Roll out GSA client to all managed devices

Implementation Effort: Low

User Impact: Low

Overview

Rolling out the Microsoft Entra Global Secure Access (GSA) client to all managed devices is a foundational step in enabling secure, identity-driven access to both corporate and internet resources. The GSA client provides organizations with granular control over network traffic at the endpoint, allowing for secure routing of specific traffic profiles through Microsoft Entra Internet Access and Private Access. This approach aligns with Zero Trust and Secure Access Service Edge (SASE) strategies by ensuring that connectivity from endpoints to applications is always verified, monitored, and policy-driven.

To deploy the GSA client, organizations should:

• Download the latest GSA client from the Microsoft Entra admin center and package it for deployment (such as with Microsoft Intune for Windows devices).
• Define security groups to target the correct set of users or devices for installation.
• Follow platform-specific installation guidance for Windows, Android, and other supported operating systems.
• Configure the client to enable required traffic forwarding profiles, such as Microsoft traffic, internet access, or private access.

By rolling out the GSA client across all managed devices, organizations benefit from deep visibility, real-time policy enforcement, and improved protection against evolving threats—whether users are on-site or remote.

For detailed, step-by-step instructions, see the References section

Reference

Windows based Global Secure Access Client

• https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-install-windows-client

non-Windows OS clients:

• https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-install-macos-client
• https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-install-android-client?tabs=device-administrator
• https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-install-ios-client