Deploy the GlobalProtect App on macOS Endpoints using Microsoft Intune

Table of Contents

Configure Micrsoft Intune for macOS Endpoints

Configure GlobalProtect Settings on macOS via Microsoft Intune

Upload the GlobalProtect package to Microsoft Intune.

Upload the GlobalProtect package you received from your support representative, specify the portal and connect method, and specify the operating system for the app

Navigate to the Microsoft Intune Admin Center at https://intune.microsoft.com and log in with the administrator credentials for Intune.
Select AppsmacOS and then click Add.
In the Select app type pane that opens up on the right. select macOS app (PKG) and click Select.
Click Select app package file, upload the GlobalProtect package file from your computer, and click OK.
In the App Information tab, specify the Publisher as Palo Alto Networks, enter additional information as required, and click Next.

In the Program tab, enter the pre-install script to be run before the GlobalProtect app is installed. With this script, you can specify the portal, connect method and whether default browser is to be used for authentication.

Copy paste the following script in the Pre-install script after updating the Portal, connect-method, and default-browser values.

#!/bin/bash
## Description: Checks for global preferences file and populates  
## it with the default portal if needed.
## Body ###########################################################
## Declare Variables ##############################################
 
# Get current Console user
active_user=$( stat -f "%Su" /dev/console )
 
# Global Prefs File
gPrefs=/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
 
## Logic ##########################################################
 
# Check to see if the global preference file already exists...
if [[ -e $gPrefs ]]; then
	echo "Default global portal already exists. Skipping."
else
	echo "Setting default GP portal to: {Portal FQDN here}"
     # If it does not already exist, create it and populate the default portal using the echo command
       echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Palo Alto Networks</key>
    <dict>
        <key>GlobalProtect</key>
        <dict> 
            <key>PanSetup</key>
            <dict>
                <key>Portal</key>
                <string>{Portal FQDN here}</string>
            </dict>
            <key>Settings</key>
            <dict>
                <key>connect-method</key>
                <string>on-demand | always-on</string>
                <key>default-browser</key>
                <string>{Value}</string> [yes | no]
            </dict>
        </dict>
    </dict>
</dict>
</plist>
' > $gPrefs
echo $?
	# Kill the Preference caching daemon to prevent it from overwriting any changes
	killall cfprefsd
	echo $?
fi
# Check exit code.
exit $?

Click Next.
In the Requirements tab, select the minimum operating system required to install the GlobalProtect app and click Next.
In the Detection rules tab, set Ignore app version to No.

This setting ensures that Microsoft Intune verifies the GlobalProtect app bundleID and version number before installation.
Leave the App bundle ID and App version values unchanged and click Next.
Select user assignments as appropriate and click Next.
Review the app summary and click Create.