Autonomous DEM
Strata Cloud Manager
Table of Contents
Expand All
|
Collapse All
Autonomous DEM Docs
-
- AI-Powered ADEM
- Autonomous DEM for China
-
-
- AI-Powered ADEM
- Access Experience Agent 5.1
- Access Experience Agent 5.3
- Access Experience Agent 5.4
Strata Cloud Manager
Learn how to enable Autonomous DEM for your Cloud Managed Prisma Access
users.
Autonomous
DEM is supported on GlobalProtect app version 5.2.11 with Content
Release version 8393-6628 or later running on Windows or macOS endpoints
only. Because you may not have licensed Autonomous DEM for all of
your mobile users, you might want to create a new app settings configuration
and restrict it to the supported operating systems and the specific
users for which you want to enable ADEM.
After the GlobalProtect
app receives the ADEM configuration, it uses the corresponding certificate
to authenticate to the ADEM service and register with the service.
After the agent registers, you will be able to assign app tests
to the user.
To enable Autonomous DEM for your GlobalProtect
users:
- From the Strata Cloud Manager user interface, create a new GlobalProtect App Settings configuration and enable Autonomous DEM.
- Select WorkflowsPrisma Access SetupGlobalProtectGlobalProtect App.
- Add App Settings to create a GlobalProtect app configuration for your Autonomous DEM users and give it a Name.
- To set the Match Criteria for OS, click Add OS and select Mac and/or Windows systems only.
- If you only want to deploy the ADEM configuration to a subset of your Mac and/or Windows users, under User Entities click Add User and select the users to whom you want to push this configuration.
- To enable Autonomous DEM for the selected users, under App Configuration, expand Show Advanced OptionsUser Behavior and select an option to enable Digital Experience Management (DEM) for Prisma Access (Windows and Mac only).You can select whether to let users enable and disable ADEM by selecting Install and User can Enable or Disable DEM or Install and User cannot Enable or Disable DEM. When you enable ADEM, this also triggers creation of the certificate needed to authenticate to the ADEM service and enables log collection for troubleshooting.Starting in GlobalProtect version 5.2.8, you have the option to suppress receiving all Autonomous DEM update notifications (pertaining to installing, uninstalling and upgrading an agent) on the endpoints. To suppress the notifications, deselect the Display ADEM Update Notification Message check box. By default, this check box is selected.
- Customize any other App Settings as needed.
- Save the App Settings.
Make sure you have security policy rules required to allow the GlobalProtect app to connect to the ADEM service and run the synthetic tests.To do so, you must add the ADEM URLs to make the endpoints register to the ADEM portal.- Create an Address Group to hold your URLs.
- Add the following ADEM URLs to the address group.
- agents.dem.prismaaccess.com
- updates.dem.prismaaccess.com
- features.dem.prismaaccess.com
- agents-prod1-us-west2.dem.prismaaccess.com
- agents-sg1-asia-southeast1.dem.prismaaccess.com
- agents-au1-australia-southeast1.dem.prismaaccess.com
- agents-jp1-asia-northeast1.dem.prismaaccess.com
- agents-ca1-northamerica-northeast1.dem.prismaaccess.com
- agents-eu1-europe-west4.dem.prismaaccess.com
- agents-uk1-europe-west2.dem.prismaaccess.com
- agents-in1-asia-south1.dem.prismaaccess.com
- agents-de1-europe-west3.dem.prismaaccess.com
- agents-ch1-europe-west6.dem.prismaaccess.com
- agents-fr1-europe-west9.dem.prismaaccess.com
- Create a security policy rule and add the newly created address group object to it.To do so, click the + icon under DestinationAddresses and add the address group you created as shown in the image below.
- To enable the app to connect to the ADEM service and to run the application tests, you must have a policy rule to allow the GlobalProtect users to connect to applications over HTTPS.
- To enable the app to run network monitoring tests, you must have a policy rule to allow ICMP and TCP traffic.
- (Optional) If you plan to run synthetic tests that use HTTP, you must also have a security policy rule to allow the GlobalProtect users to access applications over HTTP.
Save and Push the configuration to Prisma Access.