Configure a Per-App VPN Configuration for Android Devices Using AirWatch

You can easily enable access to internal resources from your managed mobile endpoints by configuring GlobalProtect VPN access using AirWatch. In a per-app VPN configuration, you can specify which managed apps on the endpoint can send traffic through the GlobalProtect VPN tunnel. Unmanaged apps will continue to connect directly to the Internet instead of through the GlobalProtect VPN tunnel.
  1. Download the GlobalProtect app for Android:
  2. From the AirWatch console, modify or add a new Android profile.
    1. Navigate to DevicesProfilesList View.
    2. Select an existing profile to which to add the VPN configuration or add a new one (select AddAdd Profile).
    3. Select Android as the platform and Device as the configuration type.
  3. Configure General profile settings:
    • Name—Provide a meaningful name for this configuration.
    • Version—This field is auto-populated with the latest version number of the configuration profile.
    • Description—A brief description of the profile that indicates its purpose.
    • Profile Scope—Scope for this profile, either Production,Staging, or Both.
    • Assignment Type—Determines how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
    • Managed By—The Organization Group with administrative access to the profile.
    • Assigned Smart Group—The Smart Group to which you want the device profile added. Includes an option to create a new Smart Group which can be configured with specs for minimum OS, device models, ownership categories, organization groups and more.
    • Allow Removal—Determines whether or not the profile can be removed by the endpoint's end user. Select Always to enable the end user to manually remove the profile at any time, Never to prevent the end user from removing the profile from the endpoint, or With Authorization to enable the end user to remove the profile with the authorization of the administrator. Choosing With Authorization adds a required Password.
    • Exclusions—When you select Yes, the AirWatch console displays an Excluded Smart Groups field which you can use to select those Smart Groups you wish to exclude from the assignment of this device profile.
  4. Save and Publish this profile to the assigned Smart Groups.
  5. To configure the VPN settings:
    1. Select VPN and then click Configure.
    2. Configure Connection Info, including:
    • Connection Type—Select GlobalProtect as the network connection method.
    • Connection Name—Enter the name of the connection name that the endpoint will display.
    • Server—Enter the hostname or IP address of the GlobalProtect portal to which to connect.
    • Enable Per App VPN to route all of the traffic for a managed app traffic through the GlobalProtect VPN.
    1. Select the authentication method to use to authenticate users. For per-app VPN, you must use certificate-based authentication. Select User Authentication: Certificate, and then follow the prompts to upload an Identity Certificate to use for authentication.
    2. Save & Publish this profile to the assigned Smart Groups.
  6. Configure per-app VPN settings for a new managed app, or modify the settings for an existing managed apps:
    1. On the main page, select Apps & BooksApplicationsList ViewPublic.
    2. To add a new app, select Add Application. Or, to modify the settings of an existing app, locate the app in the list of Public apps and then select the edit icon airwatch-edit-icon.png in the actions menu next to the row.
    3. Select the organization group by which this app will be managed.
    4. Select Android as the Platform.
    5. Select your preferred method for locating the app, either by specifying a URL or importing the app from the app store (Google Play). To search by URL, you must also enter the Google Play Store URL for the app (for example, to search for the Box app by URL, enter
    6. Click Next. If you chose to import the app from Google Play in the previous step, you must Select the app from the list of approved company apps. If you do not see the app in the list, contact your Android for Work administrator to approve the app.
    7. On the Assignment tab, select Assigned Smart Groups that will have access to this app.
    8. On the Deployment tab, select the Push Mode, either Auto or On Demand.
    9. Select Use VPN and then select the Android profile that you created earlier in this workflow.
    Only profiles that have per-app VPN enabled are available from the drop-down.
    1. Save & Publish the configuration to the assigned Smart Groups.
  7. Configure Authentication information:
    1. Choose the method to authenticate end users: Password or Certificate.
    2. Enter the Username of the VPN account or click add ( “+” ) to view supported lookup values that you can insert.
    3. Enter a Password or upload an Identity Certificate that GlobalProtect will use to authenticate users.
  8. Save & Publish this profile to the assigned Smart Groups.

Related Documentation