Configure a Per-App VPN Configuration for Android Endpoints
You can enable access to internal resources from your managed mobile endpoints by configuring GlobalProtect VPN access using AirWatch. In a per-app VPN configuration, you can specify which managed apps can send traffic through the GlobalProtect VPN tunnel. Unmanaged apps will continue to connect directly to the internet instead of through the GlobalProtect VPN tunnel.
Use the following steps to configure a per-app VPN configuration for Android endpoints using AirWatch:
- Download the GlobalProtect app for Android:
- From the AirWatch console, modify an existing Android profile or add a new one.
- Select Devices > Profiles & Resources > Profiles, and then ADD a new profile.
- Select Android (Legacy) from the platform list.
- Configure the General settings:
- Enter a Name for the profile.
- (Optional) Enter a brief Description of the profile that indicates its purpose.
- (Optional) Select the Profile Scope, either Production, Staging, or Both.
- (Optional) Select an Assignment Type to determine how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
- (Optional) Select whether or not you want to Allow Removal of the profile by the end user. Select Always to enable the end user to manually remove the profile at any time, Never to prevent the end user from removing the profile, or With Authorization to enable the end user to remove the profile with the authorization of the administrator. Choosing With Authorization adds a required Password.
- (Optional) In the Managed By field, enter the Organization Group with administrative access to the profile.
- (Optional) In the Assigned Groups field, add the Smart Groups to which you want the profile added. This field includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups, and more.
- (Optional) Indicate whether you want to include any Exclusions to the assignment of this profile. If you select Yes, the Excluded Groups field displays, enabling you to select the Smart Groups that you wish to exclude from the assignment of this profile.
- Configure the Credentials settings: All per-app VPN configurations require certificate-based authentication.
- To pull client certificates from AirWatch users:
- Set the Credential Source to User Certificate.
- Select the S/MIME Signing Certificate (default).
- To upload a client certificate manually:
- Set the Credential Source to Upload.
- Enter a Credential Name.
- Click UPLOAD to locate and select the certificate that you want to upload.
- After you select a certificate, click SAVE.
- To use a predefined certificate authority and template:
- Set the Credential Source to Defined Certificate Authority.
- Select the Certificate Authority from which you want to obtain certificates.
- Select the Certificate Template for the certificate authority.
- Configure the VPN settings:
- Set the network Connection Type to GlobalProtect.
- Enter the Connection Name that the endpoint displays.
- In the Server field, enter the hostname or IP address of the GlobalProtect portal to which users connect.
- Enable Per-App VPN Rules to route all traffic for managed apps through the GlobalProtect VPN tunnel.
- In the Authentication area, set the User Authentication method to Certificate. All per-app VPN configurations require certificate-based authentication.
- Enter the User name for the VPN account or click the add (+) button to view supported lookup values that you can insert.
- When prompted, select the Identity Certificate that GlobalProtect will use to authenticate users. The Identity Certificate is the same certificate that you configured in the Credentials settings.
- SAVE & PUBLISH your changes.
- Configure per-app VPN settings for a new managed app or modify the settings for an existing managed app. After configuring the settings for the app and enabling per-app VPN, you can publish the app to a group of users and enable the app to send traffic through the GlobalProtect VPN tunnel.
- Select APPS & BOOKS > Applications > Native > Public.
- To add a new app, select ADD APPLICATION. To modify the settings for an existing app, locate the app in the list of Public apps (List View) and then select the edit icon in the actions menu next to the row.
- In the Managed By field, select the organization group that will manage this app.
- Set the Platform to Android.
- Select your preferred Source for locating the app:
- SEARCH APP STORE—Enter the Name of the app.
- IMPORT FROM PLAY—Import a company-approved app from Google Play.
- Click NEXT. If you chose to search Google Play, click the app icon from the list of search results. If the app has not already been approved for your company, you must APPROVE the app. After the app is approved, SELECT the app. If you chose to import the app from Google Play, select the app from the list of approved company apps and then click IMPORT. If you do not see the app in the list, contact your Android for Work administrator to approve the app.
- Select the newly added app from the list of Public apps (List View).
- From the Applications > Details View, click ASSIGN at the top-right corner of the screen.
- Select Assignments and then click ADD ASSIGNMENT to add the Smart Groups that will have access to this app.
- In the Select Assignment Groups field, select the Smart Groups that you want to grant access to this app.
- Select the App Delivery Method. If you select AUTO, the app is automatically deployed to the specified Smart Groups. If you select ON DEMAND, the app must be deployed manually.
- Set the Managed Access option to ENABLED. This option gives users access to the app based on the management policies that you apply.
- Configure the remaining settings as needed.
- ADD the new assignment.
- (Optional) To exclude certain Smart Groups from accessing the app, select Exclusions and then select the Smart Groups that you want to exclude from the Exclusion field.
- SAVE & PUBLISH the configuration to the assigned Smart Groups.