What Data Does the GlobalProtect App Collect on Each Operating System?
Focus
Focus
GlobalProtect

What Data Does the GlobalProtect App Collect on Each Operating System?

Table of Contents

What Data Does the GlobalProtect App Collect on Each Operating System?

Learn what types of data the GlobalProtect app collects on each supported operating system.
The GlobalProtect app collects data to help identify or retrieve the host information profile (HIP) for the device for use in HIP-based policy enforcement.

What Data Does the GlobalProtect App Collect on Windows?

The following table describes the data collected by the GlobalProtect app on Windows devices for HIP-based policy enforcement generated by the firewall:
HIP Report AttributeDescription
Report Generation Time
Date and time that the HIP report was generated.
User Name
Username that is used to log in to the VPN.
User IP Address
IP address of the users’ Windows device.
Machine Name
Host name and serial number of the Windows device.
Domain
Field is empty on Windows devices.
OS
Application name and vendor name of the target OS.
Host ID
Unique host ID that is assigned by GlobalProtect to identify the host. The host ID value is machine GUID on Windows devices. The machine GUID is stored in the Windows registry (HKEY_Local_Machine\Software\Microsoft\Cryptography\MachineGuid).
Client Version
Version number of the currently installed GlobalProtect app.
Network Interface
Following settings are identified for the network interface:
  • Interface—Type of network interface detected on the Windows device.
  • MAC Address—MAC address is the unique hardware identifier assigned to each network interface on the Windows device.
  • IP Address—IP address assigned to each network interface on the Windows device.
Anti-Malware
Information about any antivirus or anti-spyware that is enabled or installed on the device, whether real-time anti-virus or anti-spyware protection is enabled on the host, virus definition version, last scan time, and the vendor and product name.
Disk Backup
Information about the disk backup status of the device such as whether the disk backup software is installed on the host, the last backup time, and the vendor and product name of the software.
Disk Encryption
Information about the disk encryption status of the device such as whether the disk encryption software is installed on the host, the drive or path to check for disk encryption to determine a match, state of the encrypted location, and the vendor and product name of the software.
(Requires GlobalProtect app 5.2) If you want to view the encryption status of all drives or paths on the endpoint, you must manually enter All as the Encrypted Locations when creating the HIP object for the Disk Encryption category. To verify if all drives or paths are encrypted, you must set the Encrypted Locations to All and set the State to Is encrypted from the drop-down.
Patch Management
Information about any patch management software that is installed or enabled on the host and whether the host detected missing patches and the specified severity value. See the Patch Management category for details on each value.
Firewall
Information about whether firewall software is enabled or installed on the host.
Data Loss Prevention
Information about the data loss prevention (DLP) software status on the Windows devices to prevent corporate information from leaving the corporate network or from being stored on a potentially insecure device.
Custom Checks
Information about the Windows Registry collected by the GlobalProtect app from Windows devices. You can enable custom checks to collect data from Windows devices to instruct the app to collect specific registry information (Registry Keys and Registry Key Values). The type of information collected can include whether an application is installed on the device, or specific attributes or properties of that application.

What Data Does the GlobalProtect App Collect on macOS?

The following table describes the data collected by the GlobalProtect app on macOS devices for HIP-based policy enforcement generated by the firewall:
HIP Report AttributeDescription
Report Generation Time
Date and time that the HIP report was generated.
User Name
Username that is used to log in to the VPN.
User IP Address
IP address of the users’ macOS device.
Machine Name
Host name and serial number of the macOS device.
Domain
Field is empty on macOS devices.
OS
Application name and vendor name of the target OS.
Host ID
Unique host ID that is assigned by GlobalProtect to identify the host. The host ID value is the MAC address of the first built-in physical interface.
Client Version
Version number of the currently installed GlobalProtect app.
Network Interface
Following settings are identified for the network interface:
  • Interface—Type of network interface detected on the macOS device.
  • MAC Address—MAC address is the unique hardware identifier assigned to each network interface on the macOS device.
  • IP Address—IP address assigned to each network interface on the macOS device.
Anti-Malware
Information about any antivirus or anti-spyware that is enabled or installed on the device, whether real-time anti-virus or anti-spyware protection is enabled on the host, virus definition version, last scan time, and the vendor and product name.
Disk Backup
Information about the disk backup status of the device such as whether the disk backup software is installed on the host, the last backup time, and the vendor and product name of the software.
Disk Encryption
Information about the disk encryption status of the device such as whether the disk encryption software is installed on the host, the drive or path to check for disk encryption to determine a match, state of the encrypted location, and the vendor and product name of the software.
(Requires GlobalProtect app 5.2) If you want to view the encryption status of all drives or paths on the endpoint, you must manually enter All as the Encrypted Locations when creating the HIP object for the Disk Encryption category. To verify if all drives or paths are encrypted, you must set the Encrypted Locations to All and set the State to Is encrypted from the drop-down.
Patch Management
Information about any patch management software that is installed or enabled on the host and whether the host detected missing patches and the specified severity value. See the Patch Management category for details on each value.
Firewall
Information about whether firewall software is enabled or installed on the host.
Custom Checks
Information about the macOS property list (plist) collected by the GlobalProtect app from macOS devices. You can enable custom checks to collect data from macOS devices to instruct the app to collect specific plist information (plist and plist keys). The type of information collected can include whether an application is installed on the device, or specific attributes or properties of that application.

What Data Does the GlobalProtect App Collect on Windows UWP?

The following table describes the data collected by the GlobalProtect app on Windows UWP devices for HIP-based policy enforcement generated by the firewall:
HIP Report AttributeDescription
Report Generation Time
Date and time that the HIP report was generated.
User Name
Username that is used to log in to the VPN.
User IP Address
IP address of the users’ Windows UWP device.
Machine Name
Host name and serial number of the Windows UWP device.
Domain
Field is empty on Windows UWP devices.
OS
Application name and vendor name of the target OS.
Host ID
Unique host ID that is assigned by GlobalProtect to identify the host. The host ID value is GUID on Windows UWP devices.
Client Version
Version number of the currently installed GlobalProtect app.
Network Interface
Following settings are identified for the network interface:
  • Interface—Type of network interface detected on the Windows UWP device.
  • MAC Address—MAC address is the unique hardware identifier assigned to each network interface on the Windows UWP device.
  • IP Address—IP address assigned to each network interface on the Windows UWP device.

What Data Does the GlobalProtect App Collect on Android?

The following table describes the data collected by the GlobalProtect app on Android devices for HIP-based policy enforcement generated by the fiirewall:
The GlobalProtect app for Android on a Chromebook uses the same HIP report attributes.
HIP Report AttributeDescription
Report Generation Time
Date and time that the HIP report was generated.
User Name
Username that is used to log in to the VPN.
User IP Address
IP address of the users’ Android device.
Machine Name
Host name and serial number of the Android device.
Domain
Field is empty on Android devices.
Serial Number
Serial number of the Android device.
Managed
Value that indicates whether the Android device is managed. If this value is set to Yes, the device is managed. If this value is set to No, the device is unmanaged.
OS
Application name and vendor name of the target OS.
Host ID
GlobalProtect assigned unique alphanumeric string with length of 16 characters to identify the host. The host ID value is Android ID on Android devices.
Client Version
Version number of the currently installed GlobalProtect app.
WiFi SSID
Specific information about the network connectivity such as WiFi SSID on the Android device.
Network Interface
Following settings are identified for the network interface:
  • Interface—Type of network interface detected on the Android device.
  • MAC Address—MAC address is the unique hardware identifier assigned to each network interface on the Android device.
  • IP Address—IP address assigned to each network interface on the Android device.
Mobile Device
Information about the mobile device, including the device name, logon domain, operating system, app version, and the network to which the device is connected.
Tags
Tags to enable you to match against other MDM-based attributes.
Device Compliance
The Rooted/Jailbroken attribute is used to determine the compliance status of the Android device that has been rooted or jailbroken to obtain administrative privileges. The security policies can be removed or bypassed in the operating system from a compromised device.
MDM Attributes
When you integrate your GlobalProtect deployment with an MDM vendor, the GlobalProtect app for Android devices can obtain the following data attributes and tags from the MDM system:
  • udid—Unique device identifier (UDID) of the Android device.
  • managed-by-mdm—Value that indicates whether the Android device is managed. If this value is set to Yes, the Android device is managed. If this value is set to No, the Android device is unmanaged.
  • tag—Tags to enable you to match against other MDM-based attributes.
  • compliance—Compliance status that indicates whether the Android device is compliant with the compliance policies that you have defined.
  • ownership—Ownership category of the Android device (for example, Employee Owned). This value is appended to the Tag attribute in the HIP report.

What Data Does the GlobalProtect App Collect on iOS?

The following table describes the data collected by the GlobalProtect app on iOS devices for HIP-based policy enforcement generated by the firewall:
HIP Report AttributeDescription
Report Generation Time
Date and time that the HIP report was generated.
User Name
Username that is used to log in to the VPN.
User IP Address
IP address of the users’ iOS device.
Machine Name
User-assigned device name + identifierForVendor
The user-assigned device name will defer depending on the device's iOS version.
  • In iOS 15 and earlier, the name property returns the device's name (for example, "Adam's iPhone").
  • In iOS 16 and later, the name property returns a generic device name by default (for example, "iPhone").
Domain
Field is empty on iOS devices.
Serial Number
Field is empty on iOS device.
Managed
Value that indicates whether the iOS device is managed. If this value is set to Yes, the device is managed. If this value is set to No, the device is unmanaged.
OS
Application name and vendor name of the target OS.
Host ID
Unique ID that is assigned by GlobalProtect to identify the host. The host ID value is UDID on iOS devices.
Client Version
Version number of the currently installed GlobalProtect app.
WiFi SSID
Information about the network connectivity such as WiFi SSID on the iOS device.
Network Interface
Following settings are identified for the network interface:
  • Interface—Type of network interface detected on the iOS device.
  • MAC Address—MAC address is the unique hardware identifier assigned to each network interface on the iOS device.
  • IP Address—IP address assigned to each network interface on the iOS device.
Mobile Device
Information about the mobile device, including the device name, logon domain, operating system, app version, and the network to which the device is connected.
Device Compliance
Following attributes are used to determine the compliance status of the iOS device:
  • Rooted/Jailbroken—Status on the iOS device that has been rooted or jailbroken to obtain administrative privileges. The security policies can be removed or bypassed in the operating system from a compromised device.
  • Disk Encryption Not Set—Status on the iOS device that is enabled for disk encryption.
  • Passcode Not Set—Status on the iOS device that is set to a passcode.
  • Has Malware—Status on the iOS device that has malware-infected apps installed.
MDM Attributes
When you integrate your GlobalProtect deployment with an MDM vendor, the GlobalProtect app for iOS devices can obtain the following data attributes and tags from the MDM system:
  • udid—Unique device identifier (UDID) of the iOS device.
  • managed-by-mdm—Value that indicates whether the iOS device is managed. If this value is set to Yes, the iOS device is managed. If this value is set to No, the iOS device is unmanaged.
  • tag—Tags to enable you to match against other MDM-based attributes.
  • compliance—Compliance status that indicates whether the iOS device is compliant with the compliance policies that you have defined.
  • ownership—Ownership category of the iOS device (for example, Employee Owned). This value is appended to the Tag attribute in the HIP report.

What Data Does the GlobalProtect App Collect on Linux?

The following table describes the data collected by the GlobalProtect app on Linux devices for HIP-based policy enforcement generated by the firewall:
HIP Report AttributeDescription
User Name
Username that is used to log in to the VPN.
IP Address
IP address of the users’ Linux device.
Generate Time
Date and time that the HIP report was generated.
Host Info
Activate one or more of the following options for configuring the host information:
  • Managed—Value that indicates whether the Linux device is managed. If this value is set to Yes, the device is managed. If this value is set to No, the device is unmanaged.
  • Serial Number—Serial number of the Linux device.
  • Client Version—Version number of the currently installed GlobalProtect app.
  • OS—Application name of the target OS you want to match.
  • OS Vendor—Vendor name of the target OS you want to match.
  • Domain—Domain name of the Linux device.
  • Host Name—Host name of the Linux device.
  • Host ID—Unique ID that is assigned by GlobalProtect to identify the host. The host ID value is the product unique device identifier (UDID) on Linux devices.
Network Interface
Following settings are identified for the network interface:
  • Interface—Type of network interface detected on the Linux device.
  • MAC Address—MAC address is the unique hardware identifier assigned to each network interface on the Linux device.
  • IP Address—IP address assigned to each network interface on the Linux device.
Anti-Malware
Information about any antivirus or anti-spyware that is enabled or installed on the device, whether real-time anti-virus or anti-spyware protection is enabled on the host, virus definition version, last scan time, and the vendor and product name.
Disk Backup
Information about the disk backup status of the device such as whether the disk backup software is installed on the host, the last backup time, and the vendor and product name of the software.
Disk Encryption
Information about the disk encryption status of the device such as whether the disk encryption software is installed on the host, the drive or path to check for disk encryption to determine a match, state of the encrypted location, and the vendor and product name of the software.
(Requires GlobalProtect app 5.2) If you want to view the encryption status of all drives or paths on the endpoint, you must manually enter All as the Encrypted Locations when creating the HIP object for the Disk Encryption category. To verify if all drives or paths are encrypted, you must set the Encrypted Locations to All and set the State to Is encrypted from the drop-down.
Firewall
Information about whether firewall software is enabled or installed on the host.
Patch Management
Information about any patch management software that is installed or enabled on the host and whether the host detected missing patches and the specified severity value. See the Patch Management category for details on each value.
Custom Checks
Information about the Process List collected by the GlobalProtect app from Linux devices. You can enable custom checks to collect data from Linux devices to instruct the app to collect specific information that can include whether an application is installed on the device, or specific attributes or properties of that application.