GlobalProtect App for Android on Managed Chromebooks Using the Google Admin

L1 Bithead

Hi, we want to deploy the GlobalProtect app for Android on managed Chromebooks using the Google Admin console.

Requirement: every device needs to be uniquely identified and then allowed. Kind of a device whitelisting, for example host ID for Windows.

Problem 1: When the GP app is running in the Android container on a Chromebook managed by the Google Admin console, my firewall sees a new serial ID every time it connects to the firewall in the HIP match logs; even the host ID is different. How can we make sure we use the unique mobile ID to enforce the whitelist approach in HIP objects?

Problem 2: Will this setup require a third-party MDM integration to enforce HIP, or can Palo Alto detect this without third-party MDM integration? (Palo Alto only supports AirWatch MDM integration.)

Problem 3: As per the third-party MDM compatibility matrix, we only support GlobalProtect app deployment for Android on a managed Chromebook using the Google Admin console. Will we be able to identify a Chromebook based on mobile ID?

https://docs.paloaltonetworks.com/compatibility-matrix/globalprotect/what-features-do-third-party-mo...

Problem 4: The URL below says we can enforce mobile ID on an Android running on a managed Chromebook in step 5. However, we are not able to, and this contradicted the above matrix.

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/mobile-endpoint-management/s...


Accepted Solutions
L1 Bithead

We opened a case with TAC and the findings were:

Problem 1: When the GP app is running in the Android container on a Chromebook managed by the Google Admin console, my firewall sees a new serial ID every time it connects to the firewall in the HIP match logs; even the host ID is different. How can we make sure we use the unique mobile ID to enforce the whitelist approach in HIP objects?

Answer: Since the mode of deployment is kiosk mode for Chromebook after reboot, a new container version will be created every time, thus a new serial number and host ID. Only the options given under HIP Object > General can be used. Changing the mode to App mode in the Google Admin console will help. Mobile ID can only be used when we integrate with MDM.

Problem 2: Will this setup require a third-party MDM integration to enforce HIP, or can Palo Alto detect this without third-party MDM integration? (Palo Alto only supports AirWatch MDM integration.)

If we want MDM then we have to use AirWatch.

Problem 3: As per the third-party MDM compatibility matrix, we only support GlobalProtect app deployment for Android on a managed Chromebook using the Google Admin console. Will we be able to identify a Chromebook based on mobile ID?

https://docs.paloaltonetworks.com/compatibility-matrix/globalprotect/what-features-do-third-party-mo...

No, we will not be able to, as the document says the only thing which is supported is GlobalProtect app deployment.

Problem 4: The URL below says we can enforce mobile ID on an Android running on a managed Chromebook in step 5. However, we are not able to, and this contradicted the above matrix.

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/mobile-endpoint-management/s...

Mobile ID is only applicable when we have an MDM. Currently only AirWatch is supported.
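
As an added example (not part of the original post, and not Palo Alto tooling): one way to confirm the behaviour TAC describes, and to check whether switching from kiosk mode to App mode stabilised the identifiers, is to count distinct host ID / serial pairs per endpoint in exported HIP match records. The CSV column names and sample rows are constructed for illustration and are not the PAN-OS export schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; column names are assumptions, not the PAN-OS export schema.
SAMPLE = """\
time,user,machine,os,host_id,serial
2020-05-01T08:00:00,alice,cb-lab-01,Android,a1f3,SN-0001
2020-05-02T08:01:00,alice,cb-lab-01,Android,9c2e,SN-0417
2020-05-03T07:58:00,alice,cb-lab-01,Android,47b0,SN-0933
2020-05-01T09:00:00,bob,win-fin-07,Windows,5d10,SN-W777
2020-05-02T09:02:00,bob,win-fin-07,Windows,5d10,SN-W777
2020-05-03T09:05:00,bob,win-fin-07,Windows,5d10,SN-W777
"""

def load(text):
    """Parse exported records into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def identifier_churn(rows):
    """Map (user, machine) -> (connections seen, distinct host_id/serial pairs)."""
    seen = defaultdict(lambda: [0, set()])
    for r in rows:
        entry = seen[(r["user"], r["machine"])]
        entry[0] += 1
        entry[1].add((r["host_id"], r["serial"]))
    return {key: (count, len(ids)) for key, (count, ids) in seen.items()}

def unstable_endpoints(rows, min_connections=2):
    """Endpoints whose identifiers changed across connections.

    A host-ID or serial allow-list cannot match these endpoints reliably,
    which is the kiosk-mode symptom described in the thread.
    """
    return sorted(
        key for key, (count, distinct) in identifier_churn(rows).items()
        if count >= min_connections and distinct > 1
    )

if __name__ == "__main__":
    rows = load(SAMPLE)
    for (user, machine), (count, distinct) in sorted(identifier_churn(rows).items()):
        state = "UNSTABLE" if distinct > 1 else "stable"
        print(f"{user}@{machine}: {count} connections, "
              f"{distinct} identifier pairs -> {state}")
```
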

 



All Replies
L3 Networker

Problem 1: Is there a setting (in the Google Admin console) where apps on the Chromebook are getting uninstalled when the Chromebook shuts down? Can you confirm?

L1 Bithead

Yes, the app gets uninstalled on reboot, since the app is running in kiosk mode. It runs in a sandbox environment on the managed Chromebook.

L4 Transporter

commenting to review.  
