GlobalProtect 3.1.3 now extends its Windows 10 support to include Windows 10 phones. The new GlobalProtect app takes advantage of the Universal Windows Platform (UWP) technology, which provides a common platform for apps to run across all Windows devices. The new GlobalProtect app for Windows 10 UWP extends enterprise security protection by enabling enforcement of the same next-generation firewall-based policies that are enforced within the physical perimeter.
The app is ideal for Windows 10 mobile devices but can also be used on laptops or desktops running Windows 10. For a fuller feature set, we recommend using the standard GlobalProtect app.
GlobalProtect App for Windows 10 UWP Feature Support
The following table lists the features that are supported by the GlobalProtect app for Windows 10 UWP versus the features that are supported by the standard GlobalProtect app for Windows in version 3.1.3. For additional feature support, see What Features Does GlobalProtect Support?. A indicates the feature is supported; A – indicates the feature is not supported.
Choose the GlobalProtect app that is right for your feature requirements and devices.
Feature Windows UWP Windows
Devices
Windows 10 phones
Windows 10 tablets
Windows 10 laptops and desktops
Split Tunneling
App-level VPN
Device-level VPN
Connect Methods
User-logon (always on) (Always On configured from third-party endpoint management system)
Pre-logon (always-on)
Pre-logon (then on-demand)
On-demand
Modes
Internal mode
External mode
Single Sign-On (SSO)
SSO (Credential Provider)
Kerberos SSO
Customization
Enforce GlobalProtect for network access (VPN Lockdown configured from third-party endpoint management system)
Native Windows 10 user interface
Deployment of SSL forward proxy CA certificates in the trust store
HIP reports (Host information only; Notifications not supported)
Script actions that run before and after sessions
Certificate selection by OID
Allow users to disable GlobalProtect
Welcome and help pages
Endpoint management system (EDM/MDM) support
Prerequisites for GlobalProtect App for Windows 10 UWP
The GlobalProtect app 3.1.3 is available for devices running Windows 10 UWP or later releases. GlobalProtect portals and gateways support the GlobalProtect app for Windows 10 UWP in PAN-OS 6.1 and later releases with content update 612-3527 and later releases. The GlobalProtect app for Windows 10 UWP requires a gateway subscription for each gateway that supports Windows 10 UWP devices.
Configure the GlobalProtect App for Windows 10 UWP
Configure Gateways to Support the GlobalProtect App for Windows 10 UWP
Configuring a gateway that supports the GlobalProtect app for Windows 10 UWP is similar to configuring a gateway that supports mobile devices: Each gateway that supports Windows 10 UWP endpoints requires a gateway subscription. In addition, you can optionally configure specific authentication or client settings that only apply to Windows 10 UWP endpoints.
Complete the prerequisite tasks for setting up a GlobalProtect gateway. See Configure GlobalProtect Gateways.
Install a gateway subscription for each gateway that supports Windows 10 UWP devices. See Activate Licenses.
(Optional) Tailor a gateway configuration to Windows 10 UWP endpoints. When you configure a gateway, you can specify client authentication settings that apply specifically to Windows 10 UWP. For example, you could configure Windows and Mac endpoints to use two-factor authentication and Windows 10 UWP endpoints to use certificate-based authentication. You can also configure client settings (such as specific IP pools, access routes, cookie authentication, or split tunneling) for Windows 10 UWP endpoints.
  Select Network > GlobalProtect > Gateways, and then select or Add a gateway configuration.
  Add a Client Authentication configuration for Windows 10 UWP endpoints:
    Select Authentication and Add a new Client Authentication configuration.
    Enter a Name to identify the Client Authentication configuration, set OS to WindowsUWP, specify the Authentication Profile to use for authenticating users on this gateway, and optionally enter an authentication message to provide users with instructions or additional information.
    Kerberos and single sign-on are not supported with the GlobalProtect app for Windows 10 UWP.
    Click OK.
  To configure specific client settings that apply to only Windows 10 UWP endpoints, configure a new Client Settings configuration:
    Select Agent and Add a new Client Settings configuration.
    Configure the Client Authentication settings as desired.
    Select User/User Group, Add an OS, and select WindowsUWP.
    Click OK.
  Click OK.
Save your changes. Commit the configuration.
Configure the Portal to Support the GlobalProtect App for Windows 10 UWP
To support the GlobalProtect app for Windows 10 UWP, you must configure one or more external (auto-discovery) gateways to which the app can connect and then configure the portal and app settings. The portal sends configuration information and information about the available gateways to the app.
After receiving the configuration from the GlobalProtect portal, the app auto-discovers the gateways listed in the client configuration and selects the best gateway.
The following workflow shows how to configure the GlobalProtect portal to support the GlobalProtect app for Windows 10 UWP.
If you have not already done so, complete the prerequisite tasks for setting up a GlobalProtect portal. See Configure the GlobalProtect Portal.
(Optional) Define client settings for Windows 10 UWP users to authenticate to the portal.
  Select Network > GlobalProtect > Portals, and then select a portal configuration.
  Configure Client Authentication settings that apply to Windows 10 UWP endpoints when users access the portal:
    Select Authentication and then Add a new Client Authentication configuration.
    Enter a Name to identify the Client Authentication configuration, set OS to WindowsUWP, specify the Authentication Profile to use for authenticating users on this portal, and optionally enter an authentication message to provide users with instructions or additional information.
    Kerberos and single sign-on are not supported with the GlobalProtect app for Windows 10 UWP.
Customize an agent configuration for Windows 10 UWP endpoints. Whether you modify an existing configuration or create a new one depends on your environment. For example, if you use OS-specific gateways or want to collect host information that is specific to Windows 10 UWP endpoints, consider creating a new agent configuration. If you use an existing configuration that contains settings that are not supported, the GlobalProtect app for Windows 10 UWP automatically discards these settings (see GlobalProtect App for Windows 10 UWP Feature Support). For example, if you select the Always On Connect Method, the app defaults to the On Demand Connect Method.
  Define a GlobalProtect Agent Configuration:
    Select Agent and select an existing or Add a new portal agent configuration.
    Configure the Authentication settings for Windows 10 UWP endpoints, including whether to use client certificates, save user credentials, use authentication cookies, or require dynamic passwords.
    Windows 10 UWP endpoints support two-factor authentication using dynamic passwords on the portal and external gateways (auto-discovery) only. The options to save and clear credentials on Windows 10 UWP endpoints are not supported; however, if you enable the option to save credentials in the agent configuration, Windows automatically saves the user's credentials. If you do not enable GlobalProtect to save credentials, users must enter them every time they connect.
    Select User/User Group, Add an OS, and select WindowsUWP.
    Specify the external gateways to which users with this configuration can connect. Windows 10 UWP endpoints support External gateways-auto discovery only.
    (Optional) Select App and customize the portal and TCP timeout settings for the GlobalProtect app for Windows 10 UWP. Any additional settings that do not apply are discarded.
    Click OK twice.
Save your changes. Commit the configuration.
Enforce Policies on the GlobalProtect App for Windows 10 UWP
With the release of the GlobalProtect app for Windows 10 UWP, you can now create HIP objects using Host Info that is specific to Windows 10 UWP endpoints and use them as match conditions in any HIP profiles. You can then use a HIP profile as a match condition in a policy rule to enforce the corresponding security policy.
The following table defines the criteria specific to Windows 10 UWP that you can use when you create a HIP object.
HIP Object Criteria Value
General > Host Info > OS Select Contains: Microsoft: Windows UWP Desktop or Windows UWP Mobile to create a HIP object that looks for information about desktop or mobile devices running Windows UWP.
General > Host Info > Client Version Select an operator (for example, Contains) and then enter the version number of the GlobalProtect app for Windows 10 UWP. For example, enter 3.1.3 to match endpoints running the GlobalProtect app 3.1.3. Specifying the client version without specifying the OS or hostname matches all endpoints regardless of OS version.
Obtain the GlobalProtect App for Windows 10 UWP
Obtain the GlobalProtect app for Windows 10 UWP using either of the following methods:
Microsoft Store: You or your users can install the GlobalProtect app on a Windows 10 UWP endpoint by downloading the app from the Microsoft Store.
Third-party endpoint management system: Use a mobile device management system, such as AirWatch, to manage and deploy the GlobalProtect App for Windows 10 UWP from a centralized, web-based location. See Deploy the GlobalProtect App Windows 10 UWP Using AirWatch.
Set Up the GlobalProtect App for Windows 10 UWP
After you install the GlobalProtect app for Windows 10 UWP, configure the connection settings.
Launch the GlobalProtect app.
From the Windows 10 UWP device, select Start > All apps > GlobalProtect.
Configure the VPN settings for the GlobalProtect app. After you configure the settings, you can return to the NETWORK & INTERNET > VPN Settings page at any time to modify the following settings: Connection name, Portal address.
  Select the NETWORK & INTERNET VPN Settings link to jump to Windows 10 settings.
  Click Yes to confirm the switch from the GlobalProtect app to the Settings page.
  Click Add a VPN connection.
  Select GlobalProtect as the VPN provider.
  Enter a Connection name to identify the GlobalProtect VPN connection.
  Enter the server name (FQDN) or IP address of the GlobalProtect portal in the Server name or address field.
  Click Save to create the connection. Windows 10 adds the connection to the list of VPNs.
Test the connection. If the connection is successful, the network settings display the connection name with a status of Connected.
  Select the GlobalProtect connection (NETWORK & INTERNET > VPN) and click Connect.
  Enter your username and password and click Connect.
Use the GlobalProtect App for Windows 10 UWP
The GlobalProtect app for Windows 10 UWP provides on-demand connectivity to your network and enables enforcement of security policies on Windows 10 UWP endpoints. To connect to GlobalProtect you must manually initiate a connection.
If you are not connected to GlobalProtect, connect now. When the VPN is connected, the Network settings display the status of the connection as Connected.
  Click the Network icon in the notification area of the Windows 10 UWP endpoint and then select the connection name for your GlobalProtect app. The NETWORK & INTERNET > VPNs settings page opens.
  Select the connection name and select Connect.
  When prompted, enter your Username and Password for the portal and click Next.
( Optional ) Use the app to perform any of the following tasks:
Disconnect from GlobalProtect.
  Click the Network icon in the notification area of the Windows 10 UWP endpoint and then select the connection name for your GlobalProtect app. The NETWORK & INTERNET > VPNs settings page opens.
  Select the connection name and select Disconnect.
Log in with a new password. If your password for accessing your corporate network changes, you will need to disconnect from GlobalProtect to clear your credentials. When you next log in, GlobalProtect prompts you for your new credentials.
  Disconnect from GlobalProtect as described in the previous step.
  Click the Network icon in the notification area of the Windows 10 UWP endpoint.
  Select the connection name and select Connect.
  When prompted, enter your Username and new Password and click Next.
Collect any available logs and send them in an email. Select Start > All apps > GlobalProtect, and then Email Logs. The app prompts you to select your email application and then attaches the logs to an email which you can send to Support.
