You can deploy and configure the GlobalProtect app on
Android For Work endpoints from any third-party mobile device management
(MDM) system supporting Android For Work App data restrictions.
On Android endpoints, traffic is routed through the VPN tunnel
according to the access routes configured on the GlobalProtect gateway.
From your third-party MDM that manages Android for Work endpoints,
you can further refine the traffic that is routed though the VPN
In an environment where the endpoint is corporately owned, the
endpoint owner manages the entire endpoint, including all the apps
installed on that endpoint. By default, all installed apps can send
traffic through the VPN tunnel according to the access routes defined
on the gateway.
In a bring-your-own-device (BYOD) environment, the endpoint is
not corporately owned and uses a Work Profile to separate business
and personal apps. By default, only managed apps in the Work Profile
can send traffic through the VPN tunnel according to the access
routes defined on the gateway. Apps installed on the personal side
of the endpoint cannot send traffic through the VPN tunnel set by
the managed GlobalProtect app that is installed in the Work Profile.
To route traffic from an even smaller set of apps, you can enable
Per-App VPN so that GlobalProtect only routes traffic from specific
managed apps. For Per-App VPN, you can allow list or block list
specific managed apps from having their traffic routed through the
As part of the VPN configuration, you can also specify how the
user connects to the VPN. When you configure the connect method
, the GlobalProtect app establishes
a connection automatically. When you configure the connect method
, users must initiate a connection
The VPN connect method defined in the MDM takes precedence over
the connect method defined in the GlobalProtect portal configuration.
Removing the VPN configuration automatically restores the GlobalProtect
app to its original configuration settings.
To configure the GlobalProtect app for Android, configure the
following Android App Restrictions.
IP address or fully qualified domain name
(FQDN) of the portal.
Username for the user.
Password for the user.
Mobile ID as configured in third-party MDM
service to uniquely identify a mobile device. GlobalProtect uses
this mobile ID to retrieve device information.
String (in Base64)
Client certificate (cert) used to authenticate
the agent and the portal.
Key associated with the client certificate.
Configuration for Per-App VPN. Begin the
string with either the allow list or block list, and follow it with
an array of app names separated by semicolons. The allow list specifies
the apps that will use the VPN tunnel for network communication.
The network traffic for any other app that is not in the allow list
or expressly listed in the block list will not go through the VPN tunnel.
allow list | block list: com.google.calendar; com.android.email; com.android.chrome
Either user-logon to automatically connect
the user to the GlobalProtect portal using their windows credentials
or on-demand to manually connect the user to the gateway.
user-logon | on-demand
remove_vpn_ config_via_ restriction
Permanently remove all GlobalProtect VPN