Skyhigh Security

Skyhigh Mobile Client for Android Devices

The Skyhigh Client for Mobile application enables end users to access the Internet and private applications from Android devices securely. When end users access websites or private applications, the traffic is forwarded to the Skyhigh SWG for policy enforcement before being directed to the actual website or private application. 

NOTE: 

  • This topic is intended for MDM administrators who manage end users' Android devices via the Skyhigh Client app. 
  • Skyhigh recommends creating a new user group and applying all relevant policies and configurations to the group. Once Skyhigh Client is set up and deployed, MDM administrators can add new users to the group. 

Recommended Android Versions 

Skyhigh Client for Mobile Version  Android 15  Android 14
v4.0.0.x                           [icon]      [icon]

Prerequisites

  • The CA certificate should be trusted and must be available in the device trust store. Download the certificates locally for distribution. Download the forward proxy certificate from the SSE dashboard for internet access.  
  • Make the OPG Configuration file available on the devices:
    • MDM:
      • Admins can get the encoded OPG configuration string from the SSE dashboard and use it for configuration. For more details, see Generate Encoded OPG Policy Config for MDM to generate an encoded OPG configuration file.
    • BYOD:
      • End users' personal devices must have a policy configuration (.OPG) file. MDM administrators can download the OPG file from the SSE dashboard and share it via email or any other sharing method. Save this policy file in a public location, such as the Downloads or Documents folder. 

Upload and Push Certificates using MDM 

You can use the Mobile Device Management (MDM) solution to automatically upload the Skyhigh Client app and trust certificates on Android devices without any user intervention.

NOTE: Microsoft Intune is the MDM solution validated with v4.0.0 of the Skyhigh Client for Mobile.

Upload Skyhigh Client App to Intune

  1. Navigate to Apps > Android > Android Apps > Create.
    The Select app type panel opens.
  2. From the App type dropdown, select Managed Google Play app.
  3. Click Select.
    The Managed Google Play window opens.
  4. Search for com.skyhigh.clientproxy or Skyhigh Client and select Skyhigh Client.
  5. Click Select.
  6. Click Sync.

It may take up to an hour for the Skyhigh Client app to appear in the list.

Push Certificates

For internet access and private application access to work, certificates must be pushed to the device. Intune and other mobile device management (MDM) solutions provide a method for deploying certificates directly to devices.

  1. Navigate to Devices > Configuration > Create > New Policy.
  2. Select Android Enterprise as the Platform.
  3. Select Trusted certificate under Profile type.
    Make sure you select the correct Trusted certificate option under the relevant section, depending on whether you are pushing certificates to fully managed devices or personal devices.
  4. In the Basics tab, enter Name and Description, and then upload the certificate to push when prompted.
    NOTE: Intune allows .crt and .cer certificates only. Change the extension accordingly, if necessary.
  5. In the Assignment tab, assign the configuration to one or more user groups for distribution, if necessary.
  6. In the Review+create tab, verify the details.
  7. When the device syncs with Intune, the certificates will be downloaded and installed.

NOTE: Make sure the certificates are installed on the device before pushing the Skyhigh Client app.  

Deploy and Configure Skyhigh Client for Mobile using MDM 

Deploy Skyhigh Client in Intune

  1. Navigate to Apps > Android Apps > select Skyhigh Client from the list of apps.
  2. Click Properties > Edit Assignments > Add group.
    Select the required groups to give access to the Skyhigh Android app.

Configure Skyhigh Client App

With MDM, end users no longer need to manage the OPG policy file themselves. This section explains how MDM administrators can create an app configuration to directly deliver the selected policy to users' devices.

  1. Navigate to Apps > Configuration > Create > Managed devices.
  2. Enter the Name and Description.
  3. Select Android Enterprise as the platform.
  4. Select the desired profile type from this list.
  5. Select the Skyhigh Client app as the target app, and click Next.
  6. Select Use configuration designer as the configuration setting format.
  7. In the Configuration value field, enter the encoded OPG configuration, which is generated from the prerequisite step. This removes the need to manually distribute the OPG file. To generate OPG configuration, see Generate Encoded OPG Policy Config File.

NOTE: 

  • Any change in the current policy gets applied based on the update frequency set in the SSE dashboard. Switching to a completely new policy will not affect existing users; only new users will get the new policy.
  • Existing users must either factory reset the app from settings or reinstall the app to switch to a new policy.
  • In case of an invalid configuration or configuration not set at all, the app will prompt the user for an OPG policy file.

Configure Always-On VPN Connection via Intune

With Always-on VPN in lockdown mode, all traffic from the device (for fully managed corporate devices) or from the work profile (for personal devices with a work profile) is directed through the Skyhigh tunnel. If the user or the system kills the app, the device loses internet connectivity until the Skyhigh app tunnel is established. Relaunch the app to bring up the tunnel. For more details, refer to Configure Always-On VPN Connection via Intune.

NOTE: 

  • Ensure you use the com.skyhigh.clientproxy package ID for Skyhigh Client for configuring always-on VPN with lockdown mode.
  • To enforce configuration for a new device, MDM admins can add the new user to the user group for which these policies are configured and deployed.
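
One way to confirm on a test device that the always-on VPN lockdown described above took effect, as an added example that is not part of the Skyhigh documentation. It assumes adb access (USB debugging enabled) and that Android keeps the always-on VPN state in the secure settings always_on_vpn_app and always_on_vpn_lockdown; the function names and exit codes are illustrative.

```shell
#!/bin/sh
# Added example (not vendor code): check always-on VPN lockdown on a test device.
# Assumptions: adb access with USB debugging on; Android keeps the always-on
# VPN state in the secure settings always_on_vpn_app / always_on_vpn_lockdown.
PKG="com.skyhigh.clientproxy"   # package ID given on this page

# evaluate_vpn_state APP LOCKDOWN INSTALLED
# Returns 0 = compliant, 1 = not enforced, 2 = always-on without lockdown.
evaluate_vpn_state() {
  app=$1; lockdown=$2; installed=$3
  if [ "$installed" != "yes" ]; then
    echo "FAIL: $PKG is not installed for this user"; return 1
  fi
  if [ "$app" != "$PKG" ]; then
    echo "FAIL: always-on VPN app is '$app', expected $PKG"; return 1
  fi
  if [ "$lockdown" != "1" ]; then
    echo "WARN: always-on is set but lockdown is off; traffic is not blocked while the tunnel is down"
    return 2
  fi
  echo "OK: always-on VPN with lockdown is bound to $PKG"
}

# check_device USER_ID: read the live values over adb and evaluate them.
# USER_ID 0 is the device owner; a work profile has its own Android user ID.
check_device() {
  user=${1:-0}
  app=$(adb shell settings get --user "$user" secure always_on_vpn_app | tr -d '\r')
  lockdown=$(adb shell settings get --user "$user" secure always_on_vpn_lockdown | tr -d '\r')
  if adb shell pm list packages --user "$user" "$PKG" | tr -d '\r' | grep -qx "package:$PKG"; then
    installed=yes
  else
    installed=no
  fi
  evaluate_vpn_state "$app" "$lockdown" "$installed"
}

# Run against a connected device only when asked: ./check_vpn.sh --device [USER_ID]
if [ "${1:-}" = "--device" ]; then
  check_device "${2:-0}"
fi
```

An unset value is reported by the settings command as null, which the check treats as not enforced.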

Install Skyhigh Client for Mobile in BYOD

End users must install the CA certificate to avoid warning messages, such as Proceed to Unsafe, in their device browsers when accessing the app. Without the necessary certificates, they may be alerted that the page they are trying to access is not private.

NOTE: The Android device should have a lock screen (pattern, biometric, pin, or password) to install and trust a CA certificate. 

  1. Open Settings.
  2. Tap Security.
  3. Tap Encryption & Credentials.
  4. Tap Install a certificate.
  5. Tap CA Certificate.
  6. Tap Install anyway on the alert screen.
    Browse and select the certificate file and install it. Check if the certificate is available on the device.

Install Skyhigh Client

Once the CA certificate is installed on the device, install Skyhigh Client from the Google Play Store. For more details, see the Skyhigh Client App for Android Devices.

Bypass or Block an Application

To bypass or block an application, do the following using the SSE web policy: 

  • Bypass - Add the Android package name in the SCP policy Proxy Bypass > Bypass all the proxies for traffic from these processes, and add the domain in Policy > Web Policy > Policy > Global Bypass > Domains Bypass.
  • Block - Use ports other than 80 and 443 to block the application traffic.

NOTE: Disconnect the Skyhigh Client VPN service and reconnect to get the latest version of the SCP policy.  

NOTE: To make Microsoft Teams calls, add com.microsoft.teams in SCP policy Proxy Bypass > Bypass all the proxies for traffic from these processes, and add microsoft.com in Policy > Web Policy > Policy > Global Bypass > Domains Bypass.

 
