Autonomous DEM is supported on GlobalProtect app version 5.2.11 with Content Release version 8393-6628 or later running on Windows or macOS endpoints only. Because you may not have licensed Autonomous DEM for all of your mobile users, you might want to create a new app settings configuration and restrict it to the supported operating systems and the specific users for which you want to enable ADEM.
After the GlobalProtect app receives the ADEM configuration, it uses the corresponding certificate to authenticate to the ADEM service and register with the service. After the agent registers, you will be able to assign app tests to the user.
To enable Autonomous DEM for your GlobalProtect users:
From the Strata Cloud Manager user interface, create a new GlobalProtect App Settings configuration and enable Autonomous DEM.
Select Workflows > Prisma Access Setup > GlobalProtect > GlobalProtect App.
Add App Settings to create a GlobalProtect app configuration for your Autonomous DEM users and give it a Name.
To set the Match Criteria for OS, click Add OS and select Mac and/or Windows systems only.
If you only want to deploy the ADEM configuration to a subset of your Mac and/or Windows users, under User Entities click Add User and select the users to whom you want to push this configuration.
To enable Autonomous DEM for the selected users, under App Configuration, expand Show Advanced Options > User Behavior and select an option to enable Digital Experience Management (DEM) for Prisma Access (Windows and Mac only).
You can select whether to let users enable and disable ADEM by selecting Install and User can Enable or Disable DEM or Install and User cannot Enable or Disable DEM. When you enable ADEM, this also triggers creation of the certificate needed to authenticate to the ADEM service and enables log collection for troubleshooting.
Starting in GlobalProtect version 5.2.8, you have the option to suppress all Autonomous DEM update notifications (pertaining to installing, uninstalling and upgrading an agent) on the endpoints. To suppress the notifications, deselect the Display ADEM Update Notification Message check box. By default, this check box is selected.
Customize any other App Settings as needed.
Save the App Settings.
Make sure you have the security policy rules required to allow the GlobalProtect app to connect to the ADEM service and run the synthetic tests.
To do so, you must add the ADEM URLs so that the endpoints can register with the ADEM portal.
Create a security policy rule and add the newly created address group object to it.
To do so, click the + icon under Destination Addresses and add the address group you created.
To enable the app to connect to the ADEM service and to run the application tests, you must have a policy rule to allow the GlobalProtect users to connect to applications over HTTPS.
To enable the app to run network monitoring tests, you must have a policy rule to allow ICMP and TCP traffic.
(Optional) If you plan to run synthetic tests that use HTTP, you must also have a security policy rule to allow the GlobalProtect users to access applications over HTTP.