Download and Install the GlobalProtect App for macOS
Focus
Focus
GlobalProtect

Download and Install the GlobalProtect App for macOS

Table of Contents

Download and Install the GlobalProtect App for macOS

Before connecting to the GlobalProtect network, you must download and install the GlobalProtect app on your macOS endpoint. To ensure that you get the right app for your organization’s GlobalProtect or Prisma Access deployment, you must download the app directly from a GlobalProtect portal within your organization. For this reason, there is no direct GP app download link available on the Palo Alto Networks site.
Before you can download and install the GlobalProtect app, you must obtain the IP address or FQDN of the GlobalProtect portal from your administrator. In addition, your administrator should verify which username and password you can use to connect to the portal and gateways. This is typically the same username and password that you use to connect to your corporate network.
When you install the GlobalProtect app for the first time on a macOS device running macOS Catalina 10.15.4, macOS Big Sur 11, or later or upgrade to GlobalProtect app 5.1.4, you must enable the system extensions that are used for specific GlobalProtect features. If your administrator has configured split tunnel on the GlobalProtect gateway based on the destination domain name and application process name or enforced GlobalProtect connections for network access on the GlobalProtect portal (see GlobalProtect App Customization), the
System Extension Blocked
notification message displays on the GlobalProtect app during the installation. The message prompts users to enable and allow the system extensions in macOS that are blocked from loading to use the split tunnel and Enforce GlobalProtect for Network Access features.
Follow these guidelines when you use system extensions:
  • Only users with administrator privileges can enable the system extensions on the GlobalProtect app for macOS endpoints.
  • Due to the security enhancement on macOS Catalina 10.15 and macOS Big Sur 11 to ensure that your data is protected while using third-party applications, GlobalProtect must request your permission before attempting access to files and folders stored in your Documents, Desktop, and Downloads folders and network drives. If your administrator has enabled HIP checks, new permission pop-ups appear on your macOS endpoint when GlobalProtect requests access to certain files and folder stored in your file system.
  • The GlobalProtect app 5.1.4 running on macOS Catalina 10.15.4, macOS Big Sur 11, or later does not use kernel extensions and will use system extensions.
  • The GlobalProtect app 5.1.4 running on macOS Catalina 10.15.4, macOS Big Sur 11, or later will not use the kernel extensions (
    com.paloaltonetworks.kext.pangpd
    ) and instead will use any of the available utun interfaces provided by macOS as the virtual adapter.
  • If you are upgrading from an earlier release to the GlobalProtect app 5.1.4 running on macOS Catalina 10.15.4, macOS Big Sur 11, or later, kernel extensions are no longer needed. After the upgrade, the
    System Extension Blocked
    notification message displays on the GlobalProtect app, prompting users to enable and allow the system extensions in macOS that was blocked from loading. By default, the app will not install system extensions and the same default settings are applied.
After you gather the required information, use the following steps to download and install the app:
  1. Log in to the GlobalProtect portal.
    1. Launch a web browser and go to the following URL:
      https://<portal IP address or FQDN>
      Example:
      http://gp.acme.com
    2. On the portal login page, enter your
      Name
      (username) and
      Password
      and then click
      LOG IN
      . In most instances, you can use the same username and password that you use to connect to your corporate network.
  2. Navigate to the app download page.
    In most instances, the app download pages appears immediately after you log in to the portal. Use this page to download the latest app software package.
    If your system administrator has enabled GlobalProtect Clientless VPN access, the applications page opens after you log in to the portal (instead of the app download page). Select
    GlobalProtect Agent
    to open the download page.
  3. Download the app.
    1. Click
      Download Mac 32/64 bit GlobalProtect agent
      .
    2. When prompted,
      Run
      the software.
    3. When prompted again,
      Run
      the GlobalProtect Installer.
  4. Complete the GlobalProtect app setup using the GlobalProtect Installer.
    1. From the GlobalProtect Installer, click
      Continue
      .
    2. On the
      Destination Select
      screen, select the installation folder for the GlobalProtect app, and then click
      Continue
      .
    3. On the
      Installation Type
      screen, select the
      GlobalProtect
      installation package check box.
      If your system administrator has configured the split tunnel on the gateway or enforced GlobalProtect connections for network access on the portal, select the
      GlobalProtect System extensions
      check box (disabled by default).
      Click
      Continue
      .
    4. Click
      Install
      to confirm that you want to install GlobalProtect.
    5. When prompted, enter your
      User Name
      and
      Password
      , and then click
      Install Software
      to begin the installation.
    6. After installation is complete,
      Close
      the installer.
    7. If your administrator has configured the portal to install the Autonomous DEM (ADEM) endpoint agent during the GlobalProtect app installation for the first time, select
      OK
      in the following pop-up pop-up prompt so that it will not appear again:
    8. If you enabled the
      GlobalProtect System Extensions
      , select
      Open Security Preferences
      to enable the system extensions in macOS that was blocked from loading from the following
      System Extension Blocked
      notification:
      If your administrator has suppressed this notification by using the supported mobile device management system (MDM) such as Workspace ONE, you can automatically load the system extensions without receiving this notification.
    9. On the
      Security & Privacy
      dialog, click the
      padlock
      icon to make changes, and then select
      App Store and identified developers
      in the
      Allow apps downloaded from
      area. Click
      Allow
      .

Recommended For You