Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature.
Create and deploy a configuration profile for Prisma Access Agents that defines
how the Prisma Access Agent is configured on managed macOS devices. For
example, you can set up the configuration profile to automatically load system
extensions to provide a seamless experience for users running the Prisma Access Agent to access the internet, SaaS applications, and private
applications and resources in your organization.
The following extensions are needed for the Prisma Access Agent:
securityExtension
networkExtension
After the agent has been deployed, you can run the systemextensionsctl list
command on an endpoint to verify that the extensions have been installed.
If you previously deployed other Palo Alto Networks apps such as GlobalProtect
and Cortex XDR to your endpoints, when deploying the system extensions via
mobile device management (MDM) software, the configuration profiles for Prisma
Access Agent and the other Palo Alto Networks apps must include the
Allowed System Extension and Removable
System Extension settings. If only one of the profiles has the
removable system extension, the uninstallation of Prisma Access Agent won’t
complete.
identifier "com.paloaltonetworks.pang.securityextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77
APP OR SERVICE = SystemPolicyAllFiles
ACCESS = Allow
Create a second App Access section by clicking the plus sign
(+).
In the second App Access section, specify the values as shown for the
following fields:
Identifier = com.paloaltonetworks.pang
Identifier Type = Bundle ID
Code Requirement = identifier "com.paloaltonetworks.pang" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77
APP OR SERVICE = SystemPolicyAllFiles
ACCESS = Allow
Save your settings.
Create a payload to automatically load Prisma Access Agent system
extensions on the end users' devices.
If you saved your settings in the previous step, click
Edit.
Select System Extensions > Configure.
(Optional) Enter a Display Name.
Specify the values as shown for the following fields:
System Extension Types = Allowed Team Identifiers
Team Identifier = PXPZ95SK77
Save your payload settings.
Configure a VPN payload to specify how the device
connects to your wireless network via the tunnel.
Select Options > VPN > Configure.
Enter a Connection Name.
For the VPN Type, select Per-App
VPN.
Specify the values as shown in the following fields:
Per-App VPN Connection Type = Custom SSL
Identifier = com.paloaltonetworks.pang
Server = A placeholder IP address such as 8.8.8.8
Save your settings.
Set the scope for the configuration profile.
Edit the configuration profile.
Select Scope and Add the
Smart Computer Group that you created to target the specific managed
macOS devices for the installation of the Prisma Access Agent.
Save the scope of the profile. The devices in
the selected computer group or groups will be targeted for the
distribution of the configuration profile.
To verify the status of the configuration profile installation:
In Jamf Pro, select Computers > Configuration Profiles.
Find the configuration profile that you set up and select
View.
Select the log that you want to view:
To show the configuration profiles that have been installed, select Inventory > Profiles.
To show the status of configuration profiles whose push is pending or has
failed, select Management and view the Pending Commands or Failed Commands.
After the profile has been deployed, verify the status of the profile
installation on a macOS endpoint:
In System Settings, select Profiles.
Double-click the Prisma Access Agent profile that you
deployed.
Review the profile settings to ensure that the correct settings have
been deployed.
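The same review can be done offline against an exported copy of the profile. The following is an added example, not Palo Alto Networks or Jamf code: it checks the Full Disk Access (SystemPolicyAllFiles) entries, their code requirements, and the allowed team identifier against the values on this page. The function names are hypothetical, the payload types and keys are Apple's configuration profile keys, and the Identifier of the first App Access section is assumed to match the identifier named in its code requirement.

```python
import plistlib

TEAM_ID = "PXPZ95SK77"  # team identifier given on the page
# Assumption: the first App Access entry's Identifier equals the one in its code requirement.
PPPC_IDS = ("com.paloaltonetworks.pang.securityextension", "com.paloaltonetworks.pang")

def code_requirement(ident):
    """Code requirement string as the page gives it for each identifier."""
    return (f'identifier "{ident}" and anchor apple generic and '
            "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
            "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
            f"certificate leaf[subject.OU] = {TEAM_ID}")

def audit_profile(data):
    """Return findings for a .mobileconfig plist; an empty list means it matches."""
    by_type = {}
    for payload in plistlib.loads(data).get("PayloadContent", []):
        by_type.setdefault(payload.get("PayloadType"), []).append(payload)
    findings = []
    # PPPC payload: each identifier needs SystemPolicyAllFiles granted (Allowed=true or
    # Authorization="Allow") and pinned to the documented code requirement.
    entries = [e for p in by_type.get("com.apple.TCC.configuration-profile-policy", [])
               for e in p.get("Services", {}).get("SystemPolicyAllFiles", [])]
    for ident in PPPC_IDS:
        entry = next((e for e in entries if e.get("Identifier") == ident), None)
        if entry is None:
            findings.append(f"PPPC: no SystemPolicyAllFiles entry for {ident}")
            continue
        if entry.get("IdentifierType") != "bundleID":
            findings.append(f"PPPC: {ident} is not identified by bundle ID")
        if not (entry.get("Allowed") is True or entry.get("Authorization") == "Allow"):
            findings.append(f"PPPC: {ident} is not allowed SystemPolicyAllFiles")
        if " ".join(entry.get("CodeRequirement", "").split()) != code_requirement(ident):
            findings.append(f"PPPC: code requirement for {ident} differs from the documented one")
    # System extension payload: the team identifier must be on the allow list.
    sysext = by_type.get("com.apple.system-extension-policy", [])
    if not any(TEAM_ID in p.get("AllowedTeamIdentifiers", []) for p in sysext):
        findings.append(f"System Extensions: team {TEAM_ID} is not an allowed team identifier")
    return findings

def sample_profile(requirement=code_requirement, teams=(TEAM_ID,)):
    """Constructed sample profile (not a Jamf export) used to exercise audit_profile."""
    pppc = [{"Identifier": i, "IdentifierType": "bundleID", "Allowed": True,
             "CodeRequirement": requirement(i)} for i in PPPC_IDS]
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": "com.apple.TCC.configuration-profile-policy",
         "Services": {"SystemPolicyAllFiles": pppc}},
        {"PayloadType": "com.apple.system-extension-policy",
         "AllowedTeamIdentifiers": list(teams)}]})
```

Pass the bytes of the exported file to audit_profile. A signed .mobileconfig has to be unwrapped to its plain plist before it can be parsed.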