Enable ADEM to Monitor Mobile User Experience
Focus
Focus
Autonomous DEM

Enable ADEM to Monitor Mobile User Experience

Table of Contents

Enable ADEM to Monitor Mobile User Experience

If you purchased the Mobile Users license while purchasing ADEM, you can enable ADEM monitoring for your Mobile Users.
Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • Prisma Access license
  • ADEM or Strata Cloud Manager Pro license
To enable Autonomous Digital Experience Management (ADEM) for your Prisma Access mobile users, you must enable ADEM in the GlobalProtect app settings. After you enable ADEM for a user, the GlobalProtect portal will automatically push the ADEM capabilities and the required authentication certificate to the selected users the next time they connect.
Enable ADEM for your Prisma Access mobile users using the appropriate workflow for your Prisma Access deployment:

Strata Cloud Manager

Learn how to enable Autonomous DEM for your Cloud Managed Prisma Access users.
Autonomous DEM is supported on GlobalProtect app version 5.2.11 with Content Release version 8393-6628 or later running on Windows or macOS endpoints only. Because you may not have licensed Autonomous DEM for all of your mobile users, you might want to create a new app settings configuration and restrict it to the supported operating systems and the specific users for which you want to enable ADEM.
After the GlobalProtect app receives the ADEM configuration, it uses the corresponding certificate to authenticate to the ADEM service and register with the service. After the agent registers, you will be able to assign app tests to the user.
To enable Autonomous DEM for your GlobalProtect users:
  1. From the Strata Cloud Manager user interface, create a new GlobalProtect App Settings configuration and enable Autonomous DEM.
    1. Select WorkflowsPrisma Access SetupGlobalProtectGlobalProtect App.
    2. Add App Settings to create a GlobalProtect app configuration for your Autonomous DEM users and give it a Name.
    3. To set the Match Criteria for OS, click Add OS and select Mac and/or Windows systems only.
    4. If you only want to deploy the ADEM configuration to a subset of your Mac and/or Windows users, under User Entities click Add User and select the users to whom you want to push this configuration.
    5. To enable Autonomous DEM for the selected users, under App Configuration, expand Show Advanced OptionsUser Behavior and select an option to enable Digital Experience Management (DEM) for Prisma Access (Windows and Mac only).
      You can select whether to let users enable and disable ADEM by selecting Install and User can Enable or Disable DEM or Install and User cannot Enable or Disable DEM. When you enable ADEM, this also triggers creation of the certificate needed to authenticate to the ADEM service and enables log collection for troubleshooting.
      Starting in GlobalProtect version 5.2.8, you have the option to suppress receiving all Autonomous DEM update notifications (pertaining to installing, uninstalling and upgrading an agent) on the endpoints. To suppress the notifications, deselect the Display ADEM Update Notification Message check box. By default, this check box is selected.
    6. Customize any other App Settings as needed.
    7. Save the App Settings.
  2. Make sure you have security policy rules required to allow the GlobalProtect app to connect to the ADEM service and run the synthetic tests.
    To do so, you must add the ADEM URLs to make the endpoints register to the ADEM portal.
    1. Create an Address Group to hold your URLs.
    2. Add the following ADEM URLs to the address group.
      • agents.dem.prismaaccess.com
      • updates.dem.prismaaccess.com
      • features.dem.prismaaccess.com
      • agents-prod1-us-west2.dem.prismaaccess.com
      • agents-sg1-asia-southeast1.dem.prismaaccess.com
      • agents-au1-australia-southeast1.dem.prismaaccess.com
      • agents-jp1-asia-northeast1.dem.prismaaccess.com
      • agents-ca1-northamerica-northeast1.dem.prismaaccess.com
      • agents-eu1-europe-west4.dem.prismaaccess.com
      • agents-uk1-europe-west2.dem.prismaaccess.com
      • agents-in1-asia-south1.dem.prismaaccess.com
      • agents-de1-europe-west3.dem.prismaaccess.com
      • agents-ch1-europe-west6.dem.prismaaccess.com
      • agents-fr1-europe-west9.dem.prismaaccess.com
    3. Create a security policy rule and add the newly created address group object to it.
      To do so, click the + icon under DestinationAddresses and add the address group you created as shown in the image below.
    4. To enable the app to connect to the ADEM service and to run the application tests, you must have a policy rule to allow the GlobalProtect users to connect to applications over HTTPS.
    5. To enable the app to run network monitoring tests, you must have a policy rule to allow ICMP and TCP traffic.
    6. (Optional) If you plan to run synthetic tests that use HTTP, you must also have a security policy rule to allow the GlobalProtect users to access applications over HTTP.
  3. Save and Push the configuration to Prisma Access.

Panorama

Learn how to enable Autonomous DEM for your Panorama Managed Prisma Access users.
Autonomous DEM is supported on GlobalProtect app version 5.2.11 with Content Release version 8393-6628 or later running on Windows or macOS endpoints only. Because you may not have licensed Autonomous DEM for all of your mobile users, you might want to create a new app settings configuration and restrict it to the supported operating systems and the specific users for which you want to enable ADEM.
After the GlobalProtect app receives the ADEM configuration, it uses the corresponding certificate to authenticate to the ADEM service and register with the service. After the agent registers, you will be able to assign app tests to the user.
To enable Autonomous DEM for your GlobalProtect users:
  1. Generate the certificate the agent will use to authenticate to the Autonomous DEM service.
    1. From Panorama, select PanoramaCloud ServicesConfigurationService Setup.
    2. In the GlobalProtect App Log Collection section under Service Operators, click Generate Certificate for GlobalProtect App Collection and Autonomous DEM.
      A confirmation message indicates that the certificate was successfully generated in the Mobile_User_Template Shared location.
  2. Configure the portal to push the DEM settings to the GlobalProtect agent.
    1. Select NetworkGlobalProtectPortalsGlobalProtect Portal.
    2. To create an agent configuration to push to your DEM users only, in the Mobile_User_Template, select the GlobalProtect Portal Configuration.
    3. On the Agent tab, select the DEFAULT agent configuration and Clone it and give it a new Name.
    4. To enable the portal to push the DEM authentication certificate you just generated to the end user systems, on the Authentication tab set Client Certificate to Local and then select the globalprotect_app_log_cert.
      After you push globalprotect_app_log_cert to the client machine, one root CA, two intermediate CAs, and one client certificate, issued by Palo Alto Networks, are installed in the user's Personal store.
      Palo Alto Networks automatically generates the Strata Logging Service certificate, so the root CA certificate and intermediate CA certificate must be owned by Palo Alto Networks. Palo Alto Networks can add the root certificate to portal configuration so that the GlobalProtect client can install it as a trusted root CA to the machine if they want to do so.
    5. To ensure that this agent configuration is only pushed to agents running on supported operating systems, on the Config Selection CriteriaUser/User Group tab, click Add in the OS column and select Mac and/or Windows only).
    6. If you only want to deploy the DEM configuration to a subset of your Mac and/or Windows users, in the User/User Group column Add the specific users or user groups to push this configuration to.
    7. To enable Autonomous DEM functionality for users on GlobalProtect version 6.2 and below, on the App tab, enable Autonomous DEM endpoint agent for Prisma Access for GP version 6.2 and below (Windows & Mac Only).
      ADEM is enabled by default; however, you can allow users to disable ADEM by selecting Install and user can enable/disable agent from GlobalProtect. End users can use this GlobalProtect configuration to pause/resume monitoring. If users disable the ADEM agent, they will continue to be online, but the agent will pause the monitoring and no synthetic tests will be conducted.
      ADEM is enabled by default. Select Install and user cannot enable/disable agent from GlobalProtect to keep ADEM enabled. Users will not be able to disable ADEM.
      To enable Autonomous DEM functionality for users on GlobalProtect version 6.3 and above, on the App tab, enable Access Experience (ADEM, App Acceleration, end user coaching) for GP 6.3 and above (Windows & Mac Only).
      ADEM is enabled by default. If you want to keep it enabled, select the No Action (The agent state remains the same) option. To install or uninstall the agent, select Install the Agent or Uninstall the Agent.
    8. Also on the App tab, set Enable Autonomous DEM and GlobalProtect App Log Collection for Troubleshooting to Yes to enable the GlobalProtect app to use the certificate you just created to authenticate to the DEM service.
    9. Starting in GlobalProtect version 5.2.8, you have the option to suppress receiving all Autonomous DEM update notifications (pertaining to installing, uninstalling and upgrading an agent) on the endpoints. To suppress the notifications, set the Display Autonomous DEM Update Notifications to No. By default, the Display Autonomous DEM Update Notifications is set to Yes.
    10. Click OK to save the new app configuration settings, and click OK again to save the portal configuration.
  3. Make sure you have security policy rules required to allow the GlobalProtect app to connect to the ADEM service and run the synthetic tests.
    1. In Panorama, go to Objectsaddresses. Click on Add and add the following ADEM Service Destination FQDNs.
      Do not decrypt the following servers. Also, make sure the profile allows untrusted issuers.
      • agents.dem.prismaaccess.com
      • updates.dem.prismaaccess.com
      • features.dem.prismaaccess.com
      • agents-prod1-us-west2.dem.prismaaccess.com
      • agents-sg1-asia-southeast1.dem.prismaaccess.com
      • agents-au1-australia-southeast1.dem.prismaaccess.com
      • agents-jp1-asia-northeast1.dem.prismaaccess.com
      • agents-ca1-northamerica-northeast1.dem.prismaaccess.com
      • agents-eu1-europe-west4.dem.prismaaccess.com
      • agents-uk1-europe-west2.dem.prismaaccess.com
      • agents-in1-asia-south1.dem.prismaaccess.com
      • agents-de1-europe-west3.dem.prismaaccess.com
      • agents-ch1-europe-west6.dem.prismaaccess.com
      • agents-fr1-europe-west9.dem.prismaaccess.com
    2. Create an address group to contain the addresses above by going to ObjectsAddress Groups, clicking Add and providing a name for the address group.
    3. Add the address group you just created into the security policy. Go to PoliciesSecurityPreRules. Click Add and add the address group to the policy.
    4. To enable the GlobalProtect users to connect to and register with the ADEM service and to run the synthetic application tests, make sure there is a security policy rule that allows traffic to HTTPS-based applications.
    5. To enable the app to run network monitoring tests, you must have a security policy rule to allow ICMP and TCP traffic.
    6. (Optional) If you plan to run synthetic tests that use HTTP, you must also have a security policy rule to allow the GlobalProtect users to access applications over HTTP.
  4. Commit all your changes to Panorama and push the configuration changes to Prisma Access.
    1. Click CommitCommit to Panorama.
    2. Click CommitPush to Devices and click Edit Selections.
    3. On the Prisma Access tab, make sure Prisma Access for users is selected and then click OK.
    4. Click Push.