Deploy the GlobalProtect Mobile App for macOS Using Jamf Pro

Table of Contents

Create a Single Configuration Profile for the GlobalProtect App for macOS

Enable System and Network Extensions on macOS Endpoints Using Multiple Configuration Profiles

Learn how to deploy the GlobalProtect app to your macOS endpoints using Jamf Pro.

Where Can I Use This?	What Do I Need?
Prisma Access PAN-OS GlobalProtect Subscription	Prisma Access Mobile Users license (for use with Prisma Access) GlobalProtect Gateway license (for use with PAN-OS) GlobalProtect app for macOS 6.0.4 and later and 6.1 and later releases Endpoints running macOS 11 (Big Sur), macOS 12 (Monterey), or macOS 13 (Ventura)

Starting with GlobalProtect app 6.0.4 and later and 6.1 releases, you can deploy the GlobalProtect app to managed macOS endpoints that have enrolled with Jamf Pro by using a script that prepopulates GlobalProtect app settings such as the default portal address and connection method. As a best practice, you can also target the app installation or upgrade to a smaller group of endpoints before rolling out the installation to the rest of your organization.

If you configured dual GlobalProtect portals, you can set up the script to support multiple portals. This method works only on initial deployments, when you're deploying the GlobalProtect app for the first time to your endpoints without any preexisting configuration present. In this case, you must configure the Jamf policy to run the script before installing the GlobalProtect package.

For a demonstration on how to deploy the GlobalProtect app by using Jamf Pro, watch this video.

For step-by-step instructions, refer to the following procedure:

Download the GlobalProtect app package for macOS from the Customer Support Portal.
1. Log in to the Palo Alto Networks Customer Support Portal (https://support.paloaltonetworks.com/).
  
  You must have a valid Palo Alto Networks Customer Support Portal account to log in to and download software from the Software Updates page.
2. Select UpdatesSoftware Updates.
3. Select the GlobalProtect app version for macOS.
4. Review the Release Notes for the app version, and then select the download link.
Upload the GlobalProtect app PKG file to Jamf Pro:
1. Select SettingsComputer ManagementPackages.
2. Click New.
3. Configure general settings for the package, including the display name and category (optional).
4. Click Choose File and select the GlobalProtect app package to upload.
5. Save your settings.

Create a script that you will add to Jamf Pro that prepopulates default settings, such as the default GlobalProtect portal and connection method. You can also set up the script to support multiple GlobalProtect portals.

The following examples are provided as a reference. Customize the script and app settings as needed for your environment.

Single portal script:

#!/bin/bash
## Description: Checks for global preferences file and populates  
## it with the default portal if needed.
## Body ###########################################################
## Declare Variables ##############################################
 
# Get current Console user
active_user=$( stat -f "%Su" /dev/console )
 
# Global Prefs File
gPrefs=/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
 
## Logic ##########################################################
 
# Check to see if the global preference file already exists...
if [[ -e $gPrefs ]]; then
	echo "Default global portal already exists. Skipping."
else
	echo "Setting default global portal to: your.portal.here.com"
     # If it does not already exist, create it and populate the default portal using the echo command
       echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Palo Alto Networks</key>
    <dict>
        <key>GlobalProtect</key>
        <dict> 
            <key>PanSetup</key>
            <dict>
                <key>Portal</key>
                <string>your.portal.here.com</string>
                <key>Prelogon</key>
                <string>0</string>
            </dict>
            <key>Settings</key>
            <dict>
                <key>connect-method</key>
                <string>on-demand</string>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
' > $gPrefs
echo $?
	# Kill the Preference caching daemon to prevent it from overwriting any changes
	killall cfprefsd
	echo $?
fi
# Check exit code.
exit $?

Multiple portal script:

#!/bin/bash
## Description: Checks for global and user preferences and populates with a test portal if needed.
## Body ###############################################################
## Declare Variables ##################################################

# Get current Console user
active_user=$( stat -f "%Su" /dev/console )

# Global Prefs File
gPrefs=/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist

# User Prefs File
uPrefs=/Users/${active_user}/Library/Preferences/com.paloaltonetworks.GlobalProtect.client.plist

## Logic ##############################################################

echo "Setting default global portal to: your.portal.here.com in GPS"
# If it does not already exist, create it and populate the default portal using PlistBuddy
/usr/libexec/PlistBuddy -c "Add Palo\ Alto\ Networks:GlobalProtect:PanSetup:Portal string your.portal.here.com" \
-c "Add Palo\ Alto\ Networks:GlobalProtect:PanSetup:Prelogon string 0" $gPrefs
echo $?

# Kill the Preference caching daemon to prevent it from overwriting any changes
killall cfprefsd
echo $?

#convert plist files from binary to xml format
plutil -convert xml1 $uPrefs

echo "Setting default user portal to: your.portal.here.com in GPA"
# If it does not already exist, create it and populate the default portal using the echo command
echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
       <key>PanPortalList</key>
       <array>
               <string>your.portal.here.com</string>
               <string>your.second.portal.here.com</string>
       </array>
</dict>
</plist>
' > $uPrefs

echo $?

# Kill the Preference caching daemon to prevent it from overwriting any changes
killall cfprefsd
echo $?

# Assign ownership of the user preference file to the signed in user
chown $active_user $uPrefs
echo $?

#restart GlobalProtect
pkill GlobalProtect

# Check exit code.
exit $?

(Optional) If you configured the GlobalProtect portal to authenticate users through SAML authentication, end users can connect to SAML-enabled applications without having to reenter their credentials, providing a seamless single sign-on (SSO) experience. To enable an endpoint to use the default system browser for SAML authentication, add the following statements to the Settings dictionary in the default settings script:

   <key>default-browser</key>
   <string>yes</string>

For example, the following sample script pushes the default GlobalProtect portal address, connection method, and the setting for using the default system browser for SAML authentication:

#!/bin/bash
## Description: Checks for global preferences file and populates  
## it with the default portal if needed.
## Body ###########################################################
## Declare Variables ##############################################
 
# Get current Console user
active_user=$( stat -f "%Su" /dev/console )
 
# Global Prefs File
gPrefs=/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
 
## Logic ##########################################################
 
# Check to see if the global preference file already exists...
if [[ -e $gPrefs ]]; then
	echo "Default global portal already exists. Skipping."
else
	echo "Setting default global portal to: your.portal.here.com"
	echo "Setting fips mode"
     # If it does not already exist, create it and populate the default portal using the echo command
       echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Palo Alto Networks</key>
    <dict>
        <key>GlobalProtect</key>
        <dict> 
            <key>PanSetup</key>
            <dict>
                <key>Portal</key>
                <string>your.portal.here.com</string>
                <key>Prelogon</key>
                <string>0</string>
            </dict>
            <key>Settings</key>
            <dict>
                <key>connect-method</key>
                <string>on-demand</string>
                <key>default-browser</key>
                <string>yes</string>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
' > $gPrefs
echo $?
	# Kill the Preference caching daemon to prevent it from overwriting any changes
	killall cfprefsd
	echo $?
fi
# Check exit code.
exit $?

Add the script to Jamf Pro.
1. Select SettingsComputer ManagementScripts.
2. Click New.
3. Enter a Display Name for the script.
4. Select Script and copy and paste your script to the editor.
5. Save the script.
If you have not done so already, create a Jamf Smart Computer Group to target specific macOS devices for installation of the GlobalProtect app.
1. Select ComputersSmart Computer GroupsNew.
2. Enter a Display Name for the group.
3. Select Criteria and Add the criteria for the group.
4. Save your settings.
Create a Jamf Policy by adding the GlobalProtect package and script to the policy, and setting the scope to the Smart Computer Group that you created for your macOS devices in step
6
.
1. In Jamf Pro, select ComputersPoliciesNew.
2. In the General payload, configure the basic settings for the policy:
  Enter a Display Name for the policy and Enable the policy.
  (Optional) Select a Category.
  Specify a Trigger that will initiate a policy, such as Recurring Check-in.
  Select an Execution Frequency, such as Once per computer and Automatically re-run the policy on failure.
3. Configure the Scripts payload by selecting ScriptsConfigure.
  
  Add the script that you created in step
  5
  and select the Priority for running the script. For multiple portal support, ensure that you set the Priority to Before so that the script will run before the installation of the GlobalProtect package.
  
  If you set the priority to After, make sure to restart the GlobalProtect app after the deployment has completed so that the configuration can take effect.
4. Configure the Packages payload by selecting PackagesConfigure.
  Add the GlobalProtect app package that you uploaded in step
  2
  .
  Select a Distribution Point.
  Select Install in the Action menu.
5. Configure the Maintenance payload by selecting MaintenanceConfigure.
  
  Select Update Inventory.
6. Configure the scope of the policy.
  Select Scope and Add a deployment target.
  
  Click Computer Groups and Add the Smart Computer Group that you created in step
  6
  .
  Click Done. The computers in the selected computer group will be targeted for deployment of the GlobalProtect app.
7. Save the policy.
  The next time macOS endpoints in the Smart Computer Group that is scoped to the policy check in with Jamf Pro and meet the trigger in the General payload, the policy will run and deploy the GlobalProtect app to the endpoints.