Learn how to enable Autonomous DEM for your Cloud Managed Prisma Access users.
Autonomous DEM is supported on GlobalProtect app version 5.2.11 with Content Release version 8393-6628 or later, running on Windows or macOS endpoints only. Because you may not have licensed Autonomous DEM for all of your mobile users, you might want to create a new app settings configuration and restrict it to the supported operating systems and to the specific users for whom you want to enable ADEM.
After the GlobalProtect app receives the ADEM configuration, it uses the corresponding certificate to authenticate to the ADEM service and register with the service. After the agent registers, you will be able to assign app tests to the user.
To enable Autonomous DEM for your GlobalProtect users:

1. From the Strata Cloud Manager user interface, create a new GlobalProtect App Settings configuration and enable Autonomous DEM.
   a. Add App Settings to create a GlobalProtect app configuration for your Autonomous DEM users and give it a Name.
   b. To set the Match Criteria for OS, click Add OS and select Mac and/or Windows systems only.
   c. If you only want to deploy the ADEM configuration to a subset of your Mac and/or Windows users, under User Entities click Add User and select the users to whom you want to push this configuration.
   d. To enable Autonomous DEM for the selected users, under App Configuration, expand Show Advanced Options and, under User Behavior, select an option to enable Digital Experience Management (DEM) for Prisma Access (Windows and Mac only).
   You can select whether to let users enable and disable ADEM by selecting Install and User can Enable or Disable DEM or Install and User cannot Enable or Disable DEM. When you enable ADEM, this also triggers creation of the certificate needed to authenticate to the ADEM service and enables log collection for troubleshooting.
   Starting in GlobalProtect version 5.2.8, you have the option to suppress all Autonomous DEM update notifications (pertaining to installing, uninstalling, and upgrading an agent) on the endpoints. To suppress the notifications, deselect the Display ADEM Update Notification Message check box. By default, this check box is selected.
   e. Customize any other App Settings as needed.
   f. Save the App Settings.
2. Make sure you have the security policy rules required to allow the GlobalProtect app to connect to the ADEM service and run the synthetic tests.
   a. To do so, add the ADEM URLs to an address group object so that the endpoints can register with the ADEM portal.
   b. Create a security policy rule and add the newly created address group object to it. To do so, under Destination, click the + icon under Addresses and add the address group you created, as shown in the image below.
   c. To enable the app to connect to the ADEM service and to run the application tests, you must have a policy rule that allows the GlobalProtect users to connect to applications over HTTPS.
   d. To enable the app to run network monitoring tests, you must have a policy rule that allows ICMP and TCP traffic.
   e. (Optional) If you plan to run synthetic tests that use HTTP, you must also have a security policy rule that allows the GlobalProtect users to access applications over HTTP.
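As an added example (not from this page or from Palo Alto Networks), the following Python check evaluates whether a candidate rulebase allows the flows listed above under first-match ordering, so that an earlier deny rule shadowing a later allow is caught before deployment. The Rule model, the flow labels ("https", "icmp", "tcp", "http"), the user group "adem-users" and the address group name "adem-urls" are assumptions, not Strata Cloud Manager objects or its API.

```python
"""Added example: first-match check that a rulebase meets the ADEM policy
prerequisites. Rule model and flow labels are a constructed simplification,
not Strata Cloud Manager objects or its API."""
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    source_users: set = field(default_factory=lambda: {"any"})
    destinations: set = field(default_factory=lambda: {"any"})
    applications: set = field(default_factory=lambda: {"any"})

def first_match(rules, user, destination, application):
    """First-match ordering as on a PAN-OS rulebase; None is the implicit deny.
    A flow to destination "any" (monitoring tests can target any host) only
    matches a rule whose destination is also "any"."""
    for r in rules:
        if ("any" in r.source_users or user in r.source_users) and \
           ("any" in r.destinations or destination in r.destinations) and \
           ("any" in r.applications or application in r.applications):
            return r
    return None

def check_adem_policy(rules, user_group, adem_group="adem-urls", http_tests=False):
    """Return labels of required flows that are denied or unmatched."""
    required = {
        "https to ADEM service": (adem_group, "https"),   # registration + app tests
        "icmp for network tests": ("any", "icmp"),
        "tcp for network tests": ("any", "tcp"),
    }
    if http_tests:                                        # optional HTTP synthetic tests
        required["http synthetic tests"] = ("any", "http")
    missing = []
    for label, (dest, app) in required.items():
        hit = first_match(rules, user_group, dest, app)
        if hit is None or hit.action != "allow":
            missing.append(label)
    return missing

# Constructed sample rulebase: the early HTTP deny shadows any later HTTP allow.
RULES = [
    Rule("block-http", "deny", applications={"http"}),
    Rule("gp-to-adem", "allow", {"adem-users"}, {"adem-urls"}, {"https"}),
    Rule("gp-monitoring", "allow", {"adem-users"}, applications={"icmp", "tcp"}),
]

if __name__ == "__main__":
    print(check_adem_policy(RULES, "adem-users"))                   # []
    print(check_adem_policy(RULES, "adem-users", http_tests=True))  # ['http synthetic tests']
```

Users outside the matched group (for example "other-users") fall through to the implicit deny, so all three required flows are reported as missing for them.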
If you use a third-party EDR, you must allow certain processes on the EDR for ADEM to function properly. Examples of EDRs that require this include: