Deploy the GlobalProtect App for Android on Managed Chromebooks Using the Google Admin Console

The Google Admin console enables you to manage Chromebook settings and apps from a central, web-based location. Starting with GlobalProtect app 5.0, you can deploy the GlobalProtect app for Android on managed Chromebooks and configure the associated VPN settings from the console.
Use the following steps to deploy the GlobalProtect app for Android on managed Chromebooks using the Google Admin console:
  1. Allow Android apps to be installed on Chromebooks.
    Before you or your end users can download and install the GlobalProtect app for Android on Chromebooks, you must first allow Android apps to be installed on supported Chromebooks.
    1. Log in to the Google Admin console as an administrator.
    2. From the console, select Device ManagementChrome management to view and modify the Chrome management settings.
    3. Select User Settings.
    4. In the Android applications area, AllowAndroid applications on Chrome Devices.
      google-admin-allow-android-app-on-chrome-device.png
  2. Enable the Google Admin console to manage Android apps.
    1. From the Chrome management settings (Device ManagementChrome management), select Android application settings.
    2. In the Enable Android applications for your domain area, select the option to Enable Android applications to be managed through the Admin Console.
    3. (Optional) Select the option to Enable Android reporting for users and devices. This option allows you to monitor whether force-installed apps install correctly on your endpoints.
      enable-google-to-manage-android-apps.png
  3. Approve the GlobalProtect app for Chromebook users.
    1. From the Chrome management settings (Device ManagementChrome management), select App Management.
    2. Configure the following app management filters:
      • Set the App Type to Android Apps.
      • Set the Type to Approved Android Apps.
        google-admin-approved-android-apps-no-gp.png
    3. Click the add ( google-admin-add-button.png ) button to add GlobalProtect to the list of approved Android apps.
    4. When the Google Play store launches, search for GlobalProtect and then click the GlobalProtect app icon.
      google-admin-add-gp.png
    5. Click APPROVE to add the GlobalProtect app.
      google-admin-approve-gp.png
    6. When prompted, click APPROVE to accept the app permissions on behalf of your organization.
    7. Click OK.
  4. Determine how the GlobalProtect app is installed on Chromebooks.
    After you approve the GlobalProtect app, you must specify how the app is installed on your Chromebooks. To prevent users from bypassing GlobalProtect by uninstalling the app, force all Chromebooks to install the GlobalProtect app automatically when users log in to their Chromebook.
    You can also enable your users to install the GlobalProtect app manually. However, this option will allow your users to uninstall the GlobalProtect app from their Chromebooks.
    1. From the app management settings (Device ManagementChrome managementApp Management), select GlobalProtect from the Apps list.
      google-admin-approved-android-apps.png
    2. Select User Settings.
      google-admin-user-settings.png
    3. Select your organizational unit from the Orgs list.
    4. Enable Force Installation and Pin to taskbar.
      google-admin-force-install.png
    5. SAVE your changes.
  5. Apply a managed configuration to the GlobalProtect app.
    If you have enabled the GlobalProtect app to force install, you can apply a managed configuration file to the app. The managed configuration file contains values for configurable app settings.
    1. From the App Management settings (Device ManagementChrome managementApp Management), select GlobalProtect from the Apps list.
    2. Select User Settings.
    3. Select your organizational unit from the Orgs list.
    4. Click UPLOAD CONFIGURATION FILE to select and upload your managed configuration file.
      You can configure the following settings in the managed configuration file:
      Setting
      Description
      Value Type
      Example
      portal
      IP address or fully qualified domain name (FQDN) of the portal.
      String
      acme.portal.com
      username
      Username for portal authentication.
      String
      user123
      password
      Password for portal authentication.
      String
      password123
      certificate
      Client certificate for portal authentication.
      String (in Base64)
      DAFDSaweEWQ23wDSAFD…
      client_certificate
      _passphrase
      Client certificate passphrase for portal authentication.
      String
      PA$$W0RD$123
      app_list
      Blacklist or whitelist that enables you to control which application traffic can go through the VPN tunnel in a per-app VPN configuration.
      String
      whiltelist | blacklist: com.google.calendar; com.android.email; com.android.chrome
      connect_method
      VPN connection method.
      String
      user-logon | on-demand
      mobile_id
      Unique identifier used to identify mobile endpoints, as configured in a third-party MDM system.
      String
      5188a8193be43f42d332dde5cb2c941e
      remove_vpn_config
      _via_restriction
      Flag to remove the VPN configuration.
      Boolean
      true | false
      In addition, the file must be in JSON format, as shown in the following sample configuration:
      {
      	"portal": "acme.portal.com",
      	"username": "user123"
      }
    5. SAVE your changes.

Related Documentation