Configure the GlobalProtect App for Windows 10 UWP Using
Using the GlobalProtect app for Windows 10 UWP as the secure connection between the endpoint and the firewall allows consistent inspection of traffic and enforcement of network security policy for threat prevention.
The GlobalProtect app for Windows 10 UWP supports the following configurations using AirWatch:
- Per-App VPN—Specifies which managed apps on the endpoint can send traffic through the secure tunnel. Unmanaged apps will continue to connect directly to the Internet instead of through the secure connection.
- Device-Level VPN—Sends all traffic that matches specific filters (such as port and IP address) through the VPN irrespective of app. Device-level VPN configurations also support the ability to force the secure connection to be Always On. For even tighter security requirements, you can enable the VPN Lockdown option, which both forces the secure connection to always be on and connected and disables network access when the app is not connected. This configuration is similar to the Enforce GlobalProtect for Network Access option that you would typically configure in a GlobalProtect portal configuration.
Because AirWatch does not yet list GlobalProtect as an official connection provider for Windows endpoints, you must select an alternate VPN provider, edit the settings for the GlobalProtect app, and import the configuration back into the VPN profile as described in the following workflow.
- Download the GlobalProtect app for Windows 10 UWP:
- From the AirWatch console, add a new Windows 10 UWP profile:
- Navigate to Devices > Profiles > List View.
- Select Add > Add Profile.
- Select Windows as the platform and Windows Phone as the configuration type.
- Configure General profile settings such as a meaningful Name for this configuration and a brief Description of the profile that indicates its purpose.
- Save and Publish this profile to the assigned Smart Groups.
- To configure the VPN connection settings, select VPN and then click Configure.
- Select Configure Connection Info, including:
- Connection Name—Enter the name of the connection that the endpoint will display.
- Connection Type—Select an alternate provider (do not select IKEv2, L2TP, PPTP, or Automatic as these do not have the associated vendor settings required for the GlobalProtect VPN profile). You must select the alternate vendor because AirWatch does not yet list GlobalProtect as an official connection provider for Windows endpoints.
- Server—Enter the hostname or IP address of the GlobalProtect portal to which to connect.
- Configure the authentication settings for the VPN connection:
- Select the Authentication Type to choose the method to authenticate end users.
- To permit GlobalProtect to save user credentials, enable Remember Credentials in the Policies area.
- Configure VPN traffic rules to apply device wide or on a per-app basis:
- Add New Per-App VPN Rule—Specify rules for specific legacy apps (typically .exe files) or modern apps (typically downloaded from the Microsoft Store) that determine whether to automatically establish the VPN connection when the app is launched and whether to send app traffic through the VPN. You can also configure specific traffic filters to route only app traffic through the VPN if it matches criteria such as IP address and port.
- Add New Device-Wide VPN Rule—Specify routing filters to send traffic matching a specific route through the VPN. These rules are not bound by application and are evaluated across the endpoint. If the traffic matches the match criteria, it is routed through the VPN.
- (Device-level VPN only) If desired, configure your preference of Always-On connection:
- To maintain the VPN connection always, enable either of the following options:
- Always On—Force the secure connection to be always on.
- VPN Lockdown—Force the secure connection to be always on and connected, and disable the network access when the app is not connected. The VPN Lockdown option in AirWatch is similar to the Enforce GlobalProtect for Network Access option that you would configure in a GlobalProtect portal configuration.
- Specify Trusted Network addresses if you want GlobalProtect to connect only when it detects a trusted network connection.
- Save & Publish your changes.
- To adapt the configuration for GlobalProtect, edit the VPN profile in XML. To minimize additional edits in the raw XML, review the settings in your VPN profile before you export the configuration. If you need to change a setting after you export the VPN profile, you can make the changes in the raw XML, or you can update the setting in the VPN profile and perform this step again.
- In Devices > Profiles > List View, select the radio button next to the new profile you added in the previous steps, and then select </> XML at the top of the table. AirWatch opens the XML view of the profile.
- Export the profile and then open it in a text editor of your choice.
- Edit the following settings for GlobalProtect:
- In the LocURI element that specifies the PluginPackageFamilyName, change the element to:
  <LocURI>./Vendor/MSFT/VPNv2/PaloAltoNetworks/PluginProfile/PluginPackageFamilyName</LocURI>
  In the Data element that follows, change the value to:
  <Data>PaloAltoNetworks.GlobalProtect_rn9aeerfb38dg</Data>
- Save your changes to the exported profile.
- Return to AirWatch and the Devices > Profiles > List View.
- Create (select Add > Add Profile > Windows > Windows Phone) and name a new profile.
- Select Custom Settings > Configure, and then copy and paste the edited configuration.
- Save & Publish your changes.
- Clean up the original profile: Select the original profile from the Devices > Profiles > List View, select More Actions > Deactivate. AirWatch moves the profile to the Inactive list.
- Test the configuration.
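
The XML edit described in the steps above (setting the PluginPackageFamilyName LocURI and the Data value that follows it) can be scripted so that it is applied identically each time and fails loudly if the exported profile does not contain the expected element. The Python below is an added example, not code from the original page or from Palo Alto Networks or AirWatch; the export layout (un-namespaced Replace/Item/Target/LocURI elements), the sample profile and the function name adapt_profile are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Values taken from the page.
GP_LOCURI = "./Vendor/MSFT/VPNv2/PaloAltoNetworks/PluginProfile/PluginPackageFamilyName"
GP_FAMILY = "PaloAltoNetworks.GlobalProtect_rn9aeerfb38dg"
SUFFIX = "/PluginProfile/PluginPackageFamilyName"

# Constructed sample export (assumed layout; vendor value is a placeholder).
SAMPLE = """<Replace>
  <CmdID>1</CmdID>
  <Item>
    <Target><LocURI>./Vendor/MSFT/VPNv2/Corp/PluginProfile/ServerUrlList</LocURI></Target>
    <Data>portal.example.com</Data>
  </Item>
</Replace>
<Replace>
  <CmdID>2</CmdID>
  <Item>
    <Target><LocURI>./Vendor/MSFT/VPNv2/Corp/PluginProfile/PluginPackageFamilyName</LocURI></Target>
    <Data>ExampleVendor.ExampleVpn_0000000000000</Data>
  </Item>
</Replace>"""

def adapt_profile(exported_xml: str) -> str:
    """Return the profile with the plugin package family name set for GlobalProtect."""
    # Drop an XML declaration, then wrap in a temporary root because the
    # export may hold several sibling commands rather than one root element.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", exported_xml)
    root = ET.fromstring(f"<wrapper>{body}</wrapper>")
    hits = 0
    for item in root.iter("Item"):
        loc = item.find("Target/LocURI")
        if loc is None or not (loc.text or "").strip().endswith(SUFFIX):
            continue  # every other setting is left untouched
        data = item.find("Data")
        if data is None:
            raise ValueError("PluginPackageFamilyName item has no Data element")
        loc.text, data.text = GP_LOCURI, GP_FAMILY
        hits += 1
    if hits != 1:  # refuse to emit a profile that was not edited exactly once
        raise ValueError(f"expected one PluginPackageFamilyName item, found {hits}")
    return "".join(ET.tostring(child, encoding="unicode") for child in root)

if __name__ == "__main__":
    print(adapt_profile(SAMPLE))
```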