Enable Users to Disable Prisma Access Agent Using a One-Time Password

Table of Contents

Configure Agent Settings for the Prisma Access Agent

Customize Prisma Access Agent Session Timeout Settings

Enable Users to Disable Prisma Access Agent Using a One-Time Password

One-time password (OTP) support enhances security for disabling the Prisma Access Agent, providing a secure, admin-approved method for end users to disable the agent when needed.

Where Can I Use This?	What Do I Need?
Strata Cloud Manager Managed Prisma Access	Check the prerequisites for the deployment you're using Minimum required Prisma Access Agent version: 25.3.0.43 macOS 14 and later or Windows 10 version 2024 and later desktop devices Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature

If your users need to disable the Prisma Access Agent, you can configure the agent with a one-time password (OTP) that they need to enter before disabling the agent.

The OTP feature introduces a new level of security and control for disabling the Prisma Access Agent. This feature enables Prisma Access Agent to generate unique single-use passwords for disabling the agent. In certain situations where a user needs to disable the Prisma Access Agent, you can share the OTP with the user, who will then enter the OTP when they disable the Prisma Access Agent.

The OTP is specific for a user's agent or device. Once a user successfully enters the OTP, it can’t be reused. If the user needs to disable the agent again, you must access another OTP and send it to the user. Any activity associated with the OTP is logged in the Prisma Access Agent logs, enabling you to track which users have disabled the agent. By implementing OTP support, you can enhance their security posture, improve auditing capabilities, and provide more flexible management options for their Prisma Access Agent deployments.

Enable the option to disable the agent with a one-time password for a user.
1. In Strata Cloud Manager, select ConfigurationNGFW and Prisma AccessConfiguration ScopeAccess AgentSetupPrisma Access Agent.
2. Add an agent setting or edit an existing agent setting.
3. Select the criteria (OS and User Entities) that match the user to which you authorize to disable the agent.
4. Select Disable AgentAllow with One Time Password.
5. Configure other agent settings if needed and Save the settings.
6. Push the configuration.
  
  When the user tries to disable the agent using either the Prisma Access Agent app or the pacli disable command, they will need to enter the OTP when prompted. If they don't have the OTP, they need to request the OTP from you.
Access the OTP and share it with the user.
1. In Strata Cloud Manager, select ConfigurationEndpoint Management.
2. In the Devices section of the Endpoint Management page, select the device Hostname of the agent for which you want to obtain the OTP.
3. In the agent details page, scroll to the OTPs section and click on the Disable OTP field to obtain the OTP. The OTP appears as a masked password. Click the eye icon to show the OTP.
4. Copy the OTP and share it with the end user using your preferred communication channel, typically via email.
  
  Once the user disables the agent with the OTP, they can no longer use the OTP again. If the user forgets the password, repeat step 2 to obtain the same OTP since the OTP has not been used. When the user successfully disabled the agent and needs to disable the agent again in the future, they will need to request another OTP since the OTP can’t be reused. Repeat step 2 to obtain a new OTP.
(Optional) Prisma Access Agent keeps track of the OTP codes generated for an agent, and will include the OTP generation events in the logs. You can use the Strata Logging Service to monitor the codes used by an agent.