Always On Security for Chromebooks

Chromebooks now support Always On VPN through extended support for the GlobalProtect app for Android.
Software Support: Starting with GlobalProtect™ App 5.0
OS Support: Google Chrome OS 45 and later releases
Chromebooks now support Always On VPN through extended support for the GlobalProtect app for Android. With this feature, you can enable your end users to run the GlobalProtect app for Android on their Chromebooks to ensure that they are always connected to GlobalProtect and have access to always on security regardless of where they are located. End users can install the app manually from the Google Play Store or you can push the app to managed Chromebooks using a mobile device management (MDM) system.
The GlobalProtect app for Android is supported only on certain Chromebooks.
Chromebooks that do not support Android applications must continue to use the GlobalProtect app for Chrome. However, these Chromebooks will not support Always On VPN.
If the GlobalProtect app for Android is installed on a Chromebook for Always On VPN capability, the GlobalProtect app for Chrome should not be installed on the same Chromebook.
When you configure GlobalProtect with an Always On VPN configuration, the GlobalProtect app automatically connects each time a user unlocks his or her endpoint. This enables you to monitor all user traffic continuously (including SaaS and internet traffic) and achieve consistent policy enforcement to prevent security threats. For example, an increasing number of schools are now supplying students with Chromebooks for online exams, homework assignments, and classroom communication. However, they must ensure that their students do not access harmful or inappropriate content from these Chromebooks. Though schools can enforce security policies and monitor user traffic while students are on campus (using URL filtering and threat prevention policies), they must also be able to provide the same level of security when their students are off campus. With this feature, they can deploy the GlobalProtect app for Android on these Chromebooks to ensure that their students are always connected to GlobalProtect for secure network access.
The following GlobalProtect features are supported when you use the GlobalProtect app for Android on Chromebooks. A - indicates that the feature is not supported.
Feature
Feature Support
Authentication
App login enhancements
5.0
Multi-factor authentication policy
SAML authentication
5.0
Expired Active Directory password change for remote users
5.0
Active Directory password change using the GlobalProtect Credential Provider
Single Sign-On (SSO)
SSO (Credential Provider)
Kerberos SSO
VPN Connections
IPSec
5.0
SSL
5.0
Clientless VPN
— (no client required)
Connect Methods
User-logon (always on)
5.0
Pre-logon (always-on)
Pre-logon (then on-demand)
On-demand
5.0
Connection Priority
External gateway priority by source region
5.0
Internal gateway selection by source IP address
Modes
Internal mode
5.0
External mode
5.0
Networking
IPv4 addressing
5.0
IPv6 addressing
Split tunnel based on access route
Split tunnel based on destination domain, client process, and video streaming application
Customization
GlobalProtect Credential Provider pre-logon connection status
Multiple portal support
Resilient VPN
5.0
Pre-logon tunnel rename timeout
Restrict transparent app upgrades to internal network connections
Enforce GlobalProtect for network access
Deployment of SSL Forward Proxy CA certificates in the trust store
HIP reports
5.0
Run scripts before and after sessions
Allow users to disable GlobalProtect
Welcome and help pages
5.0
Other
Automatic VPN Reconnect for Chromebooks
5.0
Refer to the following sections for more information on installing and managing the GlobalProtect app for Android on Chromebooks:

Related Documentation