To improve the user experience with GlobalProtect, you can now use the Conditional Connect setting to have GlobalProtect dynamically change the connect method based on whether the user is on the internal network or working from a remote location. This is useful in environments where you require your users to connect to GlobalProtect at all times when in the office (Always On mode), but don’t require them to connect to GlobalProtect when they are away from the office except when they need access to your private apps.

With Conditional Connect, GlobalProtect uses internal host detection (IHD) to determine whether the user is on the internal network and then sets the connect method accordingly.

To configure this feature, you must deploy the conditional-connect setting to the endpoint transparently to the Windows Registry or macOS plist. For the feature to work, you must also enable internal host detection and configure the endpoints to use the On-demand connect method.