

Yes, Intune per-app VPN with GlobalProtect is supported. In this guide you’ll get a practical, step-by-step plan to configure per-app VPN with GlobalProtect using Microsoft Intune, plus best practices, troubleshooting tips, and real-world considerations for enterprise deployments. Below you’ll find a clear path from planning to testing, with platform-specific notes for iOS/iPadOS, macOS, and Windows where relevant. I’ll share concrete configurations, common gotchas, and plenty of actionable tips you can apply in your environment today.
Useful resources and quick links you’ll likely need
– Microsoft Intune documentation – https://learn.microsoft.com/en-us/mem/intune/
– Intune per-app VPN overview – https://learn.microsoft.com/en-us/mem/intune/protect/virtual-private-network
– Palo Alto Networks GlobalProtect product page – https://www.paloaltonetworks.com/products/globalprotect
– GlobalProtect VPN administration guide – https://docs.paloaltonetworks.com/globalprotect
– Apple Developer documentation on Network Extensions per-app VPN on iOS/macOS – https://developer.apple.com/documentation/networkextension
– Microsoft Learn networking and VPN guidance – https://learn.microsoft.com/en-us/azure/active-directory/enterprise-security/identity-secure
Introduction: what you’ll learn in this guide
– What per-app VPN is, and why you’d use it with GlobalProtect in Intune
– The prerequisites, planned architecture, and policy design
– A practical, step-by-step walkthrough for iOS, iPadOS, macOS, and Windows where applicable
– How to configure the GlobalProtect client, Intune VPN profiles, and app rules
– Real-world testing steps and common pitfalls to avoid
– Security considerations, posture, and governance guidance
– A robust FAQ with practical troubleshooting tips and best practices
What is Intune per-app VPN and GlobalProtect?
Per-app VPN in Intune is a capability that lets you tunnel specific apps through a VPN rather than forcing the entire device to route all traffic. When the app launches, the VPN connection is started automatically, and only the chosen apps’ traffic traverses the VPN tunnel. GlobalProtect is Palo Alto Networks’ enterprise-grade VPN client that provides secure remote access to corporate resources. Combining Intune per-app VPN with GlobalProtect gives administrators fine-grained control: you can ensure sensitive apps like intranet browsers, internal CRM, or repo clients always go through a verified secure path while reducing the attack surface from other, non-critical apps.
From a user’s perspective, this means a smoother login experience, fewer VPN prompts, and more predictable security behavior. From an admin’s view, it means you can enforce per-app access to internal resources without blanket VPN requirements for every app on the device.
Why combine Intune per-app VPN with GlobalProtect?
– Precise access control: Only approved apps use VPN tunnels, reducing exposure and overhead.
– Better user experience: Apps connect on demand, not all traffic, which can improve device performance and battery life on mobile endpoints.
– Centralized policy management: Intune handles deployment, app assignments, and policy enforcement across devices and platforms.
– Strong vendor support: GlobalProtect provides robust security features (IKEv2/IPsec, certificate-based or SAML-based auth, split tunneling options) and integrates with Intune’s modern management framework.
– Compliance and posture: You can tie VPN usage to device compliance, ensuring that only compliant devices can access sensitive workloads via the VPN.
Prerequisites and planning
Before you start, map out dependencies and policies. Here’s a practical checklist:
– Supported platforms: Intune per-app VPN is most commonly used on iOS/iPadOS and macOS. Windows support exists, but workflows differ, often leaning on Windows VPN profiles or Always On VPN rather than a strict per-app VPN, depending on the combination of Intune and Microsoft Defender for Endpoint. Confirm your target OS versions align with the latest Intune and GlobalProtect capabilities.
– GlobalProtect readiness: You should have an active GlobalProtect gateway and portal configured, with the appropriate published VPN settings (portal URL, gateway addresses, and the required authentication method, such as certificate-based or SAML).
– App inventory: Identify which apps you want to tunnel. Not all apps need VPN. Build a list of mission-critical apps that must be private or reach internal resources.
– App packaging and deployment: Ensure the GlobalProtect client software is available for deployment via Intune (iOS/macOS app package, Windows MSI/EXE, etc.). You’ll deploy the client package and the per-app VPN policy together.
– Certificates and authentication: If you’re using certificate-based authentication, prepare the PKI materials and any required client certs. If you use SAML or other identity providers, verify the integration flow and fallback mechanisms.
– Network access controls: Define which internal resources are accessible via VPN and set up appropriate ACLs and split-tunneling rules if you’re not tunneling all traffic.
– Identity and conditional access: Plan how VPN access interacts with device compliance and Azure AD conditional access policies. Ensure you have a rollback path if a VPN policy blocks essential access.
Step-by-step: configuring per-app VPN with GlobalProtect in Intune
Note: The exact UI labels can vary slightly between Intune updates and platforms (iOS/macOS vs. Windows). The core flow remains consistent: prepare the VPN app, create a per-app VPN profile, assign apps, and validate.
# 1 Prepare the GlobalProtect configuration on the portal
– Ensure your GlobalProtect portal URL is accessible from the Internet and resolvable by endpoints you’ll enroll.
– Define a gateway list that devices will connect to, including any required fallback gateways.
– Decide on the authentication mechanism (certificate-based, username/password, or SAML). If you’re using certificates, issue and distribute client certificates to users prior to VPN onboarding.
– If you’re supporting split tunneling, document which subnets should bypass the VPN and which must route through it.
# 2 Prepare the GlobalProtect client in Intune
– For iOS/iPadOS: add the GlobalProtect app from the App Store. For macOS: use the App Store version of the client, or a direct installer package if your management setup supports distributing one.
– For Windows: deploy the GlobalProtect Windows client .exe/.msi via Intune as a required app.
– Ensure any required VPN settings (portal URL, device posture checks, login prompts) map correctly to the Intune profile fields.
# 3 Create an Intune per-app VPN profile for each platform
– In the Intune admin center, go to Profiles > Create profile.
– Platform: choose iOS/iPadOS for Apple devices, macOS for Mac devices, or Windows if you’re handling per-app VPN through Windows-specific mechanisms.
– Profile type: Per-app VPN (iOS/iPadOS and macOS). For Windows, you’ll typically use a standard VPN profile and app assignment rather than a true per-app VPN, depending on your setup.
– VPN type: GlobalProtect (select the GlobalProtect/VPN connector type that maps to your configuration).
– App identifier and App bundle: Enter the bundle identifier for the VPN-managed apps (e.g., com.paloaltonetworks.globalprotect for iOS/macOS), and the corresponding executable/package identifiers for Windows if applicable.
– Server address: Point to your GlobalProtect portal/gateway as configured in step 1.
– Authentication method: Match the portal’s configured method (certificate, SAML, or other).
– Connect-on-launch or always-on: Choose behavior that fits your policy. With per-app VPN, you often configure the VPN to start with the app that requires it.
– Split tunneling: If you’re using split tunneling, specify which destinations are routed through VPN vs. direct internet access.
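Split-tunnel rules are where most routing surprises come from, so it pays to reason through them before the profile reaches a device. The script below is an added example, not code from the original article or from GlobalProtect itself: it models include routes ("tunnel these subnets") and exclude routes ("send these direct") as prefix lists, classifies each destination by longest-prefix match, and flags prefixes that appear in both lists. The subnets are constructed sample values.

```python
"""Split-tunnel classification for a per-app VPN policy.

Added example: not from the original article and not GlobalProtect's own
route-evaluation code. It models include ("tunnel these") and exclude
("send these direct") access routes as prefix lists and classifies each
destination by longest-prefix match, which is how split-tunnel rules are
normally reasoned about. All subnets below are constructed sample values.
"""
import ipaddress

# Constructed sample rule set (assumption: internal RFC 1918 space is tunneled,
# one lab subnet inside it is explicitly excluded).
INCLUDE = ["10.0.0.0/8", "192.168.50.0/24"]   # must route through the VPN
EXCLUDE = ["10.10.0.0/16"]                    # bypass the VPN (more specific)


def _parse(prefixes):
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def classify(dest, include=INCLUDE, exclude=EXCLUDE):
    """Return (action, matched_prefix) for one destination address.

    action is "vpn" or "direct". The most specific matching prefix wins;
    on an exact tie an include route wins over an exclude route. With no
    match, a non-empty include list means "direct by default" (only listed
    subnets tunnel); an empty include list means full tunnel except excludes.
    """
    addr = ipaddress.ip_address(dest)
    best = None  # (prefixlen, action, prefix_text)
    for action, nets in (("vpn", _parse(include)), ("direct", _parse(exclude))):
        for net in nets:
            if net.version == addr.version and addr in net:
                cand = (net.prefixlen, action, str(net))
                if best is None or cand[0] > best[0]:
                    best = cand
    if best is not None:
        return best[1], best[2]
    return ("direct" if include else "vpn"), None


def find_conflicts(include=INCLUDE, exclude=EXCLUDE):
    """Prefixes listed in both include and exclude: an ambiguous policy
    that should be cleaned up before rollout."""
    inc = {str(n) for n in _parse(include)}
    exc = {str(n) for n in _parse(exclude)}
    return sorted(inc & exc)


def audit(destinations, include=INCLUDE, exclude=EXCLUDE):
    """Map each destination to its routing decision for a pre-rollout review."""
    return {d: classify(d, include, exclude) for d in destinations}


if __name__ == "__main__":
    sample = ["10.20.1.5", "10.10.4.4", "192.168.50.7", "8.8.8.8"]
    for dest, (action, prefix) in audit(sample).items():
        print(f"{dest:>15} -> {action:6} via {prefix}")
    print("conflicts:", find_conflicts())
```

Run `audit()` against the internal hostnames' addresses from your app inventory before assigning the profile; anything that comes back as "direct" but should reach an internal resource is a rule gap, and anything `find_conflicts()` reports should be resolved rather than left to tie-breaking.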
# 4 Configure the per-app VPN assignment rules
– Define the policy to apply to specific user groups (e.g., all users in the “Finance” or “IT” groups) or device groups that require access to internal apps.
– Add the apps that should trigger the VPN when launched. For iOS/macOS, this means listing the managed apps that will route through GlobalProtect. For Windows, you’ll map the VPN use to particular line-of-business apps if supported.
– Ensure that the apps’ identifiers exactly match the app IDs in the per-app VPN policy. A small mismatch means the VPN won’t trigger as expected.
# 5 Assign and deploy
– Assign the per-app VPN profile to the appropriate user or device groups.
– Deploy the GlobalProtect client to the same groups. Ensure the app deployment is completed before or at the same time as the VPN policy to avoid user disruption.
– Communicate to end users which apps will automatically trigger the VPN and under what conditions.
# 6 Test and verify
– Enroll a test device in Intune and install the required apps and VPN profiles.
– Launch a test app that should trigger the VPN. Confirm that:
  – The GlobalProtect client connects automatically.
  – Traffic from the target app routes through the VPN, and external traffic uses the expected route (split vs. full tunnel).
  – Access to internal resources is successful (e.g., an intranet site or internal API).
– Check logs on the device and in the GlobalProtect portal for any authentication or connectivity errors.
– Validate failover behavior if the gateway is unreachable (does it gracefully prompt for re-authentication or switch to another gateway?).
# Platform-specific notes
– iOS/iPadOS: The per-app VPN feature leverages Apple’s Network Extension framework. You’ll set up VPN payloads that the OS applies when the user launches the assigned apps. Bundle IDs must be precise, and user consent prompts will appear for certificate or SSO-based authentication.
– macOS: Similar to iOS in terms of per-app VPN, but you might need to consider macOS Gatekeeper settings and app notarization for seamless operation.
– Windows: Per-app VPN with Intune on Windows is more commonly implemented via traditional VPN profiles and conditional access policies. If you need per-app behavior, you may rely on a combination of Windows VPN profiles and app-based routing with the GlobalProtect client or use third-party tooling to approximate per-app behavior. Always test with your endpoint posture and CA policy in mind.
Common pitfalls and troubleshooting
– App IDs don’t match: Make sure the app identifiers in Intune exactly match the bundle IDs or app IDs on the device. A small mismatch prevents the VPN from starting for that app.
– Portal and gateway unreachable: Verify the GlobalProtect portal URL and gateway addresses are accessible from the device network (tests from a corporate network vs. a home network can behave differently).
– Certificate issues: If you’re using cert-based authentication, ensure the client certs are issued, trusted, and not expired. Check the chain of trust on the device.
– Authentication prompts: If users see repeated login prompts, verify the SSO integration, token lifetimes, and any conditional access policies that might be interfering.
– Split-tunnel behavior: If internal resources aren’t reachable while external traffic seems fine, re-check split tunneling rules and route tables on the VPN gateway.
– App updates: A new version of GlobalProtect or your internal app can invalidate existing VPN profiles. Plan a change window for major app updates and re-distribute VPN settings as needed.
– Device compliance: If devices aren’t compliant, access may be blocked. Align per-app VPN deployment with your compliance baselines in Intune and Azure AD CA policies.
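Because an identifier mismatch fails silently (the VPN simply never starts for that app), it is worth checking the profile mechanically before assignment. The checker below is an added example, not code from the original article, Microsoft or Palo Alto Networks; it parses an Apple configuration profile (.mobileconfig, an XML plist) and cross-checks its app-to-VPN mappings against the bundle IDs you assigned in Intune, as called for in step 4 and the "App IDs don’t match" pitfall. The `com.apple.vpn.managed.applayer` and `com.apple.vpn.managed.appmapping` payload types and the `AppLayerVPNMapping`, `Identifier` and `VPNUUID` keys are Apple's documented ones; the sample profile, UUIDs and bundle IDs are constructed and contain deliberate mistakes for the checker to catch.

```python
"""Sanity-check a per-app VPN configuration profile before assigning it.

Added example: not from the original article, Microsoft or Palo Alto Networks.
Parses an Apple .mobileconfig (XML plist) and cross-checks the app-to-VPN
mappings against the bundle IDs assigned in Intune. Payload type names and the
AppLayerVPNMapping/Identifier/VPNUUID keys are Apple's documented ones; the
profile below is a constructed sample with placeholder values and deliberate
mistakes (a case mismatch, a dangling VPNUUID, an unmapped app).
"""
import plistlib

VPN_PAYLOAD = "com.apple.vpn.managed.applayer"
MAPPING_PAYLOAD = "com.apple.vpn.managed.appmapping"

GP_UUID = "11111111-2222-3333-4444-555555555555"     # constructed placeholder
BOGUS_UUID = "99999999-0000-0000-0000-000000000000"  # constructed placeholder

SAMPLE_PROFILE = f"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.perappvpn</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>{VPN_PAYLOAD}</string>
      <key>PayloadIdentifier</key><string>com.example.perappvpn.gp</string>
      <key>UserDefinedName</key><string>GlobalProtect per-app VPN</string>
      <key>VPNUUID</key><string>{GP_UUID}</string>
      <key>VPNType</key><string>VPN</string>
      <key>VPN</key>
      <dict>
        <key>RemoteAddress</key><string>portal.example.com</string>
        <key>AuthenticationMethod</key><string>Certificate</string>
      </dict>
    </dict>
    <dict>
      <key>PayloadType</key><string>{MAPPING_PAYLOAD}</string>
      <key>PayloadIdentifier</key><string>com.example.perappvpn.map</string>
      <key>AppLayerVPNMapping</key>
      <array>
        <dict><key>Identifier</key><string>com.contoso.intranet</string>
              <key>VPNUUID</key><string>{GP_UUID}</string></dict>
        <dict><key>Identifier</key><string>com.contoso.CRM</string>
              <key>VPNUUID</key><string>{GP_UUID}</string></dict>
        <dict><key>Identifier</key><string>com.contoso.repo</string>
              <key>VPNUUID</key><string>{BOGUS_UUID}</string></dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
""".encode()

# Bundle IDs assigned to the per-app VPN policy in Intune (constructed sample).
EXPECTED_APPS = {"com.contoso.intranet", "com.contoso.crm",
                 "com.contoso.repo", "com.contoso.hr"}


def validate_per_app_vpn(profile, expected_apps):
    """Return a list of human-readable findings; an empty list means clean."""
    root = plistlib.loads(profile)
    payloads = root.get("PayloadContent", [])
    vpn_uuids = {p["VPNUUID"] for p in payloads
                 if p.get("PayloadType") == VPN_PAYLOAD and "VPNUUID" in p}
    findings = []
    if not vpn_uuids:
        findings.append("no per-app VPN payload found in profile")
    mapped = set()
    for p in payloads:
        if p.get("PayloadType") != MAPPING_PAYLOAD:
            continue
        for entry in p.get("AppLayerVPNMapping", []):
            ident, uuid = entry.get("Identifier", ""), entry.get("VPNUUID", "")
            mapped.add(ident)
            if uuid not in vpn_uuids:
                findings.append(f"{ident}: VPNUUID {uuid} does not match any VPN payload")
            if ident not in expected_apps:
                # Bundle IDs are matched exactly on the device; surface the
                # near-misses (case or whitespace) that cause silent failures.
                near = [a for a in expected_apps
                        if a.strip().lower() == ident.strip().lower()]
                hint = f" (near miss: {near[0]})" if near else ""
                findings.append(f"{ident}: not in the assigned app list{hint}")
    for app in sorted(expected_apps - mapped):
        findings.append(f"{app}: assigned but has no per-app VPN mapping")
    return findings


if __name__ == "__main__":
    for finding in validate_per_app_vpn(SAMPLE_PROFILE, EXPECTED_APPS):
        print("FINDING:", finding)
```

Feed it the profile you export or build for a custom configuration, with `expected_apps` taken from your app inventory; each finding maps directly to one of the pitfalls above (wrong ID, dangling VPN reference, app left out of the mapping).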
Security considerations and best practices
– Principle of least privilege: Only assign per-app VPN to apps that truly require internal network access. Don’t blanket all apps through VPN.
– Strong authentication: Prefer certificate-based or SAML-based Single Sign-On to reduce password exposure and friction for end users.
– Certificate management: If you rely on client certs, set up automated renewal and revocation workflows. Keep trusted roots updated on devices.
– Monitoring and auditing: Use Intune and GlobalProtect logs to monitor VPN activations, failed connections, and app-level access events. Set up alerts for unusual patterns (e.g., many failed attempts or connections from unusual geos).
– Posture and conditional access: Tie VPN usage to device posture scores (OS version, encryption status, anti-malware status). This helps ensure that even if a user has VPN access, they must meet security baselines to actually reach resources.
– Least exposure: Where possible, place internal services behind the VPN with proper network segmentation. Limit access to necessary subnets and ports rather than exposing broad access.
– Regular reviews: Schedule quarterly reviews of enrolled apps, groups, and VPN assignments to retire apps that no longer require VPN or update gateway configurations.
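The two alert patterns named under monitoring and auditing (a burst of failed attempts, and a login from a country the user has never used) are simple to implement once the logs are parsed. The script below is an added example, not code from the original article, and the key=value log format and field names are a constructed stand-in rather than GlobalProtect's real portal/gateway log schema; map the fields to your own export or SIEM parser before using it. The log lines, users and baseline geos are constructed sample data.

```python
"""Detection over VPN authentication logs: failed-auth bursts and new geos.

Added example: not from the original article, and the log format below is a
constructed key=value line, not GlobalProtect's real portal/gateway log
format. Map the field names to your own export (or SIEM parser) before use.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (assumed field names).
SAMPLE_LOG = """\
2024-05-02T08:00:00Z user=jdoe src=198.51.100.7 geo=US event=auth result=success
2024-05-02T08:05:10Z user=asmith src=203.0.113.10 geo=US event=auth result=fail reason=bad_cert
2024-05-02T08:05:40Z user=asmith src=203.0.113.10 geo=US event=auth result=fail reason=bad_cert
2024-05-02T08:06:02Z user=asmith src=203.0.113.10 geo=US event=auth result=fail reason=bad_cert
2024-05-02T08:06:30Z user=asmith src=203.0.113.10 geo=US event=auth result=fail reason=bad_cert
2024-05-02T08:30:00Z user=jdoe src=192.0.2.44 geo=RO event=auth result=success
2024-05-02T09:00:00Z user=bwong src=198.51.100.9 geo=US event=auth result=fail reason=expired_cert
"""

# Countries each user was seen from during a baseline period (constructed).
BASELINE_GEOS = {"jdoe": {"US"}, "asmith": {"US"}, "bwong": {"US"}}

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one log line into a dict; returns None for blank or unparseable lines."""
    line = line.strip()
    if not line:
        return None
    ts_text, _, rest = line.partition(" ")
    try:
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    event = dict(_KV.findall(rest))
    event["ts"] = ts
    return event


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def failed_auth_bursts(events, threshold=4, window=timedelta(minutes=5)):
    """Alert once per user when `threshold` auth failures fall inside `window`."""
    recent = defaultdict(deque)   # user -> sliding window of failure timestamps
    alerts, alerted = [], set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e.get("event") != "auth" or e.get("result") != "fail":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append({"user": e["user"], "count": len(q), "last_seen": e["ts"]})
    return alerts


def new_geo_logins(events, baseline):
    """Successful logins from a country not in the user's baseline.
    Users with no baseline at all are also flagged (unknown is treated as new)."""
    seen = {u: set(g) for u, g in baseline.items()}
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e.get("event") != "auth" or e.get("result") != "success":
            continue
        user, geo = e["user"], e.get("geo", "??")
        if geo not in seen.setdefault(user, set()):
            hits.append((user, geo, e.get("src")))
            seen[user].add(geo)   # report each new geo once
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in failed_auth_bursts(evs):
        print("burst:", a)
    for h in new_geo_logins(evs, BASELINE_GEOS):
        print("new geo:", h)
```

Tune `threshold` and `window` to your user population (a large certificate-renewal event will look like a burst), and build the geo baseline from a period you trust before turning the second rule into a paging alert.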
Performance, reliability, and maintenance
– Connection times: VPN startup is often the dominant factor in perceived app startup latency. Efficient gateway selection and caching of gateway lists help.
– Redundancy: Maintain multiple gateways or portal endpoints to prevent single points of failure. Test failover scenarios regularly.
– App updates: New app versions may require updated VPN profiles. Build a change management process to push updates and test in a staging group before broad rollout.
– User education: Provide end-user tips on when VPN triggers, how to approve prompts, and how to recognize a failed connection and what to do next.
Real-world usage examples
– A hospital IT department uses per-app VPN for clinicians’ intranet apps, ensuring patient data never transits unencrypted outside the secure VPN path.
– A multinational corporation uses per-app VPN to route finance and HR apps through GlobalProtect while leaving general email and collaboration apps on direct internet access, improving performance for non-sensitive tasks.
– A managed services provider builds a tiered access model where outsourced admin apps are the only ones allowed through the VPN, with strict access windows and conditional access requirements.
Deployment checklist quick reference
– GlobalProtect portal and gateway configured
– VPN authentication method selected and tested
– GlobalProtect client prepared for iOS/macOS/Windows
– Intune per-app VPN profile created for each platform
– App identifiers (bundle IDs) verified
– App-based VPN assignments configured
– User and device groups populated for deployment
– Pilot group tested, full rollout scheduled
– Monitoring and logging set up (Intune + GlobalProtect)
– Posture and conditional access policies aligned
Advanced tips and optimization
– Use separate portals for internal and DMZ-like environments if you have very different security postures or access requirements.
– Consider per-app VPN plus a separate device-level VPN as a layered security approach for very sensitive workloads.
– Document your VPN topology and keep diagrams updated so troubleshooting and onboarding are faster.
– Keep software inventory current. VPN and app updates can affect compatibility.
Frequently Asked Questions
# What is per-app VPN in Intune?
Per-app VPN in Intune is a feature that lets you route traffic from specific managed apps through a VPN connection without forcing the entire device to use the VPN. It provides targeted security for apps accessing sensitive resources.
# Does Intune support GlobalProtect per-app VPN?
Yes, you can configure per-app VPN with GlobalProtect in Intune for supported platforms, primarily iOS/iPadOS and macOS, with Windows workflows differing slightly depending on your setup.
# Which platforms support per-app VPN in Intune?
The strongest support publicly documented is for iOS and macOS. Windows environments often use traditional VPN profiles or Always On VPN in combination with Intune, depending on your configuration. Always verify with the latest Intune updates for Windows-specific per-app VPN options.
# How do I configure per-app VPN for GlobalProtect on iOS/iPadOS?
Create a per-app VPN profile in Intune, select GlobalProtect as the VPN type, provide the portal URL, and assign it to the user or device groups. Ensure the app bundle IDs are accurate and that the GlobalProtect app is deployed to the devices.
# How do I configure per-app VPN for GlobalProtect on macOS?
The steps are similar to iOS, but you’ll use macOS-specific app identifiers and deployment methods in Intune. Ensure the GlobalProtect client is installed on macOS devices and the per-app VPN payload references the correct bundle ID.
# Can I use Windows with per-app VPN and GlobalProtect in Intune?
Windows support for per-app VPN is more limited. You’ll typically deploy the GlobalProtect Windows client and rely on a device-wide VPN profile or a combination of policies to approximate per-app behavior. Always test in your environment to confirm behavior.
# What are common issues with per-app VPN and how do I troubleshoot?
Common issues include mismatched app IDs, gateway or portal resolution problems, certificate or certificate chain issues, and authentication prompts. Check device logs, GlobalProtect portal logs, and Intune deployment status. Verify network reachability to the portal and gateway from the endpoint.
# How do I test per-app VPN deployment?
Enroll a test device, install the required apps, apply the per-app VPN policy, and launch the target apps. Confirm that the VPN connects automatically, the app traffic routes through VPN, and internal resources load as expected. Validate failover and recovery paths.
# How can I monitor per-app VPN usage and health?
Use a combination of Intune monitoring (profile deployment status, device health) and GlobalProtect logs (connection events, portal/gateway status). Consider adding Azure Monitor or your SIEM to capture VPN events and alerts.
# Should I use certificate-based or username/password authentication for GlobalProtect with Intune?
Certificate-based authentication is often more seamless and secure, especially in managed enterprise environments, but it requires proper certificate issuance and management. SAML or other federated options can simplify user experience if your IdP supports it.
# How do I handle post-deployment changes to VPN policies?
Plan a change window, notify users, and push updates through Intune to ensure devices receive updated VPN payloads. Validate the changes in a pilot group before full rollout.
# How does per-app VPN impact app performance and battery life?
Per-app VPN can improve energy efficiency by limiting VPN tunnel usage to only necessary apps, but the VPN connection itself adds overhead. Test on representative devices to gauge impact and tune the gateway settings, split tunneling, and session lifetimes accordingly.
# Can per-app VPN be integrated with conditional access and device compliance?
Yes. Most deployments tie VPN access to device posture and compliance policies. Enforce compliance checks before allowing a VPN session and use conditional access to gate resource access.
# What’s the recommended rollout approach for large organizations?
Start with a small pilot group, perfect the policy, and then expand in waves. Keep risk management in mind, and ensure support teams have guides for common user issues. Build a knowledge base with step-by-step troubleshooting and known issues.
# Is there a fallback if GlobalProtect isn’t reachable?
Yes. Define fallback gateways or a plan to escalate to user-assisted access methods while maintaining security controls. Document expected behaviors so users know what to do if the VPN cannot connect.
# How do I ensure compliance with data residency and auditing in this setup?
Map internal resources to regions, enforce data residency policies at the service level, and ensure VPN logs are stored in a compliant and auditable manner. Use conditional access policies to limit sensitive data exposure.
If you’re implementing Intune per-app VPN with GlobalProtect for your organization, this guide should give you a clear blueprint from planning through deployment and ongoing maintenance. As always, test thoroughly in a controlled pilot, gather user feedback, and iterate on the configuration to balance security with productivity.