Create an App Configuration on Android Endpoints Using Microsoft Intune

1. Click AppsAndroidManage AppsConfiguration.
2. On the Configuration page, click CreateManaged Devices.

3. Enter a name and description for the policy and select the platform to Android Enterprise and profile type to Templates
4. Click Select app next to Targeted app, select Prisma Access Agent, and click OK.
5. Click Next.
6. In Configuration settings format, select Use configuration designer and add configuration key for server address.

   • Add the Server Address key and value as “com.paloaltonetworks.prismaaccessagent” to add Prisma Access Agent as VPN agent. This is the only configuration required to add Prisma Access Agent.

   Key	Value Type	Description	Example
   server address Required attribute for all configurations	String	IP address or fully qualified domain name (FQDN) of the server address.	VPN Identifier: com.paloaltonetworks.prismaaccessagent EPM address: paa.epm.pancloudev.com
   app_list Required attribute for per-app configurations	String	To configure Per-App VPN, begin the string with either allowlist or blocklist, followed by a colon, and then by a list of app Bundle IDs separated by semicolons. End the list with a semicolon. To find a Bundle ID, refer to the app’s Google Play Store URL. The Bundle ID is embedded in the URL. For example, in the URL: https://play.google.com/store/apps/details?id=com.example.app&hl=en_US The Bundle ID is: com.example.app To decide if you need an Allowlist or Blocklist: Allowlist: Only the listed applications will be tunneled through the Prisma Access Agent; all other traffic will go directly. Blocklist: All traffic will be tunneled through the Prisma Access Agent, except for the listed applications.	allowlist | blocklist: com.google.calendar; com.android.email; com.android.chrome Default value: none.
   connect_method	String	Choose user-logon for always-on connect method. This automatically connects Prisma Access Agent with your credentials. On Android devices, Prisma Access Agent does not automatically connect when you open applications configured with an allowlist or blockist. Hence, we recommend setting the always on connect method for per-app configurations. Choose on-demand to ensure that users manually connect Prisma Access Agent through the application.	user-logon | on-demand Default value: blank, in which case the connect method specified on the portal configuration is used.
   managed	Boolean	Indicates whether the device is managed by an MDM. (Applicable only for Always-On connect method. On intune MDM, set On-demand VPN and connect VPN set to all domains.)	true | false Default value: false
   compliance	String	Tag to identify devices in security policies. You can specify any value for this parameter, it will appear in the HIP report and can be used to create security policies with.	yes | no
   tag	String	Tag to identify devices in security policies. You can specify any value for this parameter, it will appear in the HIP report and can be used to create security policies with.	HR_Department
   ownership	String	Tag to identify devices in security policies. You can specify any value for this parameter, it will appear in the HIP report and can be used to create security policies with.	corp-owned

7. Click Next.
8. Assign the policy to the appropriate users or groups. To deploy the policy broadly to all applicable devices, select Add all users or Add all devices.
9. Click Next.
10. Review your settings and click Create.