Global Secure Access client for Android

The Global Secure Access client can be deployed to compliant Android devices using Microsoft Intune and Microsoft Defender for Endpoint on Android. The Android client is built into the Defender for Endpoint Android app, which streamlines how your end users connect to Global Secure Access. The Global Secure Access Android client makes it easier for your end users to connect to the resources they need without having to manually configure VPN settings on their devices.

This article explains the prerequisites and how to deploy the client onto Android devices.

Prerequisites

  • The product requires licensing. For details, see the licensing section of What is Global Secure Access. If needed, you can purchase licenses or get trial licenses.
  • You must enable at least one Global Secure Access traffic forwarding profile.
  • Device installation permissions on the device are required for installation.
  • Android devices must be running Android 10.0 or later.
  • Android devices must be Microsoft Entra registered devices.
    • Devices not managed by your organization must have the Microsoft Authenticator app must be installed.
    • Devices not managed through Intune must have the Company Portal app installed.
    • Device enrollment is required for Intune device compliance policies to be enforced.

Known limitations

  • Mobile devices running Android (Go edition) aren't currently supported.
  • Microsoft Defender for Endpoint on Android on shared devices isn't currently supported.
  • Tunneling IPv6 traffic isn't currently supported.
  • Private Domain Name System (DNS) must be disabled on the device. This setting is often found in the System > Network and Internet options.
  • Running non-Microsoft endpoint protection products alongside Microsoft Defender for Endpoint might cause performance problems and unpredictable system errors.
  • Global Secure Access (GSA) coexistence with Microsoft Tunnel is not currently supported. For more information, see Prerequisites for the Microsoft Tunnel in Intune.

Supported scenarios

Global Secure Access client for Android supports deployment for the legacy Device Administrator and Android Enterprise scenarios. The following Android Enterprise scenarios are supported:

  • Corporate-owned, fully managed user devices.
  • Corporate-owned devices with a work profile.
  • Personal devices with a work profile.

Non-Microsoft mobile device management

Non-Microsoft mobile device management (MDM) scenarios are also supported. In these scenarios, known as Global Secure Access only mode, you only need to enable a traffic forwarding profile and configure the app according to the vendor documentation.

Deploy Microsoft Defender for Endpoint Android

There are several combinations of deployment modes and scenarios for using the Global Secure Access client for Android.

Once you enable a traffic forwarding profile and configure your network, the Global Secure Access Android client appears in the Defender app automatically; however, the Global Secure Access client is disabled by default. Users can enable the client from the Defender app. The steps to enable the client are provided in the Confirm Global Secure Access appears in Defender app section.

This legacy enrollment mode allows you to deploy Defender for Endpoint on Android with Microsoft Intune Company Portal - Device Administrator enrolled devices.

The high level process is as follows:

  1. Deploy Defender to Intune enrolled Android devices.

  2. Enable at least one traffic forwarding profile if Defender is already deployed.

  3. Confirm Global Secure Access appears in the Defender app.

The detailed process for deploying Defender is as follows:

  1. Sign in to the Microsoft Intune admin center as an Intune Administrator.

  2. Browse to Apps > Android > Add > Android store app > Select.

    Screenshot of the add Android app store options.

  3. Provide a Name, Description, and Publisher.

  4. Enter the URL in the Appstore URL field.

    • https://play.google.com/store/apps/details?id=com.microsoft.scmx
  5. Leave all other fields as their default values and select Next.

    Screenshot of the completed fields.

  6. In the Required section, select Add group, then select the groups to assign the app to and select Next.

    • The selected group should consist of your Intune enrolled users.
    • You can edit or add more groups later.

    Screenshot of the add groups steps.

  7. On the Review + create tab, confirm the information is correct and select Create.

  8. On the new app details page, select Device install status and confirm the app is installed.

Users need to enable the client in the Defender app. It's disabled by default. Proceed to the next section to confirm the app is installed and for how to enable the client.

Confirm Global Secure Access appears in Defender app

Because the Android client is integrated with Defender for Endpoint, it's helpful to understand the end user experience. The client appears in the Defender dashboard after onboarding to Global Secure Access. Onboarding happens by enabling a traffic forwarding profile.

Screenshot of the Defender app with the Global Secure Access tile on the dashboard.

The client is disabled by default when it's deployed to user devices. Users need to enable the client from the Defender app. To enable the client, tap the toggle.

Screenshot of the disabled Global Secure Access client.

To view the details of the client, tap on the tile on the dashboard. When enabled and working properly, the client displays an "Enabled" message. The date and time for when the client connected to Global Secure Access also appears.

Screenshot of the enabled Global Secure Access client.

If the client is unable to connect, a toggle appears to disable the service. Users can come back later to try enabling the client.

Screenshot of the Global Secure Access client that is unable to connect.

Troubleshooting

The Global Secure Access tile doesn't appear after onboarding the tenant to the service. Restart the Defender app.

When attempting to access a Private Access application, the connection might time out after a successful interactive sign-in. Reloading the application through a web browser refresh should resolve the issue.