: Enable ADEM in Cloud Managed Prisma Access for Mobile Users
Focus
Focus

Enable ADEM in Cloud Managed Prisma Access for Mobile Users

Table of Contents

Enable ADEM in Cloud Managed
Prisma Access
for Mobile Users

Learn how to enable
Autonomous DEM
for your Cloud Managed
Prisma Access
users.
Autonomous DEM is supported on GlobalProtect app version 5.2.11 with Content Release version 8393-6628 or later running on Windows or macOS endpoints only. Because you may not have licensed Autonomous DEM for all of your mobile users, you might want to create a new app settings configuration and restrict it to the supported operating systems and the specific users for which you want to enable ADEM.
After the GlobalProtect app receives the ADEM configuration, it uses the corresponding certificate to authenticate to the ADEM service and register with the service. After the agent registers, you will be able to assign app tests to the user.
To enable Autonomous DEM for your GlobalProtect users:
  1. From the
    Strata Cloud Manager
    user interface, create a new GlobalProtect App Settings configuration and enable
    Autonomous DEM
    .
    1. Select
      Workflows
      Prisma Access
      Setup
      GlobalProtect
      GlobalProtect App
      .
    2. Add App Settings
      to create a GlobalProtect app configuration for your
      Autonomous DEM
      users and give it a
      Name
      .
    3. To set the Match Criteria for
      OS
      , click
      Add OS
      and select
      Mac
      and/or
      Windows
      systems only.
    4. If you only want to deploy the ADEM configuration to a subset of your Mac and/or Windows users, under
      User Entities
      click
      Add User
      and select the users to whom you want to push this configuration.
    5. To enable
      Autonomous DEM
      for the selected users, under App Configuration, expand
      Show Advanced Options
      User Behavior
      and select an option to enable
      Digital Experience Management (DEM) for
      Prisma Access
      (Windows and Mac only)
      .
      You can select whether to let users enable and disable ADEM by selecting
      Install and User can Enable or Disable DEM
      or
      Install and User cannot Enable or Disable DEM
      . When you enable ADEM, this also triggers creation of the certificate needed to authenticate to the ADEM service and enables log collection for troubleshooting.
      Starting in GlobalProtect version 5.2.8, you have the option to suppress receiving all
      Autonomous DEM
      update notifications (pertaining to installing, uninstalling and upgrading an agent) on the endpoints. To suppress the notifications, deselect the
      Display ADEM Update Notification Message
      check box. By default, this check box is selected.
    6. Customize any other App Settings as needed.
    7. Save
      the App Settings.
  2. Make sure you have security policy rules required to allow the GlobalProtect app to connect to the ADEM service and run the synthetic tests.
    To do so, you must add the ADEM URLs to make the endpoints register to the ADEM portal.
    1. Create an
      Address Group
      to hold your URLs.
    2. Add the following ADEM URLs to the address group.
      • agents.dem.prismaaccess.com
      • updates.dem.prismaaccess.com
      • features.dem.prismaaccess.com
      • agents-prod1-us-west2.dem.prismaaccess.com
      • agents-sg1-asia-southeast1.dem.prismaaccess.com
      • agents-au1-australia-southeast1.dem.prismaaccess.com
      • agents-jp1-asia-northeast1.dem.prismaaccess.com
      • agents-ca1-northamerica-northeast1.dem.prismaaccess.com
      • agents-eu1-europe-west4.dem.prismaaccess.com
      • agents-uk1-europe-west2.dem.prismaaccess.com
      • agents-in1-asia-south1.dem.prismaaccess.com
      • agents-de1-europe-west3.dem.prismaaccess.com
      • agents-ch1-europe-west6.dem.prismaaccess.com
      • agents-fr1-europe-west9.dem.prismaaccess.com
    3. Create a security policy rule and add the newly created address group object to it.
      To do so, click the
      +
      icon under
      Destination
      Addresses
      and add the address group you created as shown in the image below.
    4. To enable the app to connect to the ADEM service and to run the application tests, you must have a policy rule to allow the GlobalProtect users to connect to applications over HTTPS.
    5. To enable the app to run network monitoring tests, you must have a policy rule to allow ICMP and TCP traffic.
    6. (
      Optional
      ) If you plan to run synthetic tests that use HTTP, you must also have a security policy rule to allow the GlobalProtect users to access applications over HTTP.
  3. Save
    and
    Push
    the configuration to
    Prisma Access
    .

Recommended For You