Configure the GlobalProtect App for Android

You can deploy and configure the GlobalProtect app on Android For Work devices from any third-party mobile device management (MDM) system supporting Android For Work App data restrictions.
On Android devices, traffic is routed through the VPN tunnel according to the access routes configured on the GlobalProtect gateway. From your third-party MDM that manages Android for Work devices, you can further refine the traffic that is routed through the VPN tunnel.
In an environment where the device is corporately owned, the device owner manages the entire device including all the apps installed on that device. By default, all installed apps can send traffic through the VPN tunnel according to the access routes defined on the gateway.
In a bring-your-own-device (BYOD) environment, the device is not corporately owned and uses a Work Profile to separate business and personal apps. By default, only managed apps in the Work Profile can send traffic through the VPN tunnel according to the access routes defined on the gateway. Apps installed on the personal side of the device cannot send traffic through the VPN tunnel set by the managed GlobalProtect app installed in the Work Profile.
To route traffic from an even smaller set of apps, you can enable Per-App VPN so that GlobalProtect only routes traffic from specific managed apps. For Per-App VPN, you can whitelist or blacklist specific managed apps to control whether their traffic is routed through the VPN tunnel.
As part of the VPN configuration, you can also specify how the user connects to the VPN. When you configure the VPN connection method as user-logon, the GlobalProtect app will establish a connection automatically. When you configure the VPN connection method as on-demand, users can initiate a connection manually when attempting to connect to the VPN remotely.
The VPN connect method defined in the MDM takes precedence over the connect method defined in the GlobalProtect portal configuration.
Removing the VPN configuration automatically restores the GlobalProtect app to the original configuration settings.
To configure the GlobalProtect app for Android, configure the following Android App Restrictions.
Key                                  Value Type           Example
portal                               String               10.1.8.190
username                             String               john
password                             String               Passwd!234
certificate                          String (in Base64)   DAFDSaweEWQ23wDSAFD….
client_certificate_passphrase        String               PA$$W0RD$123
app_list*                            String               whitelist | blacklist: com.google.calendar; com.android.email; com.android.chrome
connect_method                       String               user-logon | on-demand
remove_vpn_config_via_restriction    Boolean              true | false
*The app_list key specifies the configuration for Per-App VPN. Begin the string with either whitelist or blacklist, and follow it with an array of app names separated by semicolons. The whitelist specifies the apps that will use the VPN tunnel for network communication. The network traffic for any other app that is not in the whitelist or expressly listed in the blacklist will not go through the VPN tunnel.
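A malformed app_list or connect_method string changes which apps use the tunnel, so it is worth linting the restriction values before pushing them from the MDM. The following is an added example, not Palo Alto Networks code: the function names, the package-name pattern and the sample values are assumptions of this example, and only the keys and allowed values come from the table above.

```python
import base64
import re

# Keys and value types taken from the App Restrictions table on this page.
SCHEMA = {
    "portal": str, "username": str, "password": str, "certificate": str,
    "client_certificate_passphrase": str, "app_list": str,
    "connect_method": str, "remove_vpn_config_via_restriction": bool,
}
# Assumed shape of an Android package name: dot-separated identifier segments.
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")
# Constructed sample with a misspelled list mode, which the linter must reject.
SAMPLE = {"connect_method": "user-logon", "app_list": "whiltelist: com.android.chrome"}

def parse_app_list(value):
    """Split 'whitelist: a; b' into (mode, [packages]); raise ValueError if malformed."""
    mode, sep, rest = (part.strip() for part in value.partition(":"))
    if not sep or mode not in ("whitelist", "blacklist"):
        raise ValueError("app_list: must begin with 'whitelist:' or 'blacklist:'")
    apps = [a.strip() for a in rest.split(";") if a.strip()]
    bad = [a for a in apps if not PACKAGE_RE.match(a)]
    if not apps or bad:
        raise ValueError(f"app_list: empty or invalid package names {bad}")
    return mode, apps

def lint_restrictions(cfg):
    """Return a list of problems found in a restrictions dict (empty list means clean)."""
    problems = []
    for key, value in cfg.items():
        if key not in SCHEMA:
            problems.append(f"unknown key: {key}")
        elif not isinstance(value, SCHEMA[key]):
            problems.append(f"{key}: expected {SCHEMA[key].__name__}")
    method = cfg.get("connect_method")
    if isinstance(method, str) and method not in ("user-logon", "on-demand"):
        problems.append("connect_method: must be user-logon or on-demand")
    if isinstance(cfg.get("app_list"), str):
        try:
            parse_app_list(cfg["app_list"])
        except ValueError as exc:
            problems.append(str(exc))
    if isinstance(cfg.get("certificate"), str):
        try:
            base64.b64decode(cfg["certificate"], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("certificate: not valid Base64")
    return problems
```

Running `lint_restrictions(SAMPLE)` reports the misspelled list mode; a clean configuration returns an empty list.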
