GlobalProtect
Configure GlobalProtect Settings on macOS via Microsoft Intune
Table of Contents
Configure GlobalProtect Settings on macOS via Microsoft Intune
Deploy settings to enhance GlobalProtect security.
You deploy system extensions, enforce connections for network access, and grant full
disk access to the GlobalProtect app for enhanced security and effectiveness.
Deploying system extensions enables the necessary system access for GlobalProtect to
function properly on macOS. System extensions allow GlobalProtect to integrate with
the operating system for enhanced security and network management capabilities.
- On the Microsoft Intune admin center, navigate to .
- Click .
- Set the Profile type to Settings catalog and click
Create.
- Enter a name and description and click Next.
- In the Configuration settings tab, click Add settings.
- Search and add parameters per the following table.
Task and Search Value Select Add Fields and Specify Values in System Extension Pane To deploy system extensions, search for extensions. System Configuration> System Extensions - Select Allowed System Extensions and Removable System Extensions check boxes.
- Close the Settings panel.
- In the System Extensions panel, click Edit
instance in Removable System Extensions and enter
the following values:
- Bundle Identifier: com.paloaltonetworks.GlobalProtect.client.extension
- Team Identifier: PXPZ95SK77
- Repeat the above step in the Removable System Extensions
(Optional) To enforce GlobalProtect for network access, search for content filter Web > Web Content Filter- Select the following check boxes:
- Filter Data Provider Bundle Identifier
- Filter Data Provider Designated Requirement
- Filter Grade
- Filter Packet Provider Bundle Identifier
- Filter Packet Provider Designated Requirement
- Filter Packets
- Filter Sockets
- Filter Type
- Plugin Bundle ID
- Close the settings panel.
- Specify the following values.
- Filter Data Provider Bundle Identifier: com.paloaltonetworks.GlobalProtect.client.extension
- Filter Data Provider Designated
Requirement:com.paloaltonetworks.GlobalProtect.client.extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists / or certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = PXPZ95SK77)
- Filter Grade: firewall
- Filter Packet Provider Bundle Identifier: com.paloaltonetworks.GlobalProtect.client.extension
- Filter Packet Provider Designated Requirement: anchor apple generic and identifier "com.paloaltonetworks.GlobalProtect.client.extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77)
- Filter Packets: True
- Filter Sockets: True
- Filter Type: Plug-In
- Plugin Bundle ID: com.paloaltonetworks.GlobalProtect.client
To grant full disk access to the GlobalProtect app, search for privacy. Privacy > Privacy Preferences Policy Control - Expand Services and select the System Policy All Files checkbox.
- Close the Settings panel.
- Click Edit instance and enter the following
values in the Privacy Preferences Policy Control
panel:
- Allowed: True
- Authorization: not required, so you can delete this field
- Code Requirement: anchor apple generic and identifier "com.paloaltonetworks.GlobalProtect.client.extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists / or certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = PXPZ95SK77)
- Identifier: PXPZ95SK77
- Identifier Type: bundle ID
- Static Code: False
- Click Next.
- Do not make any changes in the Scope tags tab and click Next.
- Select user assignments as appropriate and click Next.
- Assign this policy to the appropriate groups and click Next.
- Review the policy summary and click Create.
