GlobalProtect app 6.0 for Windows and macOS now introduces a more streamlined user interface and a more intuitive connection process. The redesigned app features improved workflows that enable end users to quickly understand connectivity and access issues. With this redesign, end users can enable features that they prefer to use from a central location. Additionally, end users can monitor specific notifications and Host Information Profile (HIP) report submissions sent to multiple internal gateways from a central location to help you to quickly troubleshoot HIP related issues.

To enable a better user experience, GlobalProtect app 6.0 for Android and iOS endpoints now provides an improved connection workflow. The GlobalProtect app now displays informative connectivity error messages while the end user is connecting to the gateway. Additionally, when you configure GlobalProtect with the

Always On

connect method, the home screen now displays

CONNECTED

state with a disconnect message to prevent end users from disconnecting when they try to tap the

Connect

icon.

To enable a better user experience, you can now configure the GlobalProtect app to continue to display the status panel while the end user is entering their credentials when logging in or cancels the request.

Available with Content Release Version 8450-6909 or later.

If you have set up the GlobalProtect portal to authenticate users through Security Assertion Markup Language (SAML) authentication, you can now leverage the Cloud Authentication Service to enable users to authenticate to GlobalProtect using a cloud identity provider, such as Onelogin or Okta.

You can now enforce a security policy rule to track traffic from endpoints while end users are connected to GlobalProtect and to quickly log out inactive GlobalProtect sessions. With this enhancement, you can now enforce a shorter inactivity logout period. If a GlobalProtect session remains inactive during the configured time period, the session is automatically logged out and the VPN tunnel is terminated.

GlobalProtect now extends native support for ARM64-based Windows devices. This enables Palo Alto Networks customers to secure their remote workforce using ARM64-based Windows devices to access all features that are available on the GlobalProtect app, and allows uniform endpoint security policy and enforcement similar to Intel-based Windows devices.

GlobalProtect now extends support for Linux devices to allow you to enable or disable local network access whenever end users are connected to GlobalProtect similar to Windows and macOS. Excluding local subnets from tunnel and allowing local subnet access enables end users to access proxies and local resources (such as local printers) directly without sending any local subnet traffic through the VPN tunnel. If you do not want end users to access local subnets, you can disable traffic to local subnets.

(

Android 8 and later releases

) You can now use a mobile device management (MDM) system such as Workspace ONE to grant permission to the GlobalProtect app for certificate delegation. This enables the GlobalProtect app for Android devices to select a client certificate based on the client certificate alias without first prompting GlobalProtect app users to manually select a certificate.

The GlobalProtect app now supports SSO using smart card authentication to reduce the number of times end users must enter their smart card Personal Identification Number (PIN) when they log in to their Windows 10 endpoint or to authenticate to GlobalProtect. Leveraging the same smart card PIN for GlobalProtect with their Windows 10 endpoint enables end users to connect without having them to re-enter their smart card PIN in the app for a seamless SSO experience. After the end user successfully logs in to the Windows 10 endpoint, the app acquires and remembers their smart card PIN to authenticate with the portal and gateway.

Available with Content Release version 8451-6911 or later.

With the Endpoint Traffic Policy Enforcement feature, GlobalProtect now provides added security to protect your remote workforce. You can now use the Endpoint Traffic Policy feature on the GlobalProtect endpoint to block malicious inbound connections and to restrict any applications from bypassing the GlobalProtect tunnel. Additionally, you can prevent end users from tampering with the routing table to bypass the GlobalProtect tunnel.

Available with Content Release Version 8450-6909 or later.

You can now use Jamf Pro to deploy the GlobalProtect app 6.0.4 and later releases to macOS endpoints to support large-scale GlobalProtect app deployments in on-premises and Prisma Access environments. Administrators can also provide a seamless user experience for macOS end users by deploying Jamf configuration profiles that can load system and network extensions automatically, thus preventing the user from having to respond to notifications on the GlobalProtect app.

Administrators can use Jamf Pro to deploy the GlobalProtect mobile app to macOS endpoints and enable system and network extensions on macOS endpoints using Jamf Pro.

In preparation for submitting the GlobalProtect 6.0 app for FIPS-CC certification, the GlobalProtect app for Windows and macOS endpoints, ARM-based devices running on Windows and macOS, iOS, Android, and Linux has been updated to meet FIPS-CC requirements. The GlobalProtect app FIPS-CC is supported on x86 and ARM-based platforms.

With this feature, you can deploy the GlobalProtect app in FIPS-CC mode to enforce stronger security checks for your users, including the following:

Federal Information Processing Standard (FIPS 140-3) and Common Criteria (CC) are security certifications that ensure a standard set of security assurances and functionalities. These certifications are often required by U.S. government agencies and other domestic and international regulated industries.