Enhanced Always-On VPN for Android

Software support: GlobalProtect agent 4.0.3 and later releases and PAN-OS with content release 731 or a later release
OS support: Android 7.0 and later releases
GlobalProtect with Always-On VPN now provides increased security for Android endpoints and includes the following enhancements:
  • Automatically connect at boot time—With Always-On VPN, GlobalProtect now connects at boot time instead of waiting for the user to unlock the endpoint. On average the connection is established in under 60 seconds, so security policy is enforced from the moment the device has network access rather than from the first unlock. On older Android releases, GlobalProtect connects only after the user unlocks the device.
  • Lockdown mode—You can now configure GlobalProtect Always-On VPN to operate in either lockdown or non-lockdown mode (the default). In lockdown mode, network traffic is permitted only after GlobalProtect establishes a connection, and this block persists even if GlobalProtect is disabled. In non-lockdown mode, users can access the network while GlobalProtect is disabled or disconnected. In deployments that use work profiles to separate work apps from personal apps, lockdown mode blocks traffic to and from work apps until GlobalProtect establishes a connection; personal apps are not affected. Because the block stays in place while GlobalProtect is disabled, work apps remain offline until a working portal and gateway configuration has reached the device and the connection comes up, so validate the profile on a test device before publishing it widely. Lockdown mode is supported for external gateway configurations and is not supported with internal gateways or captive portals.
Configure Always-On VPN for Android:
  1. Before you begin, set up your GlobalProtect gateways and portal.
  2. Define the GlobalProtect agent configurations for Android endpoints:
    1. To deliver this configuration to Android endpoints only, select Android as the applicable OS in the agent configuration.
    2. Customize the behavior of the GlobalProtect agent.
    3. Set Connect Method to either of the two Always On options (user-logon or pre-logon). If you set an on-demand connect method here instead, it overrides any Always On settings you push from your third-party mobile endpoint management system.
  3. Configure an Android for Work profile from AirWatch:
    1. From AirWatch, select Devices > Profiles & Resources > Profiles > Add > Add Profile > Android.
    2. Select Android for Work to deploy your profile to a device enabled for Android for Work.
    3. Configure the general settings for your profile and assign the smart groups to which the profile applies.
    4. Configure the additional Android for Work settings such as Restrictions or Passcode.
    5. Save & Publish your changes.
  4. Copy the base configuration to use as a template for your GlobalProtect VPN configuration.
    1. Select Devices > Profiles & Resources > Profiles.
    2. Select the radio button for your Android for Work profile and then select the </> XML button at the top of the profiles table.
    3. Locate and copy the characteristic section of the configuration. Its type attribute identifies the purpose of the section, for example restrictions.
      (Screenshot: the characteristic section of an Android for Work profile in the AirWatch XML view)
    4. Close the dialog to exit the XML view.
  5. Add the GlobalProtect VPN configuration to your Android for Work profile.
    1. Select the name of your Android for Work profile.
    2. Select Custom Settings > Add Version > Configure.
    3. Paste your base configuration and remove the parameters that belonged to the copied section (for example, the restrictions settings); only the characteristic element itself is reused as the template.
    4. Add the following parameters after the opening characteristic declaration for your VPN configuration:
      <characteristic uuid="1234567-1703-45bd-9807-************" type="com.airwatch.android.androidwork.app:com.panw.globalprotect">
        <parm name="profile_name" value="Android VPN Configuration" type="string" />
        <parm name="action" value="0" type="string" />
        <parm name="url" value="192.168.1.100" type="string" />
        <parm name="route_type" value="1" type="string" />
        <parm name="authentication_type" value="2" type="string" />
        <parm name="EnableAlwaysOnVPN" value="True" type="boolean" />
        <parm name="LockDown" value="True" type="boolean" />
      </characteristic>
      where:
      • type—Type of VPN profile, in this case GlobalProtect. Keep the value exactly as shown.
      • profile_name—A descriptive name to identify the profile. For example, Android VPN Configuration.
      • url—FQDN or IP address of the GlobalProtect portal (host only, without a scheme or path). For example, myportal.mydomain.com.
      • authentication_type—Specify value="1" to use certificate authentication, value="2" to use password authentication, or value="3" to use both password and certificate authentication.
      • EnableAlwaysOnVPN—Specify True to enable Always On VPN, or False to disable Always On VPN and let the user initiate the connection manually.
      • LockDown—Specify True to enable lockdown mode with Always On VPN; network traffic is then allowed only after GlobalProtect establishes a connection. Specify False to disable lockdown mode so that GlobalProtect does not need to be connected for the endpoint to send network traffic.
    5. Save & Publish your changes.
  6. To verify that the Android device received the updated profile and that GlobalProtect connects successfully, open the VPN settings on the endpoint and check the connection status; it should show an Always-on active connection. If you enabled lockdown mode, also confirm that a work app reaches the network only while that connection is up.
    (Screenshot: Android VPN settings showing the GlobalProtect Always-on active connection)
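Because a lockdown profile blocks all work-app traffic until GlobalProtect connects, a typo in the characteristic (wrong authentication_type value, a full URL instead of a portal host, LockDown set without Always On) takes work apps offline as soon as the profile is published. The following script is an added example, not code from the GlobalProtect or AirWatch documentation; it lints the custom-settings characteristic against the parameter rules given above before you Save & Publish. The sample characteristic it carries is constructed for the example (placeholder UUID, example portal host), and the checks on url format and on the LockDown/EnableAlwaysOnVPN combination are this example's reading of the parameter descriptions, not an AirWatch or GlobalProtect API.

```python
"""Lint the AirWatch custom-settings characteristic that carries the
GlobalProtect Always-On VPN configuration for Android.

Added example; not code from the GlobalProtect or AirWatch documentation.
The checks encode the parameter descriptions from this page; the sample
characteristic is constructed and its UUID is a placeholder.
"""
import xml.etree.ElementTree as ET

# Characteristic type used for the GlobalProtect VPN profile on this page.
GP_CHARACTERISTIC_TYPE = "com.airwatch.android.androidwork.app:com.panw.globalprotect"

# Documented authentication_type values.
AUTH_TYPES = {"1": "certificate", "2": "password", "3": "password and certificate"}

# Parameters the page describes for the VPN characteristic.
REQUIRED_PARMS = ("profile_name", "url", "authentication_type", "EnableAlwaysOnVPN")

# Constructed sample mirroring the documented characteristic (placeholder UUID).
SAMPLE_XML = """<characteristic uuid="00000000-0000-4000-8000-000000000000" type="com.airwatch.android.androidwork.app:com.panw.globalprotect">
  <parm name="profile_name" value="Android VPN Configuration" type="string" />
  <parm name="action" value="0" type="string" />
  <parm name="url" value="myportal.mydomain.com" type="string" />
  <parm name="route_type" value="1" type="string" />
  <parm name="authentication_type" value="2" type="string" />
  <parm name="EnableAlwaysOnVPN" value="True" type="boolean" />
  <parm name="LockDown" value="True" type="boolean" />
</characteristic>"""


def parse_characteristic(xml_text):
    """Return (characteristic type attribute, {parm name: (value, type)})."""
    root = ET.fromstring(xml_text)
    if root.tag != "characteristic":
        raise ValueError(f"expected a <characteristic> root, got <{root.tag}>")
    parms = {}
    for parm in root.findall("parm"):
        name = parm.get("name")
        if name is None:
            raise ValueError("<parm> without a name attribute")
        if name in parms:
            raise ValueError(f"duplicate parm {name!r}")
        parms[name] = (parm.get("value", ""), parm.get("type", ""))
    return root.get("type", ""), parms


def lint_profile(xml_text):
    """Return a list of problems; an empty list means the profile is consistent."""
    problems = []
    ctype, parms = parse_characteristic(xml_text)

    if ctype != GP_CHARACTERISTIC_TYPE:
        problems.append(f"characteristic type is {ctype!r}, expected {GP_CHARACTERISTIC_TYPE!r}")

    for name in REQUIRED_PARMS:
        if name not in parms:
            problems.append(f"missing parm {name!r}")

    if "url" in parms:
        url = parms["url"][0].strip()
        if not url:
            problems.append("url is empty")
        elif "://" in url or "/" in url:
            # The page documents a portal FQDN or IP address, not a full URL.
            problems.append(f"url {url!r} should be a portal FQDN or IP address, not a URL")

    if "authentication_type" in parms:
        value = parms["authentication_type"][0]
        if value not in AUTH_TYPES:
            problems.append(f"authentication_type {value!r} is not one of {sorted(AUTH_TYPES)}")

    flags = {}
    for name in ("EnableAlwaysOnVPN", "LockDown"):
        if name not in parms:
            continue
        value, ptype = parms[name]
        if ptype != "boolean":
            problems.append(f'{name} must have type="boolean", got {ptype!r}')
        if value not in ("True", "False"):
            problems.append(f"{name} must be True or False, got {value!r}")
        flags[name] = value == "True"

    # The page describes LockDown as a mode of Always-On VPN, so flag the
    # combination of lockdown enabled with Always-On disabled or missing.
    if flags.get("LockDown") and not flags.get("EnableAlwaysOnVPN"):
        problems.append("LockDown is True but EnableAlwaysOnVPN is not True; lockdown applies only with Always-On VPN")

    return problems


def describe(xml_text):
    """One-line summary of the settings that matter when reviewing a profile change."""
    _, parms = parse_characteristic(xml_text)
    auth = AUTH_TYPES.get(parms.get("authentication_type", ("", ""))[0], "unknown")
    always_on = parms.get("EnableAlwaysOnVPN", ("False", ""))[0] == "True"
    lockdown = parms.get("LockDown", ("False", ""))[0] == "True"
    return (f"portal={parms.get('url', ('', ''))[0]} auth={auth} "
            f"always_on={always_on} lockdown={lockdown}")


if __name__ == "__main__":
    print(describe(SAMPLE_XML))
    for problem in lint_profile(SAMPLE_XML) or ["no problems found"]:
        print(" -", problem)
```

Paste the characteristic you are about to publish in place of SAMPLE_XML (or read it from a file) and run the script; publish only when lint_profile returns no problems and the describe line shows the portal, authentication method and lockdown setting you intended for that smart group.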
