Configure the GlobalProtect App for Android

You can deploy and configure the GlobalProtect app on Android For Work endpoints from any third-party mobile device management (MDM) system supporting Android For Work App data restrictions.
On Android endpoints, traffic is routed through the VPN tunnel according to the access routes configured on the GlobalProtect gateway. From your third-party MDM that manages Android for Work endpoints, you can further refine the traffic that is routed through the VPN tunnel.
In an environment where the endpoint is corporately owned, the endpoint owner manages the entire endpoint, including all the apps installed on that endpoint. By default, all installed apps can send traffic through the VPN tunnel according to the access routes defined on the gateway.
In a bring-your-own-device (BYOD) environment, the endpoint is not corporately owned and uses a Work Profile to separate business and personal apps. By default, only managed apps in the Work Profile can send traffic through the VPN tunnel according to the access routes defined on the gateway. Apps installed on the personal side of the endpoint cannot send traffic through the VPN tunnel set by the managed GlobalProtect app that is installed in the Work Profile.
To route traffic from an even smaller set of apps, you can enable Per-App VPN so that GlobalProtect only routes traffic from specific managed apps. For Per-App VPN, you can whitelist or blacklist specific managed apps from having their traffic routed through the VPN tunnel.
As part of the VPN configuration, you can also specify how the user connects to the VPN. When you configure the connect method as user-logon, the GlobalProtect app establishes a connection automatically. When you configure the connect method as on-demand, users must initiate a connection manually.
The VPN connect method defined in the MDM takes precedence over the connect method defined in the GlobalProtect portal configuration.
Removing the VPN configuration automatically restores the GlobalProtect app to its original configuration settings.
To configure the GlobalProtect app for Android, configure the following Android App Restrictions.

| Key | Value Type | Description | Example |
|---|---|---|---|
| portal | String | IP address or fully qualified domain name (FQDN) of the portal. | 10.1.8.190 |
| username | String | Username for the user. | john |
| password | String | Password for the user. | Passwd!234 |
| mobile_id | String | Mobile ID as configured in third-party MDM service to uniquely identify a mobile device. GlobalProtect uses this mobile ID to retrieve device information. | 5188a8193be43f42d332dde5cb2c941e |
| certificate | String (in Base64) | Client certificate (cert) used to authenticate the agent and the portal. | DAFDSaweEWQ23wDSAFD…. |
| client_certificate_passphrase | String | Key associated with the client certificate. | PA$$W0RD$123 |
| app_list | String | Configuration for Per-App VPN. Begin the string with either the whitelist or blacklist, and follow it with an array of app names separated by semicolons. The whitelist specifies the apps that will use the VPN tunnel for network communication. The network traffic for any other app that is not in the whitelist or expressly listed in the blacklist will not go through the VPN tunnel. | whitelist \| blacklist: com.google.calendar; com.android.email; com.android.chrome |
| connect_method | String | Either user-logon to automatically connect the user to the GlobalProtect portal using their Windows credentials or on-demand to manually connect the user to the gateway. | user-logon \| on-demand |
| remove_vpn_config_via_restriction | Boolean | Permanently remove all GlobalProtect VPN configuration information. | true \| false |
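
A pre-deployment check for a restrictions payload built from the keys above, as an added example that is not part of the original page and is not Palo Alto Networks code. The `app_list` syntax is assumed from the Example column (`whitelist` or `blacklist`, a colon, then semicolon-separated package names); the package-name pattern, the function names and the wording of the findings are assumptions of this example.

```python
import re

# Assumption: app names are Android package names (dot-separated identifiers).
PKG_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")
CONNECT_METHODS = {"user-logon", "on-demand"}
SECRET_KEYS = ("password", "client_certificate_passphrase")

def parse_app_list(value):
    """Split 'whitelist: pkg; pkg' into (mode, [packages]); raise on bad syntax."""
    mode, sep, rest = value.partition(":")
    mode = mode.strip().lower()
    if not sep or mode not in ("whitelist", "blacklist"):
        raise ValueError("must begin with 'whitelist:' or 'blacklist:'")
    apps = [a.strip() for a in rest.split(";") if a.strip()]
    bad = [a for a in apps if not PKG_RE.match(a)]
    if not apps or bad:
        raise ValueError("no apps listed" if not apps else "bad app name: " + ", ".join(bad))
    return mode, apps

def review_restrictions(cfg):
    """Return a list of findings for one restrictions payload (a dict)."""
    findings = []
    if not str(cfg.get("portal", "")).strip():
        findings.append("portal: missing")
    method = cfg.get("connect_method")
    if method is not None and method not in CONNECT_METHODS:
        findings.append(f"connect_method: unexpected value {method!r}")
    if "app_list" in cfg:
        try:
            parse_app_list(cfg["app_list"])
        except ValueError as exc:
            findings.append(f"app_list: {exc}")
    for key in SECRET_KEYS:  # credentials carried in the MDM payload itself
        if cfg.get(key):
            findings.append(f"{key}: credential present in restrictions payload")
    if cfg.get("remove_vpn_config_via_restriction") is True:
        findings.append("remove_vpn_config_via_restriction: true removes all VPN configuration")
    return findings

# Constructed sample payload using the page's example values; the
# connect_method typo (underscore instead of hyphen) is deliberate.
SAMPLE = {
    "portal": "10.1.8.190",
    "password": "Passwd!234",
    "app_list": "whitelist: com.google.calendar; com.android.email; com.android.chrome",
    "connect_method": "user_logon",
}
```

Calling `review_restrictions(SAMPLE)` reports the mistyped connect method and the embedded password; an empty list means the payload passed every check in this example.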
