Specify Gateway options on Android Enterprise devices

For Android devices, you can specify which apps send data through the Gateway tunnel using the Gateway service policy. If your organization manages Android Enterprise devices using an EMM solution such as BlackBerry UEM, you can configure settings in your EMM provider that affect Gateway.

You can use the IT policy in BlackBerry UEM to specify whether Gateway is always enabled on devices and whether users can change VPN configurations in the work profile on the device. For more information on UEM IT policy rules, download the UEM IT Policy Reference.

  1. In the UEM management console, create or edit an IT policy.
  2. Do one of these actions:
    1. To force Gateway to always be enabled, set these IT policy rules for the Android work profile.
      | IT policy rule | Description |
      | --- | --- |
      | Force always-on VPN | Selected |
      | Use BlackBerry Secure Connect Plus for VPN connection | Not selected |
      | VPN app package ID | com.blackberry.protect |
      | Force work apps to only use VPN | Not selected. If this option is selected, the Aurora Protect Mobile app can't be activated on the device. |
      | Work apps exempt from VPN | If the "Force work apps to only use VPN" rule is selected, you must enter com.android.chrome to allow the Chrome browser to access the network and activate the Aurora Protect Mobile app on the device before the VPN is connected. This rule applies to devices running Android OS 10.0.0 or later. If you enter com.android.protect, the Aurora Protect Mobile app can access the network without using the VPN only when the VPN is not connected. |
    2. To allow devices to send data through the Gateway tunnel if Force always-on VPN is not selected, select Allow user-configured VPN in workspace.
    If neither Force always-on VPN nor Allow user-configured VPN in workspace is selected, the device will not allow work apps to send data through the tunnel.
  3. Assign the IT policy to users.
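
The rule combinations in step 2 can be checked before a policy is assigned. The following is an added example, not BlackBerry code: it assumes the rule values have been transcribed by hand into a Python dict keyed by the rule names shown above (the dict layout and the function name are hypothetical, not a UEM export format).

```python
# Added example, not vendor code. The dict layout (rule name -> value) and the
# function name are assumptions; this is not a BlackBerry UEM export format.
GATEWAY_PACKAGE = "com.blackberry.protect"  # "VPN app package ID" value from the page
CHROME_PACKAGE = "com.android.chrome"       # exemption named on the page


def check_gateway_policy(policy):
    """Return findings for an Android work profile policy; empty list = consistent."""
    findings = []
    exempt = set(policy.get("Work apps exempt from VPN", []))

    if not policy.get("Force always-on VPN", False):
        # Option 2 on the page: without always-on, the user-configured rule is required.
        if not policy.get("Allow user-configured VPN in workspace", False):
            findings.append("No always-on VPN and no user-configured VPN: "
                            "work apps cannot send data through the tunnel.")
        return findings

    # Option 1 on the page: always-on VPN bound to the Gateway app.
    if policy.get("Use BlackBerry Secure Connect Plus for VPN connection", False):
        findings.append("'Use BlackBerry Secure Connect Plus for VPN connection' "
                        "must not be selected.")
    if policy.get("VPN app package ID") != GATEWAY_PACKAGE:
        findings.append(f"'VPN app package ID' must be {GATEWAY_PACKAGE}.")
    if (policy.get("Force work apps to only use VPN", False)
            and CHROME_PACKAGE not in exempt):
        findings.append("'Force work apps to only use VPN' is selected without "
                        f"{CHROME_PACKAGE} exempted: the app cannot be activated.")
    return findings


# Constructed sample policies.
ALWAYS_ON = {
    "Force always-on VPN": True,
    "Use BlackBerry Secure Connect Plus for VPN connection": False,
    "VPN app package ID": GATEWAY_PACKAGE,
    "Force work apps to only use VPN": False,
}
BLOCKS_ACTIVATION = {**ALWAYS_ON, "Force work apps to only use VPN": True}
NO_TUNNEL = {"Force always-on VPN": False}

if __name__ == "__main__":
    for name, pol in [("ALWAYS_ON", ALWAYS_ON),
                      ("BLOCKS_ACTIVATION", BLOCKS_ACTIVATION),
                      ("NO_TUNNEL", NO_TUNNEL)]:
        print(name, check_gateway_policy(pol) or "OK")
```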