Deploy the GlobalProtect App For Android on Managed Chromebooks Using the Google Admin Console

The GlobalProtect app for Chrome OS is deprecated and replaced with the app for Android.
The Google Admin console enables you to manage Chromebook settings and apps from a central, web-based location. You can deploy the GlobalProtect app for Android on managed Chromebooks and configure the associated VPN settings from the console.
To set up the app for users automatically, you can optionally use the Google Chromebook Management Console to configure and deploy settings to managed Chrome OS devices.
Follow these recommendations to deploy the GlobalProtect app for Android on managed Chromebooks:
  • You cannot push a unique certificate for authentication to the device using the Google Admin console.
  • From your Chromebook, press
    to open the terminal command line. Use the
    command to display the routes that are installed on the device. You can determine whether to include the access routes for split tunneling.
  • Because applications often use different file formats, you can use OpenSSL to convert the certificates from PKCS #12 format to Base64 format. Use the
    openssl base64 -A -in
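
The certificate conversion from the recommendations above, as an added example that is not part of the original page: it builds a constructed throwaway PKCS #12 bundle, encodes it with `openssl base64 -A`, then decodes it again to confirm the single-line value is intact and opens with the passphrase. The file names, certificate subject and passphrase are assumptions.

```shell
#!/bin/sh
# Added example. The key, certificate and passphrase are constructed throwaway
# values; the file names are assumptions.
set -eu

# Build a self-signed identity and bundle it as PKCS #12 (sample input only).
# The passphrase is read from $P12_PASS so it never appears in the process list.
make_sample_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=sample-chromebook-user" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout env:P12_PASS -out "$1/client.p12"
}

# The conversion from the page: -A emits the Base64 as one unbroken line,
# which is what a JSON string value needs.
p12_to_base64() {
    openssl base64 -A -in "$1"
}

# Decode the string again (-A is required to read one long line) and print
# the certificate subject, showing that the encoded value is intact and that
# the passphrase opens it.
subject_from_base64() {
    printf '%s' "$1" | openssl base64 -d -A -out "$2"
    openssl pkcs12 -in "$2" -passin env:P12_PASS -nokeys 2>/dev/null |
        openssl x509 -noout -subject
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
export P12_PASS="constructed-passphrase"

make_sample_p12 "$WORK"
B64=$(p12_to_base64 "$WORK/client.p12")
SUBJECT=$(subject_from_base64 "$B64" "$WORK/decoded.p12")

echo "base64 length: ${#B64}"
echo "$SUBJECT"
cmp -s "$WORK/client.p12" "$WORK/decoded.p12" && echo "round trip: identical"
```

Running the same decode check on a real certificate string before pasting it into a managed configuration catches wrapped or truncated Base64 before it reaches devices.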
Use the following steps to deploy the GlobalProtect app for Android on managed Chromebooks using the Google Admin console:
  1. Before you begin:
    • Configure the GlobalProtect gateways to support the GlobalProtect app for Android on managed Chromebooks. Refer to Configure a GlobalProtect Gateway.
    • Configure the portal and customize the GlobalProtect app for Android on managed Chromebooks. You must configure one or more gateways to which the GlobalProtect app can connect. Refer to Set Up Access to the GlobalProtect Portal. Refer to the Palo Alto Networks Compatibility Matrix for a list of features supported for Android on Chrome OS.
    • (Recommended)
      Enable SAML SSO for the GlobalProtect app for Android on Chromebooks for seamless authentication. We recommend that you set up SAML SSO so that users connect automatically after they log in to their Chromebook, without having to re-enter their credentials in the GlobalProtect app. This ensures that users have access to always-on security. Refer to Set Up SAML Authentication.
    • When users connect to GlobalProtect for the first time on Android on managed Chromebooks, the following suppress VPN notification message must be acknowledged before the tunnel is set up:
  2. Approve the GlobalProtect app for Chromebook users.
    1. Log in to the Google Admin console as an administrator.
    2. From the Admin console, select
      Chrome management
      to view and modify the Chrome management settings.
    3. Select
      Apps & extensions
    4. In the Apps and extensions area, click the
      application settings page
    5. Click the add button to add GlobalProtect to the list of approved Android apps from the Google Play store.
    6. When the Google Play store launches, search for
      and then click the GlobalProtect app icon.
    7. Click
      to add the GlobalProtect app.
      A message appears when the GlobalProtect app is added successfully.
  3. Determine how the GlobalProtect app is installed on Chromebooks.
    After you approve the GlobalProtect app, you must specify how the app is installed on Chromebooks. To prevent users from bypassing GlobalProtect by uninstalling the app, force all Chromebooks to install the GlobalProtect app automatically when users log in to their Chromebook.
    1. From the app extension management settings (
      Device management
      Apps & extensions
      ), select
      from the Apps list.
    2. Select your organizational unit from the list on the left edge of the page.
    3. Select any of the following options:
      • (Recommended)
        Force install + pin
        —Enable and pin the force-installed GlobalProtect app to the taskbar. If you select this option, users do not have the option to Sign Out of the app.
      • Force install
        —Use this option to ensure that the GlobalProtect app is automatically installed on each Chromebook when users log in. To prevent users from uninstalling the GlobalProtect app and getting around the security and compliance requirements you want to enforce, use the
        Force install
        option. If you select this option, users do not have the option to Sign Out of the app.
      • Allow install
        —Install this app manually from the Google Play store. This option also allows users to uninstall the GlobalProtect app from their Chromebooks.
      • Block
        —Block users from installing this app.
    4. SAVE
      your changes.
  4. Apply a managed configuration to the GlobalProtect app.
    If you have enabled the GlobalProtect app to force install, you can apply a managed configuration file to the app. The managed configuration file contains values for configurable app settings.
    1. From the App Management settings (
      Device Management
      Chrome management
      Apps & Extensions
      ), select
      from the Apps list.
    2. Select your organizational unit from the list on the left edge of the page.
    3. Click the
      Upload from file
      icon on the right edge of the page to select and upload your managed configuration file. Alternatively, enter the keys and values in JSON format, as shown in the following sample configuration.
      { "
      ": "
      ", "
      ": "
      " }
      The following table displays an example of the settings in the managed configuration file. For the settings that are relevant for your company, please contact your IT administrator.
      Value Type
      IP address or fully qualified domain name (FQDN) of the portal.
      Username for portal authentication.
      Password for portal authentication.
      Client certificate for portal authentication.
      String (in Base64)
      Client certificate passphrase for portal authentication.
      Block list or allow list that enables you to control which application traffic can go through the VPN tunnel in a per-app VPN configuration.
      allow list | block list:;;
      VPN connection method.
      user-logon | on-demand
      Unique identifier used to identify mobile endpoints, as configured in a third-party MDM system.
      Flag to remove the VPN configuration.
      true | false
      Flag to allow application traffic to bypass the VPN tunnel.
      true | false
      Unique name used to identify the client certificate during portal or gateway authentication.
      Company User client
      Flag to indicate whether the device is enrolled with an MDM server.
      true | false
      Ownership category of the device (for example,
      Employee Owned
      Compliance status that indicates whether the device is compliant with the compliance policies that you have defined.
      Tags to enable you to identify devices. Each tag must be separated by a comma.
    4. SAVE
      your changes.
  5. Enforce policies on the GlobalProtect app for Android on managed Chromebooks.
