>
    Strata Copilot
    Deploy App Settings to macOS Endpoints
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect Administrator's Guide
    4. GlobalProtect Apps
    5. Deploy App Settings Transparently
    6. Deploy App Settings to macOS Endpoints
    Download PDF
    GlobalProtect

    Deploy App Settings to macOS Endpoints

    Table of Contents

    Deploy App Settings to macOS Endpoints

    Use the macOS global plist file to deploy app settings and scripts to macOS endpoints.
    Where Can I Use This?What Do I Need?
    • NGFW (managed by Panorama)
    • GlobalProtect Gateway license
    Use the macOS global plist (property list) file to set the GlobalProtect app customization settings or to deploy scripts to macOS endpoints.

    Deploy App Settings in the macOS Plist

    Customize and deploy GlobalProtect app settings in macOS plist to enforce security rules and configure portal name and connect method.
    Where Can I Use This?What Do I Need?
    • NGFW (managed by Panorama)
    • GlobalProtect Gateway license
    You can set the GlobalProtect app customization settings in the macOS global plist (Property list) file. This enables deployment of GlobalProtect app settings to macOS endpoints prior to their first connection to the GlobalProtect portal.
    On macOS endpoints, plist files are either located in /Library/Preferences or in ~/Library/Preferences. The tilde ( ~ ) symbol indicates that the location is in the current user's home folder. The GlobalProtect app on a macOS endpoint first checks for the GlobalProtect plist settings. If the plist does not exist at that location, the GlobalProtect app searches for plist settings in ~/Library/Preferences.
    In addition to using the macOS plist to deploy GlobalProtect app settings, you can enable the GlobalProtect app to collect specific macOS plist information from the endpoints. You can then monitor the data and add it to a security rule to use as matching criteria. Endpoint traffic that matches registry settings you define can be enforced according to the security rule. Additionally, you can set up custom checks to Collect Application and Process Data From Endpoints.
    1. Open the GlobalProtect plist file and locate the GlobalProtect app customization settings.
      Use Xcode or an alternate plist editor to open the plist file:
      /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
      Then go to:
      /Palo Alto Networks/GlobalProtect/Settings
      If the Settings dictionary does not exist, create it. Add each key to the Settings dictionary as a string.
    2. Set the portal name.
      If you do not want the end user to manually enter the portal address even for the first connection, you can pre-deploy the portal address through the plist. In the PanSetup dictionary, configure an entry for Portal.
    3. Deploy various settings to the macOS endpoint, including the connect method for the GlobalProtect app.
      View Customizable App Settings. for a full list of the keys and values that you can configure using the macOS plist.
    4. (Optional) If you are using kernel system extensions and need to switch to kernel extensions, set the key value to UseKextAnyway in the macOS plist (/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist) for the GlobalProtect app.
      Follow these guidelines when you are using system extensions and need to switch to kernel extensions:
      • After you have enabled system extensions, you must first uninstall the existing app to use the UseKextAnyway plist key to enable kernel extensions on macOS.
      • You later have the option to revert to use system extensions. You must delete the UseKextAnyway plist key in the macOS plist. After you have deleted this plist key, you must restart the GobalProtect app in order for the change to take effect.
      • By switching to kernel extensions, you can no longer use the Split DNS and Enforce GlobalProtect Connections with FQDN Exclusions features.
      • If you have configured split tunnel settings based on the application on macOS endpoints, all Safari-based traffic, Microsoft Teams-based traffic, or Slack-based traffic that are defined in the split tunnel configuration would be dropped. We recommend that you use Chrome instead of Safari so that traffic defined in the split tunnel configuration will not be dropped. All traffic that was created based on the WebKit framework such as Safari, Microsoft Teams, or Slack might have problems using kernel extensions.
      You must specify UseKextAnyway as the plist key before installing GlobalProtect app 5.2.6 or later releases or upgrading from an earlier release to GlobalProtect app 5.2.6 or later releases running Catalina 10.15.4 or later. However, if you are upgrading from an earlier release to GlobalProtect app 5.2.6 or later releases running macOS Big Sur 11 or later, you must enable system extensions.

    Deploy Scripts Using the macOS Plist

    Deploy scripts using the macOS plist in GlobalProtect to make app setting changes and run scripts at different events.
    Where Can I Use This?What Do I Need?
    • NGFW (managed by Panorama)
    • GlobalProtect Gateway license
    When a user connects to the GlobalProtect gateway for the first time, the GlobalProtect app downloads the configuration file and stores app settings in a GlobalProtect macOS property file (plist). In addition to making changes to the app settings, you use the plist to deploy scripts at any or all of the following events: before and after establishing the tunnel, and before disconnecting the tunnel. Use the following workflow to use the plist to deploy scripts to macOS endpoints.
    The macOS plist settings that enable you to deploy scripts are supported on endpoints running GlobalProtect App 2.3 and later releases.
    1. (Endpoints running Mac OS X 10.9 or a later OS) Flush the settings cache. This prevents the OS from using the cached preferences after making changes to the plist.
      To clear the default preferences cache, run the killall cfprefsd command from a macOS terminal.
    2. Open the GlobalProtect plist file, and locate or create the GlobalProtect dictionary associated with the connect or disconnect event. The dictionary under which you will add the settings determines when the GlobalProtect app runs the script(s).
      Use Xcode or an alternate plist editor to open the plist file (/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist) and go to one of the following dictionary locations:
      • /PaloAlto Networks/GlobalProtect/Settings/pre-vpn-connect
      • /Palo Alto Networks/GlobalProtect/Settings/post-vpn-connect
      • /Palo Alto Networks/GlobalProtect/Settings/pre-vpn-disconnect
      If Settings dictionary does not exist, create it. Then, in Settings, create a new dictionary for the event or events at which you want to run scripts.
    3. Enable the GlobalProtect app to run scripts by creating a new String named command.
      The value specified here should reference the shell script (and the parameters to pass to the script) that you want run on your endpoints.
      If the command string does not already exist, add it to the dictionary and specify the script and parameters in the Value field. For example:
      $HOME/pre_vpn_connect.sh
/Users/username username
      Environmental variables are supported.
      As a best practice, specify the full path in commands.
    4. (Optional) Add additional settings related to the command, including administrator privileges, a timeout value for the script, checksum value for the batch file, and an error message to display if the command fails to execute successfully.
      Create or modify additional strings in the plist (context, timeout, file, checksum, and/or error-msg) and enter their corresponding values. For additional information, see Customizable App Settings..
    5. Save the changes to the plist file.
      Save the plist.

    © 2025 Palo Alto Networks, Inc. All rights reserved.