Configure a Per-App VPN Configuration for Android Devices Using AirWatch

Download the GlobalProtect app for Android.
Deploy the GlobalProtect Mobile App Using AirWatch.
Download the GlobalProtect app directly from Google Play.
From the AirWatch console, modify or add a new Android profile.
Navigate to
Devices
Profiles
List View
.
Select an existing profile to which to add the VPN configuration or add a new one (select
Add
Add Profile
).
Select
Android
as the platform and
Device
as the configuration type.
Configure
General
profile settings:
Name
—Provide a meaningful name for this configuration.
Version
—This field is auto-populated with the latest version number of the configuration profile.
Description
—A brief description of the profile that indicates its purpose.
Profile Scope—Scope for this profile, either
Production,
Staging
, or
Both
.
Assignment Type
—Determines how the profile is deployed to devices:
Auto
—The profile is deployed to all devices automatically.
Optional
—You can deploy the profile to specific devices, or you can allow the user to install the profile from the Self-Service Portal (SSP).
Compliance
—The profile is deployed when the end user violates a compliance policy applicable to the device.
Allow Removal
—Determines whether or not the end user can remove the profile from the device:
Always
—The end user can manually remove the profile at any time.
With Authorization
—The end user can remove the profile with the authorization of the administrator. Choosing this option adds a required
Password
field.
Never
—The end user cannot remove the profile from the device.
Managed By
—The Organization Group with administrative access to the profile.
Assigned Smart Group
—The Smart Group to which you want the device profile added. Includes an option to create a new Smart Group which you can configure with specs for organization groups, user groups, ownership categories, tags, minimum OS, device models, and more.
Exclusions
—Selecting
Yes
displays a new field
Excluded Smart Groups
that enables you to select those Smart Groups you wish to exclude from the assignment of this device profile.
Select
Save and Publish
to push this profile to the assigned Smart Groups.
Configure the per-app VPN settings in the Android profile.
Select
VPN
and then click
Configure
.
Configure
Connection Info
including:
Connection Type
—Select
GlobalProtect
as the network connection method.
Connection Name
—Enter the name of the connection name that the device will display.
Server
—Enter the hostname or IP address of the GlobalProtect portal to which to connect.
Enable
Per App VPN
to route all of the traffic for a managed app traffic through the GlobalProtect VPN.
Select the authentication method to use to authenticate users. For per-app VPN, you must use certificate-based authentication. Select
User Authentication: Certificate
, and then follow the prompts to upload an
Identity Certificate
to use for authentication.
Click
Save & Publish
.
Configure per-app VPN settings for a new managed app, or modify the settings for an existing managed apps.
On the main page, select
Apps & Books
Applications
List View
Public
.
To add a new app, select
Add Application
. Or, to modify the settings of an existing app, locate the app in the list of Public apps and then select the edit icon in the actions menu next to the row.
Select the organization group by which this app will be managed.
Select
Android
as the
Platform
.
Select your preferred method for locating the app, either by specifying a URL or importing the app from Google Play. To search by URL, you must also enter the Google Play Store URL for the app (for example, to search for the Box app by URL, enter https://play.google.com/store/apps/details?id=com.box.android).
Click
Next
. If you chose to
Import from Play
during the previous step, you must select the app from the list of approved company apps, and then click
Import
. If you do not see the app in the list, contact your Android for Work administrator to approve the app.
On the
Assignment
tab, select
Assigned Smart Groups
that will have access to this app.
On the
Deployment
tab, select the
Push Mode
, either
Auto
or
On Demand
.
Select
Use VPN
and then select the Android profile that you created in 3.
Only profiles that have per-app VPN enabled are available from the drop-down.
Save and Publish
this profile to the assigned Smart Groups.