Configure a Per-App VPN Configuration for Android Endpoints Using Workspace ONE
You can enable access to internal resources from your managed mobile endpoints by configuring
GlobalProtect VPN access using Workspace ONE. In a per-app VPN configuration, you
can specify which managed apps can send traffic through the GlobalProtect VPN
tunnel. Unmanaged apps will continue to connect directly to the internet instead of
through the GlobalProtect VPN tunnel.
Use the following steps to configure a per-app VPN configuration for Android endpoints using
Download the GlobalProtect app directly from Google Play.
From the Workspace ONE console, modify an existing Android profile or add a new
Profiles & Resources
, and then
a new profile.
from the platform
for the profile.
) Enter a brief
the profile that indicates its purpose.
) Select the
) Select an
determine how the profile is deployed to endpoints. Select
deploy the profile to all endpoints automatically,
enable the end user to install the profile from the Self-Service
Portal (SSP) or to manually deploy the profile to individual endpoints,
to deploy the profile when
an end user violates a compliance policy applicable to the endpoint.
) Select whether or not you want to
of the profile by the end user. Select
enable the end user to manually remove the profile at any time,
prevent the end user from removing the profile, or
to enable the end user to remove the profile
with the authorization of the administrator. Choosing
adds a required Password.
) In the
enter the Organization Group with administrative access to the profile.
) In the
add the Smart Groups to which you want the profile added. This field
includes an option to create a new Smart Group, which can be configured
with specs for minimum OS, device models, ownership categories,
organization groups, and more.
) Indicate whether you want to include
to the assignment of this
profile. If you select
field displays, enabling you to select the Smart
Groups that you wish to exclude from the assignment of this profile.
All per-app VPN configurations require certificate-based
To pull client certificates from Workspace ONE users:
S/MIME Signing Certificate
To upload a client certificate manually:
to locate and select
the certificate that you want to upload.
After you select a certificate, click
To use a predefined certificate authority and template:
which you want obtain certificates.
the certificate authority.
Set the network
field, enter the hostname
or IP address of the GlobalProtect portal to which users connect.
Per-App VPN Rules
all traffic for managed apps through the GlobalProtect VPN tunnel.
In the Authentication area, set the
All per-app VPN
configurations require certificate-based authentication.
for the VPN account
or click the add (
) button to view supported
lookup values that you can insert.
When prompted, select the
GlobalProtect will use to authenticate users. The
is the same certificate that you configured
SAVE & PUBLISH
Configure per-app VPN settings for a new managed app
or modify the settings for an existing managed app.
After configuring the settings for the app and enabling
per-app VPN, you can publish the app to a group of users and enable the
app to send traffic through the GlobalProtect VPN tunnel.
To add a new app, select
To modify the settings for an existing app, locate the app in the
list of Public apps (List View) and then select the edit (
in the actions menu next to the row.
the organization group that will manage this app.