topic Re: GlobalProtect App for Android on Managed Chromebooks Using the Google A in GlobalProtect Discussions

GlobalProtect App for Android on Managed Chromebooks Using the Google Admin

lrangra — Sat, 18 Jul 2020 07:20:58 GMT

Hi we want to deploy Global-protect app for Android on managed Chromebooks using Google admin console.

Requirement: every device needs to be uniquely identified and then allowed. Kind of a device whitelisting for example Host id for windows.

Problem 1: when the GP app running in Android container on a Chromebook managed by google admin console, my firewall sees a new serial I'd everytime it connects to firewall in Hip match logs even the host id is different. How can we make sure we use the unique mobile I'd to enforce the whitelist approach in Hip objects?

Problem 2: will this setup require a third-party MDM integration to enforce hip or can palo alto detect this without third party MDM integration. (Palo Alto only supports airwatch MDM integration)

Problem 3: as per the 3rd party MDM compatibility matrix we only support Global-protect app deployment for andorid on a managed Chromebook using Google admin console. Will we be able to identify Chromebook based on mobile I'd?

https://docs.paloaltonetworks.com/compatibility-matrix/globalprotect/what-features-do-third-party-mobile-device-management-systems-support

Problem 4: this below URL says we can enforce mobile I'd on a android running on managed Chromebook in step 5. How wever we are not able to and this contradicted above Matrix.

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/mobile-endpoint-management/set-up-a-mobile-endpoint-management-system/manage-the-globalprotect-app-using-a-third-party-mdm/deploy-the-globalprotect-mobile-app/deploy-the-globalprotect-app-for-android-on-managed-chromebooks-using-the-google-admin-console.html

Re: GlobalProtect App for Android on Managed Chromebooks Using the Google A

vathreya — Thu, 30 Jul 2020 00:42:58 GMT

Problem 1: Is there a setting (on Google Admin Console) where apps on the chromebook are getting uninstalled when chromebook shuts down? Can you confirm?

Re: GlobalProtect App for Android on Managed Chromebooks Using the Google A

lrangra — Thu, 30 Jul 2020 08:02:19 GMT

yes the app gets uninstalled on reboot. since the app is running in Kiosk mode. it runs in a sandbox environment on managed chormebook.

Re: GlobalProtect App for Android on Managed Chromebooks Using the Google A

Sec101 — Thu, 30 Jul 2020 16:17:52 GMT

commenting to review.

Re: GlobalProtect App for Android on Managed Chromebooks Using the Google A

lrangra — Thu, 24 Sep 2020 11:10:31 GMT

We opened a case with TAC and the findings were:

Answer: Since the mode of deployment is kiosk mode for chromebook after reboot, a new container version will be created everytime. thus new serial number and host id. only the options given under Hip Object> General can be used. changing the mode to App mode at Google admin console will help. mobile id can only be used when we integrate with MDM.

Problem 2: will this setup require a third-party MDM integration to enforce hip or can palo alto detect this without third party MDM integration. (Palo Alto only supports airwatch MDM integration)

if we want mdm then we have to use airwatch.

https://docs.paloaltonetworks.com/compatibility-matrix/globalprotect/what-features-do-third-party-mo...

No we will not be able to. as the documents says only thing which is support is Global-protect app deployment.

Problem 4: this below URL says we can enforce mobile I'd on a android running on managed Chromebook in step 5. However we are not able to and this contradicted above Matrix.

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/mobile-endpoint-management/s...

Mobile id is only applicable when we have a MDM. currently only airwatch is supported.