>
    Strata Copilot
    Prisma Access Agent Deployment Configuration
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access Agent
    3. Prisma Access Agent Administration
    4. Deploy the Prisma Access Agent
    5. Prisma Access Agent Deployment Configuration
    Download PDF
    Prisma Access Agent

    Prisma Access Agent Deployment Configuration

    Table of Contents

    Prisma Access Agent Deployment Configuration

    Learn how to modify the configuration of the Prisma Access Agent before deploying the agent to your endpoints.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • NGFW (Managed by Panorama)
    • Check the prerequisites for the deployment you're using
    • macOS 14 and later or Windows 10 version 2024 and later desktop devices
    • macOS, Windows, or Linux desktop devices
    • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
    After you finish onboarding your mobile users, your Prisma Access Agent configurations, along with the Prisma Access tenant ID and Prisma Access server URL, are saved to the Prisma Access Agent configuration file. You can download this configuration file when you download the Prisma Access agent package from the Endpoint Management page (ConfigurationEndpoint Management). The configuration file is used during the installation of the Prisma Access Agent on your end users' devices.
    Before you deploy the Prisma Access Agent to your end users' devices, you can optionally edit the configuration file to modify the following options:
    • Set the server URL (the Prisma Access Agent domain)
    • Permanently enable or disable the feature to access Prisma Access Agents using a remote shell from the Endpoint Management page in Strata Cloud Manager
    • If the GlobalProtect app is running on your end users' devices, choose whether to enable or disable the GlobalProtect app during the installation of the Prisma Access Agent
    • Enable pre-logon for Prisma Access Agent (Not supported on Prisma Access Agent Linux)
    • Use the default system browser for SAML authentication on the endpoint
    Updating this file is optional, as the configuration already contains default settings or settings that you configured during the Prisma Access Agent onboarding process.
    The "enable_dlp": true setting is no longer required to enable Endpoint DLP during the installation of Prisma Access Agent. If you set it previously (before Prisma Access Agent version 25.3.1.14), remove it from the config.json file.

    Prisma Access Agent Configuration File

    To install the Prisma Access Agent with your configuration, you must put the configuration file with a predefined name (such as config.json) in the same folder as the Prisma Access Agent installation package. The Prisma Access Agent installer will look for this file during the agent startup, read all the supported values in the file, and configure the agent accordingly.
    The following example shows the typical contents that you can have in a configuration file:
    {
    "server_url": "xxx.epm.gpcloudservice.com",
    "tenant_id": "xxxxxxxxxx",
    "disable_remote_shell": false,
    "unload_gp": true,
    "pre_logon_supported": true
}
    You can modify the following fields and values in JSON format:
    FieldValue
    client_cert_lookup_store
    Use this parameter to define specific criteria for how Prisma Access Agent selects certificates during authentication.
    This parameter determines where the agent searches for authentication certificates. On Windows, certificates can be stored in either the user's personal certificate store or the local machine's certificate store. On macOS, certificates are stored in keychains, with similar separation between user and system.
    Possible values:
    • user—Agent searches only in the certificate store of the currently logged-in user
    • machine—Agent searches only in the local machine's certificate store
    • user_then_machine—Agent searches first in the user store, then in the machine store if no certificate is found (Default)
    client_cert_eku_oid_list
    Use this parameter to define specific criteria for how Prisma Access Agent selects certificates during authentication.
    This parameter provides additional granularity by allowing you to specify which certificate purposes are valid for authentication. Every certificate includes information about its intended use through OIDs (Object Identifiers).
    Value Format: Comma-separated OID strings
    Common OIDs:
    • Client Authentication (1.3.6.1.5.5.7.3.2) (Default)
    • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • Any Extended Key Usage (2.5.29.37.0)
    • IPSec End System (1.3.6.1.5.5.7.3.5)
    • IPSec Tunnel (1.3.6.1.5.5.7.3.6)
    • IPSec User (1.3.6.1.5.5.7.3.7)
    • OCSP Signing (1.3.6.1.5.5.7.3.9)
    disable_remote_shell
    (Not supported on Prisma Access Agent Linux)
    		false | true
    Specifies whether to remove the feature to access a Prisma Access Agent for troubleshooting using a remote shell. The value is of type boolean. Default: false
    If you set the value to true, the remote shell capabilities are disabled at deployment and cannot be reenabled until you remove the Prisma Access Agent and reinstall it.
    pre_logon_supported
    (Not supported on Prisma Access Agent Linux)
    		false | true
    When set to true, enables the pre-logon feature on endpoints. Pre-logon support for Prisma Access Agent establishes a secure tunnel before a user logs into their device, which can provide essential network access for managing and updating remote devices without requiring a user to log in to their device. Default: false
    server_urlThe FQDN for the Prisma Access Agent domain without the https:// protocol. The server_url value is of type string. The server URL has this format: xxx.epm.gpcloudservice.com
    tenant_idThe ID for your Prisma Access tenant. The tenant ID corresponds to the Strata Logging Service Instance (Tenant) ID. The tenant_id is of type string and is a numerical value.
    This field will be removed after the endpoint is able to resolve the tenant ID from the FQDN.
    unload_gpfalse | true
    If the GlobalProtect app is installed on the end user's device, specifies whether to disable the GlobalProtect app during the installation of the Prisma Access Agent. Default: false
    If you set the value to true, the GlobalProtect app is disabled upon the installation of the Prisma Access Agent. After the installation, users can switch between the Prisma Access Agent and GlobalProtect app.
    use_external_browser_for_
    auth
    		false | true
    When set to true, uses the default system browser instead of the embedded browser for SAML authentication. Default: false
    For Windows MSI packages, the following table shows the MSI properties and the corresponding Prisma Access Agent configuration file settings:
    MSI Property NameConfiguration SettingNotes
    CONFIGThe full path to the Prisma Access Agent configuration file. Default: config.json
    DISABLE_REMOTE_SHELL
    (Not supported on Prisma Access Agent Linux)
    		disable_remote_shellFor Boolean values in MSI, specify 1 for the true value, and an empty value for the false value.
    PRE_LOGON_SUPPORTED
    (Not supported on Prisma Access Agent Linux)
    		pre_logon_supportedFor Boolean values in MSI, specify 1 for the true value, and an empty value for the false value.
    SERVER_URLserver_url
    TENANT_IDtenant_id
    UNLOAD_GPunload_gpFor Boolean values in MSI, specify 1 for the true value, and an empty value for the false value.
    USE_EXTERNAL_BROWSER_
    FOR_AUTH
    use_external_browser_
    for_auth
    		For Boolean values in MSI, specify 1 for the true value, and an empty value for the false value.

    Change the Prisma Access Agent Server Address

    If a Prisma Access Agent is not connected to Prisma Access and the agent cannot be found in the inventory, an incorrect address for server might have been configured. You can change the address by using the PACLI tool.
    1. Issue the following command in a terminal window or command prompt:
      • On macOS agents:
        /Applications/Prisma\ Access\ Agent.app/Contents/Helpers/pacli epm address <xxx>.epm.gpcloudservice.com 443 <tenant-id>
      • On Windows agents:
        "C:\Program Files\Palo Alto Networks\Prisma Access Agent\pacli" epm address <xxx>.epm.gpcloudservice.com 443 <tenant-id>
      • On Linux agents:
        pacli epm address <xxx>.epm.gpcloudservice.com 443 <tenant-id>
      where <xxx>.epm.gpcloudservice.com is the FQDN for the Prisma Access Agent domain without the https:// protocol, and <tenant-id> is the Prisma Access tenant ID. 443 is the port number for the server address.
    2. When prompted, enter the supervisor password (also known as the anti-tamper unlock password). If no supervisor password is assigned, you can enter any password or a blank password. You can enable or change the anti-tamper unlock password in Strata Cloud Manager.
      When the address is successfully changed, the following message is displayed:
      Successfully set EPM address
    3. To verify the server address setting, issue the following command:
      • On macOS agents:
        /Applications/Prisma\ Access\ Agent.app/Contents/Helpers/pacli epm status
      • On Windows agents:
        "C:\Program Files\Palo Alto Networks\Prisma Access Agent\PACli" epm status
      • On Linux agents:
        pacli epm status
      The following example output is shown:
      EPM Status:                       Up
Authentication Status:            Authenticated with access token
User type:                        Logged on
Authentication Type:              GP Portal Auth
EPM Communication:                WebSocket
Current Time:                     2025-11-20 09:47:44, PST
Last EPM Keepalive:               2025-11-20 09:47:22
Last EPM Token Refresh:           2025-11-20 09:37:13
Access Token Expiry:              2025-11-20 14:37:13
User Refresh Token Expiry:        2025-11-27 09:37:11
Agent Refresh Token Expiry:       2026-05-19 10:37:12
EPM Address:                      xxx.epm.gpcloudservice.com
Machine ID:                       xx:xx:xx:xx:xx:xx
      The following fields are for Dynamic Privilege Access enabled agents only:
      DPA Status:                 Enabled
Project Name:               Example-Project
      The Last Successful Login and EPM Token Expiry fields are shown as Never because the Prisma Access Agent needs to authenticate to the server. To authenticate to the server, log in to the Prisma Access agent.

    © 2026 Palo Alto Networks, Inc. All rights reserved.