End-of-Life (EoL)

Configure the GlobalProtect App for Windows 10 UWP Using AirWatch

Using the GlobalProtect app for Windows 10 UWP as the secure connection between the endpoint and the firewall allows consistent inspection of traffic and enforcement of network security policy for threat prevention.
The GlobalProtect app for Windows 10 UWP supports the following configurations using AirWatch:
  • Per-App VPN—Specifies which managed apps on the endpoint can send traffic through the secure tunnel. Unmanaged apps will continue to connect directly to the Internet instead of through the secure connection.
  • Device-Level VPN—Sends all traffic that matches specific filters (such as port and IP address) through the VPN irrespective of app. Device-level VPN configurations also support the ability to force the secure connection to be Always On. For even tighter security requirements, you can enable the VPN Lockdown option, which both forces the secure connection to always be on and connected and disables network access when the app is not connected. This configuration is similar to the Enforce GlobalProtect for Network Access option that you would typically configure in a GlobalProtect portal configuration.
Because AirWatch does not yet list GlobalProtect as an official connection provider for Windows endpoints, you must select an alternate VPN provider, edit the settings for the GlobalProtect app, and import the configuration back into the VPN profile as described in the following workflow.
  1. Download the GlobalProtect app for Windows 10 UWP:
  2. From the AirWatch console, add a new Windows 10 UWP profile:
    1. Navigate to Devices > Profiles > List View.
    2. Select Add > Add Profile.
    3. Select Windows as the platform and Windows Phone as the configuration type.
    4. Configure General profile settings such as a meaningful Name for this configuration and a brief Description of the profile that indicates its purpose.
    5. Save and Publish this profile to the assigned Smart Groups.
  3. To configure the VPN connection settings, select VPN and then click Configure.
  4. Configure Connection Info, including:
    • Connection Name—Enter the connection name that the endpoint will display.
    • Connection Type—Select an alternate provider (do not select IKEv2, L2TP, PPTP, or Automatic as these do not have the associated vendor settings required for the GlobalProtect VPN profile). You must select the alternate vendor because AirWatch does not yet list GlobalProtect as an official connection provider for Windows endpoints.
    • Server—Enter the hostname or IP address of the GlobalProtect portal to which to connect.
  5. Configure the authentication settings for the VPN connection:
    1. Select the Authentication Type to choose the method to authenticate end users.
    2. To permit GlobalProtect to save user credentials, enable Remember Credentials in the Policies area.
  6. Configure VPN traffic rules to apply device wide or on a per-app basis:
    • Add New Per-App VPN Rule—Specify rules for specific legacy apps (typically .exe files) or modern apps (typically downloaded from the Microsoft Store) that determine whether to automatically establish the VPN connection when the app is launched and whether to send app traffic through the VPN. You can also configure specific traffic filters to route app traffic through the VPN only if it matches criteria such as IP address and port.
    • Add New Device-Wide VPN Rule—Specify routing filters to send traffic matching a specific route through the VPN. These rules are not bound by application and are evaluated across the endpoint. If the traffic matches the match criteria, it is routed through the VPN.
  7. (Device-level VPN only) If desired, configure your preference of Always-On connection:
    1. To maintain the VPN connection always, enable either of the following options:
      • Always On—Force the secure connection to be always on.
      • VPN Lockdown—Force the secure connection to be always on and connected, and disable the network access when the app is not connected. The VPN Lockdown option in AirWatch is similar to the Enforce GlobalProtect for Network Access option that you would configure in a GlobalProtect portal configuration.
    2. Specify Trusted Network addresses if you want GlobalProtect to connect only when it detects a trusted network connection.
    3. Save & Publish your changes.
  8. To adapt the configuration for GlobalProtect, edit the VPN profile in XML.
    To minimize additional edits in the raw XML, review the settings in your VPN profile before you export the configuration. If you need to change a setting after you export the VPN profile, you can make the changes in the raw XML or you can update the setting in the VPN profile and perform this step again.
    1. In the Devices > Profiles > List View, select the radio button next to the new profile you added in the previous steps, and then select </>XML at the top of the table. AirWatch opens the XML view of the profile.
    2. Export the profile and then open it in a text editor of your choice.
    3. Edit the following settings for GlobalProtect:
      • In the LocURI element that specifies the PluginPackageFamilyName, change the element to:
        <LocURI>./Vendor/MSFT/VPNv2/PaloAltoNetworks/PluginProfile/PluginPackageFamilyName</LocURI>
      • In the Data element that follows, change the value to:
        <Data>PaloAltoNetworks.GlobalProtect_rn9aeerfb38dg</Data>
    4. Save your changes to the exported profile.
    5. Return to AirWatch and the Devices > Profiles > List View.
    6. Create (select Add > Add Profile > Windows > Windows Phone) and name a new profile.
    7. Select Custom Settings > Configure, and then copy and paste the edited configuration.
    8. Save & Publish your changes.
  9. Clean up the original profile: Select the original profile from the Devices > Profiles > List View, select More Actions > Deactivate. AirWatch moves the profile to the Inactive list.
  10. Test the configuration.
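
The two XML edits in step 8 can be applied and checked with a script before the profile is pasted into Custom Settings. This is an added example, not Palo Alto Networks or AirWatch code; the layout of the sample export (a single wrapper element with Item/Target/LocURI and Data), the alternate vendor name and its package family name are constructed assumptions, while the two GlobalProtect values are the ones given in step 8.

```python
import xml.etree.ElementTree as ET

# Values from step 8 of the page.
GP_LOCURI = "./Vendor/MSFT/VPNv2/PaloAltoNetworks/PluginProfile/PluginPackageFamilyName"
GP_PFN = "PaloAltoNetworks.GlobalProtect_rn9aeerfb38dg"
SUFFIX = "/PluginPackageFamilyName"

# Constructed sample export: the wrapper element, alternate vendor name and
# package family name are assumptions, not a real AirWatch export.
SAMPLE_EXPORT = """<Profile>
  <Replace><CmdID>1</CmdID><Item>
    <Target><LocURI>./Vendor/MSFT/VPNv2/ExampleVendor/PluginProfile/ServerUrlList</LocURI></Target>
    <Data>portal.example.com</Data>
  </Item></Replace>
  <Replace><CmdID>2</CmdID><Item>
    <Target><LocURI>./Vendor/MSFT/VPNv2/ExampleVendor/PluginProfile/PluginPackageFamilyName</LocURI></Target>
    <Data>ExampleVendor.VpnPlugin_0000000000000</Data>
  </Item></Replace>
</Profile>"""


def plugin_items(root):
    """Yield (LocURI element, Data element) for each PluginPackageFamilyName item."""
    for item in root.iter("Item"):
        loc, data = item.find("Target/LocURI"), item.find("Data")
        if loc is not None and data is not None and (loc.text or "").strip().endswith(SUFFIX):
            yield loc, data


def adapt_for_globalprotect(xml_text):
    """Apply the two step-8 edits; refuse if the export does not have exactly one target."""
    root = ET.fromstring(xml_text)
    targets = list(plugin_items(root))
    if len(targets) != 1:
        raise ValueError(f"expected 1 PluginPackageFamilyName item, found {len(targets)}")
    loc, data = targets[0]
    loc.text, data.text = GP_LOCURI, GP_PFN
    return ET.tostring(root, encoding="unicode")


def check_profile(xml_text):
    """List what still differs from the values the page specifies (empty list = ready to paste)."""
    targets = list(plugin_items(ET.fromstring(xml_text)))
    problems = [] if len(targets) == 1 else [f"{len(targets)} PluginPackageFamilyName items, want 1"]
    for loc, data in targets:
        if loc.text.strip() != GP_LOCURI:
            problems.append(f"LocURI not changed: {loc.text.strip()}")
        if (data.text or "").strip() != GP_PFN:
            problems.append(f"Data not changed: {(data.text or '').strip()}")
    return problems
```

Running check_profile on a hand-edited export catches a misspelled package family name or a LocURI left pointing at the alternate vendor before the profile is published to devices.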
