
Install the Global Secure Access client for Android

This article describes how to deploy the Global Secure Access client to Android devices by using Microsoft Intune and Microsoft Defender for Endpoint on Android. The Android client is built into the Defender for Endpoint Android app, which streamlines how users connect to Global Secure Access. The Global Secure Access Android client makes it easier for your users to connect to the resources that they need without having to manually configure VPN settings on their devices.

Prerequisites

  • Global Secure Access requires licensing. For details, see the licensing section of What is Global Secure Access?. If necessary, purchase licenses or get trial licenses.

  • Enable at least one Global Secure Access traffic forwarding profile.

  • You need device installation permissions to install the client.

  • Android devices need to run Android 11.0 or later.

  • Android devices need to be Microsoft Entra registered devices:

    • Devices that your organization doesn't manage need to have the Microsoft Authenticator app installed.
    • Devices not managed through Intune need to have the Company Portal app installed.
    • Device enrollment is required to enforce Intune device compliance policies.
  • To enable a Kerberos single sign-on (SSO) experience, install and configure a non-Microsoft SSO client.

Known limitations

For detailed information about known issues and limitations, see Known limitations for Global Secure Access.

Supported scenarios

The Global Secure Access client for Android supports deployment in these Android Enterprise scenarios:

  • Corporate-owned, fully managed user devices
  • Corporate-owned devices with a work profile
  • Personal devices with a work profile

Non-Microsoft mobile device management

The Global Secure Access client also supports non-Microsoft mobile device management (MDM) scenarios. These scenarios, known as Global Secure Access only mode, require enabling a traffic forwarding profile and configuring the app based on the vendor documentation.

When you're configuring through a non-Microsoft MDM solution, use the following key/value pairs in the managed app configuration:

Configuration key                  Value  Details
Global Secure Access               1-3    Required. Controls whether Global Secure Access is enabled in the Defender app. A value of 0 or no value leaves the client disabled. For detailed value descriptions, see the table later in this article.
GlobalSecureAccessPrivateChannel   0-3    Optional. Controls the Private Access channel. For detailed value descriptions, see the table later in this article.

Deploy Microsoft Defender for Endpoint on Android

To deploy Microsoft Defender for Endpoint on Android, create an MDM profile and configure Global Secure Access:

  1. In the Microsoft Intune admin center, go to Apps > Android > Manage Apps > Configuration.

  2. Select + Create, and then select Managed devices. The Create app configuration policy form opens.

  3. On the Basics tab:

    1. Enter a Name value.
    2. Set Platform to Android Enterprise.
    3. Set Profile Type to Fully Managed, Dedicated, and Corporate-Owned Work Profile Only.
    4. Set Targeted app to Microsoft Defender.

    Screenshot of the Basics tab in the pane for creating an app configuration policy.

  4. Select Next.

  5. On the Settings tab:

    1. Set Configuration settings format to Use configuration designer.
    2. Select the + Add button.
    3. In the search box, type global and select the Global Secure Access configuration keys listed in the following table.
    4. Set the appropriate values for each configuration key according to the following table.

    Note

    The Android configuration keys differ from the iOS client keys. On Android, use Global Secure Access and GlobalSecureAccessPrivateChannel as shown here. Don't use the iOS key names (EnableGSA, EnableGSAPrivateChannel).

    The GlobalSecureAccessPA configuration key is no longer supported.

    Configuration key: Global Secure Access
      Value     Details
      No value  Global Secure Access isn't enabled and the tile isn't visible.
      0         Global Secure Access isn't enabled and the tile isn't visible.
      1         The tile is visible and defaults to false (disabled state). The user can enable or disable Global Secure Access by using the toggle in the app.
      2         The tile is visible and defaults to true (enabled state). The user can enable or disable Global Secure Access by using the toggle in the app.
      3         The tile is visible and defaults to true (enabled state). The user can't disable Global Secure Access.

    Configuration key: GlobalSecureAccessPrivateChannel
      Value     Details
      No value  Private Access defaults to the value 2 behavior.
      0         Private Access isn't enabled and the toggle option isn't visible to the user.
      1         The Private Access toggle is visible and defaults to the disabled state. The user can enable or disable Private Access.
      2         The Private Access toggle is visible and defaults to the enabled state. The user can enable or disable Private Access.
      3         The Private Access toggle is visible but unavailable, and it defaults to the enabled state. The user can't disable Private Access.

    Screenshot of the Settings tab in the pane for creating an app configuration policy.

  6. Select Next.

  7. On the Scope tags tab, configure scope tags as needed and then select Next.

  8. On the Assignments tab, select + Add groups to assign the configuration policy and enable Global Secure Access.

    Screenshot of the Assignments tab in the pane for creating an app configuration policy.

    Tip

    To enable the policy for all but a few specific users, select Add all devices in the Included groups section. Then, add the users or groups to exclude in the Excluded groups section.

  9. Select Next.

  10. Review the configuration summary, and then select Create.
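The two configuration keys above are the same ones a non-Microsoft MDM pushes through managed app configuration, and the only thing that distinguishes a policy users can switch off (values 1 and 2) from an enforced one (value 3) is an integer. The following script is an added example, not code from this article or from Microsoft: it builds the managed configuration for the two Android keys, rejects values outside 0-3 (so a mistyped 13 doesn't slip through), and audits a policy's payload to flag the cases where the user can disable the client or Private Access. It assumes Intune stores the configuration in payloadJson as a base64-encoded androidenterprise#managedConfiguration object with a managedProperty list, that both keys are integer-typed, and that the Defender for Endpoint Android product ID is app:com.microsoft.scmx; check all three against the configuration designer in the Intune admin center before using it against Graph.

```python
import base64
import json

# Android managed app configuration keys from this article (not the iOS names).
GSA_KEY = "Global Secure Access"
PA_KEY = "GlobalSecureAccessPrivateChannel"

# Assumption: the product ID Intune uses for Microsoft Defender on Android.
DEFENDER_PRODUCT_ID = "app:com.microsoft.scmx"


def _check_value(key, value):
    """Both keys accept only 0-3; anything else is a policy authoring error."""
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 3:
        raise ValueError(f"{key}: expected an integer in 0-3, got {value!r}")


def build_managed_configuration(gsa_value, pa_value=None):
    """Managed configuration for the Defender app carrying the two GSA keys.

    Assumption: this is the object shape Intune base64-encodes into payloadJson.
    Omitting pa_value leaves the Private Access key unset (value 2 behavior).
    """
    _check_value(GSA_KEY, gsa_value)
    props = [{"key": GSA_KEY, "valueInteger": gsa_value}]
    if pa_value is not None:
        _check_value(PA_KEY, pa_value)
        props.append({"key": PA_KEY, "valueInteger": pa_value})
    return {
        "kind": "androidenterprise#managedConfiguration",
        "productId": DEFENDER_PRODUCT_ID,
        "managedProperty": props,
    }


def encode_payload_json(config):
    """Base64 the configuration the way payloadJson carries it."""
    raw = json.dumps(config, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_payload_json(payload):
    """Inverse of encode_payload_json, for auditing an existing policy."""
    return json.loads(base64.b64decode(payload))


def effective_settings(config):
    """Translate the key values into what the user sees, per the article's tables.

    A missing Global Secure Access key behaves like 0 (client off, tile hidden);
    a missing GlobalSecureAccessPrivateChannel key behaves like 2.
    """
    values = {}
    for prop in config.get("managedProperty", []):
        raw = prop.get("valueInteger", prop.get("valueString"))
        if raw is not None:
            values[prop["key"]] = int(raw)
    gsa = values.get(GSA_KEY, 0)
    pa = values.get(PA_KEY, 2)
    _check_value(GSA_KEY, gsa)
    _check_value(PA_KEY, pa)
    return {
        "gsa_tile_visible": gsa != 0,
        "gsa_enabled_by_default": gsa >= 2,
        "gsa_user_can_disable": gsa in (1, 2),
        "pa_toggle_visible": pa != 0,
        "pa_enabled_by_default": pa >= 2,
        "pa_user_can_disable": pa in (1, 2),
    }


def audit_payload_json(payload):
    """Findings for one policy payload. An empty list means the client is
    forced on and Private Access can't be switched off by the user."""
    s = effective_settings(decode_payload_json(payload))
    findings = []
    if not s["gsa_tile_visible"]:
        findings.append("Global Secure Access is not enabled (key missing or 0)")
    elif s["gsa_user_can_disable"]:
        findings.append("users can switch Global Secure Access off (value 1 or 2); use 3 to enforce")
    if s["gsa_tile_visible"] and s["pa_toggle_visible"] and s["pa_user_can_disable"]:
        findings.append("users can switch Private Access off (value 1 or 2, or key absent); use 3 to enforce")
    return findings


if __name__ == "__main__":
    # Constructed sample: an enforced policy and a user-overridable one.
    enforced = encode_payload_json(build_managed_configuration(3, 3))
    overridable = encode_payload_json(build_managed_configuration(2))
    print("enforced:", audit_payload_json(enforced) or "no findings")
    print("overridable:", audit_payload_json(overridable))
```

Run the audit over the payloadJson of every Defender app configuration policy in the tenant, not just the one you created: a second policy assigned to an overlapping group with value 1 or 2 is what lets a user turn the client off.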

Confirm Global Secure Access appears in the Defender app

Because the Android client is integrated with Defender for Endpoint, it's helpful to understand the user experience. The client appears in the Defender dashboard after you onboard to Global Secure Access. Onboarding happens by enabling a traffic forwarding profile.

Screenshot of the Global Secure Access tile on the dashboard of the Defender app.

Unless the app configuration policy sets the Global Secure Access key to 2 or 3, the client is disabled by default when it's deployed to user devices. Users then need to enable the client from the Defender app by tapping the toggle.

Screenshot of the Global Secure Access client in a disabled state.

To view client details, tap the tile on the dashboard. When the client is enabled and working properly, the dashboard displays an "Enabled" message. It also shows the date and time when the client connected to Global Secure Access.

Screenshot of the Global Secure Access client in an enabled state.

If the client can't connect, a toggle appears to disable the service. Users can return later to enable the client.

Screenshot of a Global Secure Access client that's unable to connect.

Troubleshooting

If the Global Secure Access tile doesn't appear after you onboard the tenant to the service, restart the Defender app.

When you try to access a Private Access application, the connection might time out after a successful interactive sign-in. Reload the application by refreshing the web browser.