Enable ADEM in Cloud Managed Prisma Access for Mobile Users

Learn how to enable Autonomous DEM for your Cloud Managed Prisma Access users.
Autonomous DEM is supported on GlobalProtect app version 5.2.11 with Content Release version 8393-6628 or later running on Windows or macOS endpoints only. Because you may not have licensed Autonomous DEM for all of your mobile users, you might want to create a new app settings configuration and restrict it to the supported operating systems and the specific users for which you want to enable ADEM.
After the GlobalProtect app receives the ADEM configuration, it uses the corresponding certificate to authenticate to the ADEM service and register with the service. After the agent registers, you will be able to assign app tests to the user.
To enable Autonomous DEM for your GlobalProtect users:
  1. From the Prisma Access app on the hub, create a new GlobalProtect App Settings configuration and enable Autonomous DEM.
    1. Select
      Manage
      Service Setup
      GlobalProtect
      GlobalProtect App
      and
      Name
      the configuration.
    2. Add App Settings
      to create a GlobalProtect app configuration for your autonomous DEM users and give it a
      Name
      .
    3. To set the Match Criteria for
      OS
      , click
      Add OS
      and select
      Mac
      and/or
      Windows
      systems only.
    4. If you only want to deploy the ADEM configuration to a subset of your Mac and/or Windows users, under
      User Entities
      click
      Add User
      and select the users to whom you want to push this configuration.
    5. To enable Autonomous DEM for the selected users, under App Configuration, expand
      Show Advanced Options
      User Behavior
      and select an option to enable
      Digital Experience Management (DEM) for Prisma Access (Windows and Mac only)
      .
      You can select whether to let users enable and disable ADEM by selecting
      Install and User can Enable or Disable DEM
      or
      Install and User cannot Enable or Disable DEM
      . When you enable ADEM, this also triggers creation of the certificate needed to authenticate to the ADEM service and enables log collection for troubleshooting.
      Starting in GlobalProtect version 5.2.8, you have the option to suppress receiving all Autonomous DEM update notifications (pertaining to installing, uninstalling and upgrading an agent) on the endpoints. To suppress the notifications, deselect the
      Display ADEM Update Notification Message
      check box. By default, this check box is selected.
    6. Customize any other App Settings as needed.
    7. Save
      the App Settings.
  2. Make sure you have security policy rules required to allow the GlobalProtect app to connect to the ADEM service and run the synthetic tests.
    To do so, you must add the ADEM URLs to make the endpoints register to the ADEM portal.
    1. Create an
      Address Group
      to hold your URLs.
    2. Add the following ADEM URLs to the address group.
      • agents.dem.prismaaccess.com
      • agents.jp1.ap-northeast-1.dem.prismaaccess.com
      • agents.sg1.ap-southeast-1.dem.prismaaccess.com
      • agents.au1.ap-southeast-2.dem.prismaaccess.com
      • agents.ca1.ca-central-1.dem.prismaaccess.com
      • agents.eu1.eu-central-1.dem.prismaaccess.com
      • agents.uk1.eu-west-2.dem.prismaaccess.com
      • agents.us1.us-east-2.dem.prismaaccess.com
      • updates.dem.prismaaccess.com
      • agents.in1.ap-south-1.dem.prismaaccess.com
    3. Create a security policy rule and add the newly created address group object to it.
      To do so, click the
      +
      icon under
      Destination
      Addresses
      and add the address group you created as shown in the image below.
    4. To enable the app to connect to the ADEM service and to run the application tests, you must have a policy rule to allow the GlobalProtect users to connect to applications over HTTPS.
    5. To enable the app to run network monitoring tests, you must have a policy rule to allow ICMP and TCP traffic.
    6. (
      Optional
      ) If you plan to run synthetic tests that use HTTP, you must also have a security policy rule to allow the GlobalProtect users to access applications over HTTP.
  3. Save
    and
    Push
    the configuration to Prisma Access.

Recommended For You