Configure an Always On VPN Configuration for Windows 10 UWP Endpoints Using AirWatch

In an Always On VPN configuration, the secure GlobalProtect connection is always on. Traffic that matches specific filters (such as port and IP address) configured on the GlobalProtect gateway is always routed through the VPN tunnel. For even tighter security requirements, you can enable VPN lockdown, which forces the secure connection to always be on and connected in addition to disabling network access when the app is not connected. This configuration is similar to the Enforce GlobalProtect for Network Access option that you would typically configure in a GlobalProtect portal configuration.
Because AirWatch does not yet list GlobalProtect as an official connection provider for Windows endpoints, you must select an alternate VPN provider, edit the settings for the GlobalProtect app, and import the configuration back into the VPN profile as described in the following workflow.
Use the following steps to configure an Always On VPN configuration for Windows 10 UWP endpoints using AirWatch:
  1. Download the GlobalProtect app for Windows 10 UWP:
  2. From the AirWatch console, modify an existing Windows 10 UWP profile add a new one.
    1. Select DevicesProfiles & ResourcesProfiles, and then ADD a new profile.
    2. Select Windows as the platform and Windows Phone as the device type.
      airwatch-add-windows-profile.png
      airwatch-add-windows-phone.png
  3. Configure the General settings:
    1. Enter a Name for the profile.
    2. (Optional) Enter a brief Description of the profile that indicates its purpose.
    3. (Optional) Set the Deployment method to Managed to enable the profile to be removed automatically upon unenrollment
    4. (Optional) Select an Assignment Type to determine how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
    5. (Optional) In the Managed By field, enter the Organization Group with administrative access to the profile.
    6. (Optional) In the Assigned Groups field, add the Smart Groups to which you want the profile added. This field includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups, and more.
    7. (Optional) Indicate whether you want to include any Exclusions to the assignment of this profile. If you select Yes, the Excluded Groups field displays, enabling you to select the Smart Groups that you wish to exclude from the assignment of this profile.
    8. (Optional) If you Enable Scheduling and install only during selected time periods, you can apply a time schedule (DevicesProfiles & ResourcesProfiles SettingsTime Schedules) to the profile installation, which limits the periods of time during which the profile can be installed on endpoints. When prompted, enter the schedule name in the Assigned Schedules field.
    airwatch-windows-general-settings.png
  4. (Optional) If your GlobalProtect deployment requires client certificate authentication, configure the Credentials settings:
    • To pull client certificates from AirWatch users:
      1. Set the Credential Source to User Certificate.
      2. Select the S/MIME Signing Certificate (default).
      airwatch-windows-credentials-user-cert.png
    • To upload a client certificate manually:
      1. Set the Credential Source to Upload.
      2. Enter a Credential Name.
      3. Click UPLOAD to locate and select the certificate that you want to upload.
      4. After you select a certificate, click SAVE.
      5. Select the Key Location where you want to store the certificate’s private key:
        • TPM Required—Store the private key on a Trusted Platform Module. If a Trusted Platform Module is not available on the endpoint, the private key cannot be installed.
        • TPM If Present—Store the private key on a Trusted Platform Module if one is available on the endpoint. If a Trusted Platform Module is not available on the endpoint, the private key is stored in the endpoint software.
        • Software—Store the private key in the endpoint software.
        • Passport—Save the private key to Microsoft Passport. To use this option, AirWatch Protection Agent must be installed on the endpoint.
      6. Set the Certificate Store to Personal.
      airwatch-windows-credentials-upload.png
    • To use a predefined certificate authority and template:
      1. Set the Credential Source to Defined Certificate Authority.
      2. Select the Certificate Authority from which you want obtain certificates.
      3. Select the Certificate Template for the certificate authority.
      4. Select the Key Location where you want to store the certificate’s private key:
        • TPM Required—Store the private key on a Trusted Platform Module. If a Trusted Platform Module is not available on the endpoint, the private key cannot be installed.
        • TPM If Present—Store the private key on a Trusted Platform Module if one is available on the endpoint. If a Trusted Platform Module is not available on the endpoint, the private key is stored in the endpoint software.
        • Software—Store the private key in the endpoint software.
        • Passport—Save the private key to Microsoft Passport. To use this option, AirWatch Protection Agent must be installed on the endpoint.
      5. Set the Certificate Store to Personal.
      airwatch-windows-credentials-CA.png
  5. Configure the VPN settings:
    1. Enter the Connection Name that the endpoint displays.
    2. Select an alternate Connection Type provider (do not select IKEv2, L2TP, PPTP, or Automatic, as these do not have the associated vendor settings required for the GlobalProtect VPN profile).
      You must select an alternate vendor because AirWatch has not yet listed GlobalProtect as an official connection provider for Windows endpoints.
    3. In the Server field, enter the hostname or IP address of the GlobalProtect portal to which users connect.
    4. In the Authentication area, select an Authentication Type to specify the method authenticate end users.
      airwatch-windows-vpn-settings.png
    5. (Optional) To permit GlobalProtect to save user credentials, ENABLE the option to Remember Credentials in the Policies area.
    6. (Optional) In the VPN Traffic Rules area, ADD NEW DEVICE WIDE VPN RULE to send traffic matching a specific route through the VPN tunnel. These rules are not bound by application but are evaluated across the endpoint. If the traffic matches the specified match criteria, it is routed through the VPN tunnel.
      Add match criteria by clicking ADD NEW FILTER and then entering a Filter Type and corresponding Filter Value.
      airwatch-windows-device-wide-vpn-rule.png
    7. To maintain the GlobalProtect connection always, configure either of the following options in the Policies area:
      • ENABLE Always On to force the secure connection to be always on.
      • ENABLEVPN Lockdown to force the secure connection to be always on and connected, and to disable network access when the app is not connected. The VPN Lockdown option in AirWatch is similar to the Enforce GlobalProtect for Network Access option that you would configure in a GlobalProtect portal configuration.
      airwatch-windows-enable-always-on.png
    8. (Optional) Specify Trusted Network addresses if you want GlobalProtect to connect only when it detects a trusted network connection.
  6. SAVE & PUBLISH your changes.
  7. To set the connection type provider to GlobalProtect, edit the VPN profile in XML.
    To minimize additional edits in the raw XML, review the settings in your VPN profile before you export the configuration. If you need to change a setting after you export the VPN profile, you can make the changes in the raw XML or, you can update the setting in the VPN profile and perform this step again.
    1. In the DevicesProfilesList View, select the radio button next to the new profile you added in the previous steps, and then select </>XML at the top of the table. AirWatch opens the XML view of the profile.
    2. Export the profile and then open it in a text editor of your choice.
    3. Edit the following settings for GlobalProtect:
    • In the LoclURI element that specifies the PluginPackageFamilyName, change the element to:
      <LocURI>./Vendor/MSFT/VPNv2/PaloAltoNetworks/PluginProfile/PluginPackageFamilyName</LocURI>
    • In the Data element that follows, change the value to:
      <Data>PaloAltoNetworks.GlobalProtect_rn9aeerfb38dg</Data>
    1. Save your changes to the exported profile.
    2. Return to AirWatch and select DevicesProfilesList View.
    3. Create and name a new profile (select ADDAdd ProfileWindowsWindows Phone).
    4. Select Custom SettingsConfigure, and then copy and paste the edited configuration.
    5. SAVE & PUBLISH your changes.
  8. Clean up the original profile by selecting the original profile from DevicesProfilesList View, and then selecting More ActionsDeactivate. AirWatch moves the profile to the Inactive list.
  9. Test the configuration.

Related Documentation