Configure an Always On VPN Configuration for Chromebooks Using the Google Admin Console

Chromebooks support Always On VPN through extended support for the GlobalProtect app for Android. In an Always On VPN configuration, the secure GlobalProtect connection is always on. Traffic that matches specific filters (such as port and IP address) configured on the GlobalProtect gateway is always routed through the VPN tunnel. By enabling your end users to run the GlobalProtect app for Android on their Chromebooks, you can ensure that they are always connected to GlobalProtect and have access to always on security.
The GlobalProtect app for Android is supported only on certain Chromebooks.
Chromebooks that do not support Android applications must continue to use the GlobalProtect app for Chrome. However, these Chromebooks will not support Always On VPN.
If the GlobalProtect app for Android is installed on a Chromebook for Always On VPN capability, the GlobalProtect app for Chrome should not be installed on the same Chromebook.
Use the following steps to configure an Always On VPN configuration for Chromebooks using the Google Admin console:
The following steps are applicable only if you Deploy the GlobalProtect App for Android on Managed Chromebooks Using the Google Admin Console. AirWatch does not currently support Always On VPN configurations for the GlobalProtect app for Android on managed Chromebooks.
  1. From your Palo Alto Networks firewall, Set Up Access to the GlobalProtect Portal.
    • To configure the GlobalProtect connection to be always on, set the
      Connect Method
      to
      User-logon (Always On)
      .
      enable-always-on-vpn-app-config.png
    • To prevent users from disabling the GlobalProtect app, set the
      Allow User to Disable GlobalProtect App
      option to
      Disallow
      .
      disallow-app-disable.png
  2. Enable transparent authentication for GlobalProtect.
    To prevent users from skipping GlobalProtect authentication prompts and thereby bypass the GlobalProtect connection upon disconnecting from GlobalProtect, configure one of the following options for transparent authentication:
    • Enable users to authenticate to GlobalProtect transparently using client certificate authentication.
    • Enable the GlobalProtect app to save both the username and password for transparent login.
      1. From your portal agent configuration (
        Network
        GlobalProtect
        Portals
        <portal-config>
        Agent
        <agent-config>
        ), select
        Authentication
        .
      2. Set the
        Save User Credentials
        option to
        Yes
        .
        enable-always-on-vpn-save-credentials.png
      3. Click
        OK
        twice to save the portal agent configuration.
  3. Commit
    your changes on the firewall.
  4. Prevent Chromebook users from bypassing GlobalProtect using Chrome OS VPN settings.
    1. Log in to the Google Admin console as an administrator.
    2. Force GlobalProtect app installation on all managed Chromebooks.
    3. Blacklist the Chrome settings (
      chrome://settings
      ) to prevent users from modifying any VPN settings:
      1. Select
        Device Management
        Chrome management
        User Settings
        .
      2. In the Content > URL Blocking area, enter
        chrome://settings
        in the
        URL Blacklist
        text box.
        google-admin-console-url-blocking.png
    4. SAVE
      your changes.

Related Documentation