Configure the GlobalProtect App for Windows 10 UWP Using AirWatch

Using the GlobalProtect app for Windows 10 UWP as the secure connection between the endpoint and the firewall allows consistent inspection of traffic and enforcement of network security policy for threat prevention.
The GlobalProtect app for Windows 10 UWP supports the following configurations using AirWatch:
  • Per-App VPN—Specifies which managed apps on the endpoint can send traffic through the secure tunnel. Unmanaged apps will continue to connect directly to the Internet instead of through the secure connection.
  • Device-Level VPN—Sends all traffic that matches specific filters (such as port and IP address) through the VPN irrespective of app. Device-level VPN configurations also support the ability to force the secure connection to be Always On. For even tighter security requirements, you can enable the VPN Lockdown option which both forces the secure connection to always be on and connected and disables network access when the app is not connected. This configuration is similar to the Enforce GlobalProtect for Network Access option that you would typically configure in a GlobalProtect portal configuration.
Because AirWatch does not yet list GlobalProtect as an official connection provider for Windows endpoints, you must select an alternate VPN provider, edit the settings for the GlobalProtect app, and import the configuration back into the VPN profile as described in the following workflow.
  1. Download the GlobalProtect app for Windows 10 UWP:
  2. From the AirWatch console, add a new Windows 10 UWP profile:
    1. Navigate to Devices > Profiles > List View.
    2. Select Add > Add Profile.
    3. Select Windows as the platform and Windows Phone as the configuration type.
    4. Configure General profile settings such as a meaningful Name for this configuration and a brief Description of the profile that indicates its purpose.
    5. Save and Publish this profile to the assigned Smart Groups.
  3. To configure the VPN connection settings, select VPN and then click Configure.
  4. Select Configure Connection Info, including:
    • Connection Name—Enter the connection name that the endpoint will display.
    • Connection Type—Select an alternate provider (do not select IKEv2, L2TP, PPTP, or Automatic as these do not have the associated vendor settings required for the GlobalProtect VPN profile).
      You must select the alternate vendor because AirWatch does not yet list GlobalProtect as an official connection provider for Windows endpoints.
    • Server—Enter the hostname or IP address of the GlobalProtect portal to which to connect.
  5. Configure the authentication settings for the VPN connection:
    1. Select the Authentication Type to choose the method to authenticate end users.
    2. To permit GlobalProtect to save user credentials, enable Remember Credentials in the Policies area.
  6. Configure VPN traffic rules to apply device wide or on a per-app basis:
    • Add New Per-App VPN Rule—Specify rules for specific legacy apps (typically .exe files) or modern apps (typically downloaded from the Microsoft Store) that determine whether to automatically establish the VPN connection when the app is launched and whether to send app traffic through the VPN. You can also configure specific traffic filters so that only app traffic matching criteria such as IP address and port is routed through the VPN.
    • Add New Device-Wide VPN Rule—Specify routing filters to send traffic matching a specific route through the VPN. These rules are not bound by application and are evaluated across the endpoint. If the traffic matches the match criteria, it is routed through the VPN.
  7. (Device-level VPN only) Optionally, configure the Always-On connection behavior:
    1. To keep the VPN connection always on, enable one of the following options:
      • Always On—Force the secure connection to be always on.
      • VPN Lockdown—Force the secure connection to be always on and connected, and disable the network access when the app is not connected. The VPN Lockdown option in AirWatch is similar to the Enforce GlobalProtect for Network Access option that you would configure in a GlobalProtect portal configuration.
    2. Specify Trusted Network addresses if you want GlobalProtect to connect only when it detects a trusted network connection.
    3. Save & Publish your changes.
  8. To adapt the configuration for GlobalProtect, edit the VPN profile in XML.
    To minimize additional edits in the raw XML, review the settings in your VPN profile before you export the configuration. If you need to change a setting after you export the VPN profile, you can either make the change in the raw XML or update the setting in the VPN profile and perform this step again.
    1. In the Devices > Profiles > List View, select the radio button next to the new profile you added in the previous steps, and then select </>XML at the top of the table. AirWatch opens the XML view of the profile.
    2. Export the profile and then open it in a text editor of your choice.
    3. Edit the following settings for GlobalProtect:
    • In the LocURI element that specifies the PluginPackageFamilyName, change the element to:
      <LocURI>./Vendor/MSFT/VPNv2/PaloAltoNetworks/PluginProfile/PluginPackageFamilyName</LocURI>
    • In the Data element that follows, change the value to:
      <Data>PaloAltoNetworks.GlobalProtect_rn9aeerfb38dg</Data>
    4. Save your changes to the exported profile.
    5. Return to AirWatch and the Devices > Profiles > List View.
    6. Create (select Add > Add Profile > Windows > Windows Phone) and name a new profile.
    7. Select Custom Settings > Configure, and then copy and paste the edited configuration.
    8. Save & Publish your changes.
  9. Clean up the original profile: Select the original profile from the Devices > Profiles > List View, and then select More Actions > Deactivate. AirWatch moves the profile to the Inactive list.
  10. Test the configuration.
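The XML edit in step 8 is easy to get subtly wrong by hand (a stale vendor path left in the LocURI, a mistyped package family name, or a duplicate plugin entry), and a wrong profile is only discovered after it is published to the Smart Groups. The following script is an added example, not code from Palo Alto Networks or VMware: it applies the two documented edits to an exported profile and then checks the result before you paste it into Custom Settings. The SyncML fragment it operates on is a constructed sample; a real AirWatch export may carry more nodes, and the "OtherVendor" profile name and its package family name are placeholders. The LockDown node name is taken from the Windows VPNv2 CSP as I understand it and is an assumption about what AirWatch's VPN Lockdown option maps to.

```python
"""Retarget an AirWatch-exported Windows 10 VPN profile to the GlobalProtect
plugin and verify the result before publishing.

Added example, not Palo Alto Networks' or VMware's code. The SyncML fragment
below is constructed; a real AirWatch export may carry more nodes.
"""
import xml.etree.ElementTree as ET

# The two values the documented workflow tells you to set.
GP_LOCURI = "./Vendor/MSFT/VPNv2/PaloAltoNetworks/PluginProfile/PluginPackageFamilyName"
GP_PFN = "PaloAltoNetworks.GlobalProtect_rn9aeerfb38dg"
PFN_SUFFIX = "/PluginProfile/PluginPackageFamilyName"

# Constructed sample export. "OtherVendor" stands for whichever alternate
# connection type was picked in the console; its package family name is a
# placeholder. The LockDown node follows the VPNv2 CSP naming as I understand
# it (assumption); it is what the console's "VPN Lockdown" option maps to.
SAMPLE_EXPORT = """<Replace>
  <CmdID>1</CmdID>
  <Item>
    <Target><LocURI>./Vendor/MSFT/VPNv2/OtherVendor/PluginProfile/PluginPackageFamilyName</LocURI></Target>
    <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
    <Data>OtherVendor.VpnClient_PLACEHOLDERPFN</Data>
  </Item>
  <Item>
    <Target><LocURI>./Vendor/MSFT/VPNv2/OtherVendor/LockDown</LocURI></Target>
    <Meta><Format xmlns="syncml:metinf">bool</Format></Meta>
    <Data>true</Data>
  </Item>
</Replace>
"""

# Keep the metinf namespace readable in the serialized output.
ET.register_namespace("metinf", "syncml:metinf")


def _items(root):
    """Yield (item, locuri_element, data_element) for every complete Item."""
    for item in root.iter("Item"):
        locuri = item.find("Target/LocURI")
        data = item.find("Data")
        if locuri is not None and data is not None and locuri.text:
            yield item, locuri, data


def retarget_to_globalprotect(syncml_text: str) -> str:
    """Apply the two documented edits: point the PluginPackageFamilyName LocURI
    at the PaloAltoNetworks plugin profile and set its Data to the GlobalProtect
    package family name. Refuses to proceed unless exactly one such item exists,
    so a profile with zero or duplicate plugin entries is not silently published.
    """
    root = ET.fromstring(syncml_text)
    hits = [(loc, dat) for _, loc, dat in _items(root)
            if loc.text.strip().endswith(PFN_SUFFIX)]
    if len(hits) != 1:
        raise ValueError(
            f"expected exactly one PluginPackageFamilyName item, found {len(hits)}")
    locuri, data = hits[0]
    locuri.text = GP_LOCURI
    data.text = GP_PFN
    return ET.tostring(root, encoding="unicode")


def verify_profile(syncml_text: str) -> dict:
    """Check an edited profile before pasting it into Custom Settings: does it
    target the GlobalProtect package, and is VPN Lockdown enabled (the AirWatch
    analogue of Enforce GlobalProtect for Network Access)?"""
    root = ET.fromstring(syncml_text)
    result = {"globalprotect_plugin": False, "lockdown": False}
    for _, locuri, data in _items(root):
        uri = locuri.text.strip()
        value = (data.text or "").strip()
        if uri == GP_LOCURI and value == GP_PFN:
            result["globalprotect_plugin"] = True
        elif uri.endswith("/LockDown") and value.lower() == "true":
            result["lockdown"] = True
    return result


if __name__ == "__main__":
    edited = retarget_to_globalprotect(SAMPLE_EXPORT)
    print(edited)
    print(verify_profile(edited))
```

If your export consists of several top-level SyncML commands rather than a single Replace, wrap them in one enclosing element before parsing, since xml.etree requires a single document root. The verify step is the part worth keeping in a change-control checklist: it confirms the plugin package family name and the lockdown setting independently of whatever the console displayed before the export.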