>
    Strata Copilot
    Stagger GlobalProtect App Updates
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Administration
    4. Prisma Access Mobile Users
    5. Mobile Users: GlobalProtect
    6. GlobalProtect App Upgrades
    7. Stagger GlobalProtect App Updates
    Download PDF
    Prisma Access

    Stagger GlobalProtect App Updates

    Table of Contents

    Stagger GlobalProtect App Updates

    Update mobile users to the latest version of GlobalProtect in stages.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Panorama)
    • Prisma Access license
    If you manage a large organization, you might want to update mobile users to the latest version of the GlobalProtect app in stages. For example, you could assign a smaller group to update their GlobalProtect app before rolling out the update to everybody in your organization. To do so, complete the following task.
    1. If you have not yet created it, create a user group for the first group of users to which you want to roll out the GlobalProtect app update.
      You can use User-ID to map users to groups, or select DeviceLocal User DatabaseUser Groups to manually create a group.
    2. Create a new GlobalProtect agent configuration to use for the first group of users.
      1. In Panorama, select NetworkGlobalProtectPortals.
      2. Select the Mobile_User_Template from the Template drop-down.
      3. Select GlobalProtect_Portal to edit the Prisma Access portal configuration.
      4. Select the Agent tab.
      5. Select the DEFAULT configuration and Clone it.
        You can also Add a new configuration; but cloning the existing configuration copies over required information for the new configuration.
      6. Specify a Name for the configuration.
      7. Select the Config Selection Criteria tab.
      8. In the User/User Group area, select the user you created in Step 1.
      9. Select the App tab.
      10. Change Allow User to Upgrade GlobalProtect App to either Allow with Prompt or Allow Transparently.
        Allow with Prompt prompts users when a new version is activated and allows them to upgrade their software when it is convenient; Allow Transparently automatically upgrades the app software whenever a new version becomes available on the portal.
      11. Click OK to save your changes.
    3. Select Move Up to move your configuration above the default configuration.
      When an app connects, the portal compares the source information in the packet against the agent configurations you have defined. As with security rule evaluation, the portal looks for a match starting from the top of the list. When it finds a match, it delivers the corresponding configuration to the app.
    4. Repeat these steps for the DEFAULT configuration, but change Allow User to Upgrade GlobalProtect App to Disallow to prevent users from updating to the latest GlobalProtect app software.
    5. When you want to let the rest of the users update their apps, change Allow User to Upgrade GlobalProtect App in the DEFAULT configuration to a selection that allows it (either Allow with Prompt or Allow Transparently).

    © 2026 Palo Alto Networks, Inc. All rights reserved.