Deploy the GlobalProtect App for Android on Managed Chromebooks Using the Google Admin Console

The Google Admin console enables you to manage Chromebook settings and apps from a central, web-based location. You can deploy the GlobalProtect app for Android on managed Chromebooks and configure the associated VPN settings from the console.
To set up the app for the user automatically, you can optionally use the Google Chromebook Management Console to configure and deploy settings to managed Chrome OS devices.
Follow these recommendations to deploy the GlobalProtect app for Android on managed Chromebooks:
  • You cannot push a unique certificate for authentication to the device using the Google Admin console.
  • From your Chromebook, press CTRL+ALT+T to open the terminal command line. Use the route command to display the routes that are installed on the device. You can determine whether to include the access routes for split tunneling.
  • Because applications often use different file formats, you can use OpenSSL to convert the certificates from PKCS #12 format to Base64 format. Use the openssl base64 -A -in <certificate-in-p12-format> -out <cert.txt> command.
Use the following steps to deploy the GlobalProtect app for Android on managed Chromebooks using the Google Admin console:
  1. Before you begin:
    • Configure the GlobalProtect gateways to support the GlobalProtect app for Android on managed Chromebooks. Refer to Configure a GlobalProtect Gateway.
    • Configure the portal and customize the GlobalProtect app for Android on managed Chromebooks. You must configure one or more gateways to which the GlobalProtect app can connect. Refer to Set Up Access to the GlobalProtect Portal. Refer to the Palo Alto Networks Compatibility Matrix for a list of features supported for Android on Chrome OS.
    • (Recommended) Enable SAML SSO for the GlobalProtect app for Android on Chromebooks for seamless authentication. We recommend that you set up SAML SSO to allow users to connect automatically after they log in to Chromebook without having to re-enter their credentials on the GlobalProtect app. This ensures that users have access to always-on security. Refer to Set Up SAML Authentication.
    • When users connect to GlobalProtect for the first time on Android on managed Chromebooks, the suppress VPN notification message must be acknowledged before the tunnel is set up.
  2. Approve the GlobalProtect app for Chromebook users.
    1. Log in to the Google Admin console as an administrator.
    2. From the Admin console, select Devices > Chrome management to view and modify the Chrome management settings.
    3. Select Apps & extensions.
    4. In the Apps and extensions area, click the application settings page link.
    5. Click the add button to add GlobalProtect to the list of approved Android apps from the Google Play Store.
    6. When the Google Play Store launches, search for GlobalProtect and then click the GlobalProtect app icon.
    7. Click Select to add the GlobalProtect app.
      A message appears when the GlobalProtect app is successfully added.
  3. Determine how the GlobalProtect app is installed on Chromebooks.
    After you approve the GlobalProtect app, you must specify how the app is installed on Chromebooks. To prevent users from bypassing GlobalProtect by uninstalling the app, force all Chromebooks to install the GlobalProtect app automatically when users log in to their Chromebook.
    1. From the app extension management settings (Device management > Chrome > Apps & extensions), select GlobalProtect from the Apps list.
    2. Select your organizational unit from the list on the left edge of the page.
    3. Select any of the following options:
      • (Recommended) Force install + pin: Enable and pin the force-installed GlobalProtect app to the taskbar. If you select this option, users will not have the option to Sign Out of the app.
      • Force install: Use this option if you want to ensure that the GlobalProtect app is automatically installed on each Chromebook when users log in to their Chromebooks. To prevent users from uninstalling the GlobalProtect app and getting around your security and compliance requirements, enforce the Force install option. If you select this option, users will not have the option to Sign Out of the app.
      • Allow install: Install this app manually from the Google Play Store. This option also allows users to uninstall the GlobalProtect app from their Chromebooks.
      • Block: Block users from installing this app.
    4. SAVE your changes.
  4. Apply a managed configuration to the GlobalProtect app.
    If you have enabled the GlobalProtect app to force install, you can apply a managed configuration file to the app. The managed configuration file contains values for configurable app settings.
    1. From the App Management settings (Device Management > Chrome management > Apps & Extensions), select GlobalProtect from the Apps list.
    2. Select your organizational unit from the list on the left edge of the page.
    3. Click the Upload from file icon on the right edge of the page to select and upload your managed configuration file. Alternatively, enter the key and value pairs in JSON format, as shown in the following sample configuration.
      { "portal": "acme.portal.com", "username": "user123" }
      The following table displays an example of the settings in the managed configuration file. For the settings that are relevant for your company, please contact your IT administrator.
      | Setting | Description | Value Type | Example |
      |---|---|---|---|
      | portal | IP address or fully qualified domain name (FQDN) of the portal. | String | acme.portal.com |
      | username | Username for portal authentication. | String | user123 |
      | password | Password for portal authentication. | String | password123 |
      | client_certificate | Client certificate for portal authentication. | String (in Base64) | DAFDSaweEWQ23wDSAFD… |
      | client_certificate_passphrase | Client certificate passphrase for portal authentication. | String | PA$$W0RD$123 |
      | app_list | Block list or allow list that enables you to control which application traffic can go through the VPN tunnel in a per-app VPN configuration. | String | allow list \| block list: com.google.calendar; com.android.email; com.android.chrome |
      | connect_method | VPN connection method. | String | user-logon \| on-demand |
      | mobile_id | Unique identifier used to identify mobile endpoints, as configured in a third-party MDM system. | String | 5188a8193be43f42d332dde5cb2c941e |
      | remove_vpn_config_via_restriction | Flag to remove the VPN configuration. | Boolean | true \| false |
      | allow_vpn_bypass | Flag to allow application traffic to bypass the VPN tunnel. | Boolean | true \| false |
      | cert_alias | Unique name used to identify the client certificate during portal or gateway authentication. | String | Company User client |
      | managed | Flag to indicate whether the device is enrolled with an MDM server. | Boolean | true \| false |
      | ownership | Ownership category of the device (for example, Employee Owned). | String | byod |
      | compliance | Compliance status that indicates whether the device is compliant with the compliance policies that you have defined. | String | yes |
      | tag | Tags to enable you to identify devices. Each tag must be separated by a comma. | String | GuestAccount,SatelliteOffice |
    4. SAVE your changes.
  5. Enforce policies on the GlobalProtect app for Android on managed Chromebooks.
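
A pre-upload check for the managed configuration file described in step 4, as an added example that is not part of the original documentation or any Palo Alto Networks tooling: it validates setting names and value types against the table and warns on settings worth a security review. The function name lint_managed_config, the message wording and the SAMPLE input are constructed for illustration.

```python
import base64
import json

# Setting names and value types, copied from the table in step 4.
SCHEMA = {
    "portal": str, "username": str, "password": str,
    "client_certificate": str, "client_certificate_passphrase": str,
    "app_list": str, "connect_method": str, "mobile_id": str,
    "remove_vpn_config_via_restriction": bool, "allow_vpn_bypass": bool,
    "cert_alias": str, "managed": bool, "ownership": str,
    "compliance": str, "tag": str,
}
CONNECT_METHODS = {"user-logon", "on-demand"}
SECRETS = ("password", "client_certificate_passphrase")

# Constructed sample input with deliberate mistakes (not a real configuration).
SAMPLE = """{"portal": "acme.portal.com", "password": "password123",
 "connect_method": "always", "allow_vpn_bypass": "true",
 "client_certificate": "not base64!"}"""


def lint_managed_config(text):
    """Return (errors, warnings) for a managed configuration JSON document."""
    errors, warnings = [], []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"], warnings
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"], warnings
    for key, value in cfg.items():
        if key not in SCHEMA:
            errors.append(f"{key}: not a setting listed in the table")
        elif not isinstance(value, SCHEMA[key]):
            errors.append(f"{key}: expected {SCHEMA[key].__name__}")
    method = cfg.get("connect_method")
    if isinstance(method, str) and method not in CONNECT_METHODS:
        errors.append("connect_method: must be user-logon or on-demand")
    cert = cfg.get("client_certificate")
    if isinstance(cert, str):
        try:
            base64.b64decode(cert, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            errors.append("client_certificate: not valid Base64")
    for key in SECRETS:
        if cfg.get(key):
            warnings.append(f"{key}: secret stored in cleartext in the managed configuration")
    if cfg.get("allow_vpn_bypass") is True:
        warnings.append("allow_vpn_bypass: app traffic may bypass the tunnel")
    return errors, warnings
```

Calling lint_managed_config(SAMPLE) reports the string "true" where a Boolean is required, the unsupported connect_method, the malformed certificate value, and a warning for the cleartext password.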
