Enable ADEM in Cloud Managed Prisma Access for Mobile Users
Focus
Focus
FedRAMP

Enable ADEM in Cloud Managed Prisma Access for Mobile Users

Table of Contents

Enable ADEM in Cloud Managed Prisma Access for Mobile Users

Learn how to enable Autonomous DEM for your Cloud Managed Prisma Access users.
Autonomous DEM is supported on GlobalProtect app version 5.2.11 with Content Release version 8393-6628 or later running on Windows or macOS endpoints only. Because you may not have licensed Autonomous DEM for all of your mobile users, you might want to create a new app settings configuration and restrict it to the supported operating systems and the specific users for which you want to enable ADEM.
After the GlobalProtect app receives the ADEM configuration, it uses the corresponding certificate to authenticate to the ADEM service and register with the service. After the agent registers, you will be able to assign app tests to the user.
To enable Autonomous DEM for your GlobalProtect users:
  1. From the Strata Cloud Manager app on the hub, create a new GlobalProtect App Settings configuration and enable Autonomous DEM.
    1. Select ManageService SetupGlobalProtectGlobalProtect App and Name the configuration.
    2. Add App Settings to create a GlobalProtect app configuration for your autonomous DEM users and give it a Name.
    3. To set the Match Criteria for OS, click Add OS and select Mac and/or Windows systems only.
    4. If you only want to deploy the ADEM configuration to a subset of your Mac and/or Windows users, under User Entities click Add User and select the users to whom you want to push this configuration.
    5. To enable Autonomous DEM for the selected users, under App Configuration, expand Show Advanced OptionsUser Behavior and select an option to enable Digital Experience Management (DEM) for Prisma Access (Windows and Mac only).
      You can select whether to install ADEM by selecting the appropriate option in the Access Experience (ADEM, App Acceleration, End user coaching) (Windows & MAC only) field:
      • Install
      • Uninstall
      • No action (The agent state remains as is)
        This is the default value.
      When you install ADEM, this also triggers creation of the certificate needed to authenticate to the ADEM service and enables log collection for troubleshooting.
      Starting in GlobalProtect version 5.2.8, you have the option to suppress receiving all Autonomous DEM update notifications (pertaining to installing, uninstalling and upgrading an agent) on the endpoints. To suppress the notifications, deselect the Display ADEM Update Notification Message check box. By default, this check box is selected.
    6. Customize any other App Settings as needed.
    7. Save the App Settings.
  2. Make sure you have security policy rules required to allow the GlobalProtect app to connect to the ADEM service and run the synthetic tests.
    To do so, you must add the ADEM URLs to make the endpoints register to the ADEM portal.
    1. Create an Address Group to hold your URLs.
    2. Add the following ADEM URLs to the address group.
      • FedRAMP High:
        • updates.dem.prismasasegov.com
        • agents.dem.prismasasegov.com
        • features.dem.prismasasegov.com
        • agents-il4-prod-us-central1.dem.prismasasegov.com
      • FedRAMP Moderate:
        • agents-fed-mod-prod-1-us-central1.dem.prismaaccess.com
        • updates-fed-mod-prod-1-us-central1.dem.prismaaccess.com
        • features-fed-mod-prod-1-us-central1.dem.prismaaccess.com
    3. Create a security policy rule and add the newly created address group object to it.
      To do so, click the + icon under DestinationAddresses and add the address group you created as shown in the image below.
    4. To enable the app to connect to the ADEM service and to run the application tests, you must have a policy rule to allow the GlobalProtect users to connect to applications over HTTPS.
    5. To enable the app to run network monitoring tests, you must have a policy rule to allow ICMP and TCP traffic.
    6. (Optional) If you plan to run synthetic tests that use HTTP, you must also have a security policy rule to allow the GlobalProtect users to access applications over HTTP.
  3. Save and Push the configuration to Prisma Access.