Configure the GlobalProtect App for Android
You can deploy and configure the GlobalProtect app on Android for Work endpoints from any third-party mobile device management (MDM) system that supports Android for Work app restrictions.
On Android endpoints, traffic is routed through the VPN tunnel according to the access routes configured on the GlobalProtect gateway. From the third-party MDM that manages your Android for Work endpoints, you can further refine which traffic is routed through the VPN tunnel.
In an environment where the endpoint is corporately owned, the endpoint owner manages the entire endpoint, including all the apps installed on that endpoint. By default, all installed apps can send traffic through the VPN tunnel according to the access routes defined on the gateway.
In a bring-your-own-device (BYOD) environment, the endpoint is not corporately owned and uses a Work Profile to separate business and personal apps. By default, only managed apps in the Work Profile can send traffic through the VPN tunnel according to the access routes defined on the gateway. Apps installed on the personal side of the endpoint cannot send traffic through the VPN tunnel set by the managed GlobalProtect app that is installed in the Work Profile.
To route traffic from a narrower set of apps, you can enable Per-App VPN so that GlobalProtect routes traffic only from specific managed apps. For Per-App VPN, you can whitelist or blacklist specific managed apps from having their traffic routed through the VPN tunnel.
As part of the VPN configuration, you can also specify how the user connects to the VPN. When you configure the connect method as user-logon, the GlobalProtect app establishes a connection automatically. When you configure the connect method as on-demand, users must initiate a connection manually.
The VPN connect method defined in the MDM takes precedence over the connect method defined in the GlobalProtect portal configuration.
Removing the VPN configuration automatically restores the GlobalProtect app to its original configuration settings.
To configure the GlobalProtect app for Android, configure the following Android app restrictions. Each entry below gives the restriction's description and, where the page lists them, its accepted values.

Description: IP address or fully qualified domain name (FQDN) of the portal.

Description: Username for the user.

Description: Password for the user.

Description: Mobile ID as configured in the third-party MDM service to uniquely identify a mobile device. GlobalProtect uses this mobile ID to retrieve device information.
Values: String (in Base64)

Description: Client certificate (cert) used to authenticate the agent and the portal.

Description: Key associated with the client certificate.

Description: Configuration for Per-App VPN. Begin the string with either whitelist or blacklist, and follow it with a list of app package names separated by semicolons. The whitelist specifies the apps that will use the VPN tunnel for network communication. Network traffic from any app that is not in the whitelist, or that is expressly listed in the blacklist, will not go through the VPN tunnel.
Values: whitelist | blacklist: com.google.calendar; com.android.email; com.android.chrome

Description: Either user-logon, to automatically connect the user to the GlobalProtect portal using their Windows credentials, or on-demand, to let the user connect to the gateway manually.
Values: user-logon | on-demand

Restriction: remove_vpn_config_via_restriction
Description: Permanently remove all GlobalProtect VPN configuration information.
Values: true | false
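The following is an added example, not code from Palo Alto Networks or the GlobalProtect app: it validates a Per-App VPN restriction string in the "whitelist | blacklist: pkg; pkg" format shown above before an MDM administrator pushes it, and then applies the whitelist/blacklist rule described on this page to decide whether a given managed app's traffic would use the tunnel. The package-name regex and the function names are this example's own assumptions.

```python
"""Validate and evaluate a GlobalProtect Per-App VPN restriction string.

Format described on the page: "<whitelist|blacklist>: pkg; pkg; pkg"
"""
import re
from typing import List, Tuple

# Assumption: an Android package name is two or more dot-separated
# identifier segments (letters, digits, underscore; not starting with a digit).
_PACKAGE_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)+$")


def parse_per_app_vpn(value: str) -> Tuple[str, List[str]]:
    """Return (mode, packages) for a Per-App VPN restriction string.

    Raises ValueError on a malformed string so a bad restriction is caught
    in the MDM before it reaches endpoints.
    """
    mode, sep, rest = value.partition(":")
    mode = mode.strip().lower()
    if not sep or mode not in ("whitelist", "blacklist"):
        raise ValueError(f"mode must be 'whitelist' or 'blacklist': {value!r}")
    packages = [p.strip() for p in rest.split(";") if p.strip()]
    if not packages:
        raise ValueError("Per-App VPN list must name at least one package")
    for pkg in packages:
        if not _PACKAGE_RE.match(pkg):
            raise ValueError(f"not a valid Android package name: {pkg!r}")
    return mode, packages


def routes_through_vpn(value: str, package: str) -> bool:
    """Decide whether traffic from `package` uses the tunnel under `value`.

    whitelist: only the listed apps use the tunnel.
    blacklist: every other managed app uses the tunnel; listed apps do not.
    """
    mode, packages = parse_per_app_vpn(value)
    listed = package in packages
    return listed if mode == "whitelist" else not listed


if __name__ == "__main__":
    # Constructed sample restriction using the example values from the page.
    sample = "whitelist: com.google.calendar; com.android.email; com.android.chrome"
    print(parse_per_app_vpn(sample))
    print(routes_through_vpn(sample, "com.android.chrome"))   # True
    print(routes_through_vpn(sample, "com.example.personal"))  # False
```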