for iOS Endpoints Using AirWatch.
    Add the following Key-Value pair:
    • Configuration Key—mobile_id
    • Value Type—String
    • Configuration Value—{DeviceUid}
    For Android, specify the settings in the application configuration that are relevant for your company.
    • Portal—IP address or fully qualified domain name (FQDN) of the portal.
    • Username—Username for portal authentication.
    • Password—Password for portal authentication.
    • Client Certificate—Client certificate for portal authentication.
    • App List—Begin the string with either the allowlist keyword or blocklist keyword followed by a colon, and follow it with an array of app names separated by semicolons. The block list or allow list enables you to control which application traffic can go through the VPN tunnel in a per-app VPN configuration (for example, allowlist | blocklist: com.google.calendar; com.android.email; com.android.chrome).
    • Connection Method—VPN connection method (for example, user-logon | on-demand).
    • Remove VPN Configuration Flag—Flag to remove the VPN configuration.
    • Mobile ID—Unique identifier used to identify mobile endpoints, as configured in a third-party MDM system.
    • Allow Network Bypass—Flag to allow application traffic to bypass the VPN tunnel.
    • Client Certificate Alias—Unique name to identify the client certificate during portal or gateway authentication.
    • Specify the Managed by MDM Flag to indicate whether the device is enrolled with an MDM server.
    • Device Ownership—Ownership category of the device (for example, Employee Owned).
    • Device Compliance Status—Compliance status that indicates whether the device is compliant with the compliance policies that you have defined.
    • Tag—Tags to enable you to identify devices. Each tag must be separated by a comma.
    • Use Default Browser for SAML—Whether to enable or disable the default system browser for SAML authentication.
  10. Select Save & Publish to push the App Catalog to the endpoints in the Smart Groups you assigned in the Assignment section.
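
The App List and Connection Method values from step 9 control which application traffic uses the VPN tunnel, so it is worth checking their syntax before you Save & Publish. The following is an added example, not part of the original page and not Palo Alto Networks or AirWatch tooling. The function names, the package-name pattern, the closed set of connection methods, and the sample values are assumptions made for illustration.

```python
import re

# Assumption: app names are Android package names (dot-separated identifiers),
# as in the page's example (com.google.calendar; com.android.email).
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")
LIST_KEYWORDS = ("allowlist", "blocklist")
CONNECTION_METHODS = ("user-logon", "on-demand")  # assumption: only the two values the page shows


def parse_app_list(value):
    """Split an App List string into (keyword, [apps]); raise ValueError if malformed."""
    keyword, sep, rest = value.partition(":")
    keyword = keyword.strip()
    if not sep or keyword not in LIST_KEYWORDS:
        raise ValueError("App List must begin with 'allowlist:' or 'blocklist:'")
    apps = [a.strip() for a in rest.split(";")]
    if apps and apps[-1] == "":
        apps.pop()  # tolerate one trailing semicolon
    if not apps:
        raise ValueError("App List names no apps")
    seen = set()
    for app in apps:
        if not PACKAGE_RE.match(app):
            raise ValueError(f"not a package name: {app!r}")
        if app in seen:
            raise ValueError(f"duplicate entry: {app}")
        seen.add(app)
    return keyword, apps


def lint_config(config):
    """Return a list of problems found in a dict of step 9 settings."""
    problems = []
    if "App List" in config:
        try:
            parse_app_list(config["App List"])
        except ValueError as exc:
            problems.append(f"App List: {exc}")
    method = config.get("Connection Method")
    if method is not None and method not in CONNECTION_METHODS:
        problems.append(f"Connection Method: unexpected value {method!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    sample = {"App List": "allowlist: com.google.calendar; com.android.email",
              "Connection Method": "user-logon"}
    print(lint_config(sample) or "no problems found")
```

A comma used in place of a semicolon, a misspelled keyword, or a bare app name such as `chrome` is reported instead of being pushed to the Smart Group.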
