>
    Strata Copilot
    Configure GlobalProtect Settings on macOS via Microsoft Intune
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect Administrator's Guide
    4. GlobalProtect Apps
    5. Deploy the GlobalProtect App on Mobile Devices
    6. Manage the GlobalProtect App Using Microsoft Intune
    7. Configure Micrsoft Intune for macOS Endpoints
    8. Configure GlobalProtect Settings on macOS via Microsoft Intune
    Download PDF
    GlobalProtect

    Configure GlobalProtect Settings on macOS via Microsoft Intune

    Table of Contents

    Configure GlobalProtect Settings on macOS via Microsoft Intune

    Deploy settings to enhance GlobalProtect security.
    Where Can I Use This?What Do I Need?
    • NGFW (managed by Panorama or Strata Cloud Manager)
    • Prisma Access (managed by Panorama or Strata Cloud Manager)
    • GlobalProtect Gateway license or Prisma Access license with the Mobile User subscription
    You deploy system extensions, enforce connections for network access, and grant full disk access to the GlobalProtect app for enhanced security and effectiveness. Deploying system extensions enables the necessary system access for GlobalProtect to function properly on macOS. System extensions allow GlobalProtect to integrate with the operating system for enhanced security and network management capabilities.
    1. On the Microsoft Intune admin center, navigate to DevicesmacOSConfiguration.
    2. Click CreateNew Policy.
    3. Set the Profile type to Settings catalog and click Create.
    4. Enter a name and description and click Next.
    5. In the Configuration settings tab, click Add settings.
    6. Search and add parameters per the following table.
      Task and Search ValueSelectAdd Fields and Specify Values in System Extension Pane
      To deploy system extensions, search for extensions.System Configuration> System Extensions
      1. Select Allowed System Extensions and Removable System Extensions check boxes.
      2. Close the Settings panel.
      3. In the System Extensions panel, click Edit instance in Removable System Extensions and enter the following values:
        • Bundle Identifier: com.paloaltonetworks.GlobalProtect.client.extension
        • Team Identifier: PXPZ95SK77
      4. Repeat the above step in the Removable System Extensions
      (Optional) To enforce GlobalProtect for network access, search for content filter
      Web > Web Content Filter
      1. Select the following check boxes:
        • Filter Data Provider Bundle Identifier
        • Filter Data Provider Designated Requirement
        • Filter Grade
        • Filter Packet Provider Bundle Identifier
        • Filter Packet Provider Designated Requirement
        • Filter Packets
        • Filter Sockets
        • Filter Type
        • Plugin Bundle ID
      2. Close the settings panel.
      3. Specify the following values.
        • Filter Data Provider Bundle Identifier: com.paloaltonetworks.GlobalProtect.client.extension
        • Filter Data Provider Designated Requirement:
          com.paloaltonetworks.GlobalProtect.client.extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists / or certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = PXPZ95SK77)
        • Filter Grade: firewall
        • Filter Packet Provider Bundle Identifier: com.paloaltonetworks.GlobalProtect.client.extension
        • Filter Packet Provider Designated Requirement: anchor apple generic and identifier "com.paloaltonetworks.GlobalProtect.client.extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77)
        • Filter Packets: True
        • Filter Sockets: True
        • Filter Type: Plug-In
        • Plugin Bundle ID: com.paloaltonetworks.GlobalProtect.client
      To grant full disk access to the GlobalProtect app, search for privacy. Privacy > Privacy Preferences Policy Control
      1. Expand Services and select the System Policy All Files checkbox.
      2. Close the Settings panel.
      3. Click Edit instance and enter the following values in the Privacy Preferences Policy Control panel:
        • Allowed: True
        • Authorization: not required, so you can delete this field
        • Code Requirement:
          anchor apple generic and identifier "com.paloaltonetworks.GlobalProtect.client.extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists / or certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = PXPZ95SK77)
        • Identifier: PXPZ95SK77
        • Identifier Type: bundle ID
        • Static Code: False
    7. Click Next.
    8. Do not make any changes in the Scope tags tab and click Next.
    9. Select user assignments as appropriate and click Next.
    10. Assign this policy to the appropriate groups and click Next.
    11. Review the policy summary and click Create.

    © 2025 Palo Alto Networks, Inc. All rights reserved.