Deploy App Settings in the macOS Plist
You can set the GlobalProtect app customization settings in the macOS global plist (Property list) file. This enables deployment of GlobalProtect app settings to macOS endpoints prior to their first connection to the GlobalProtect portal.
On macOS endpoints, plist files are either located in
~/Library/Preferences. The tilde (
~) symbol indicates that the location is in the current user's home folder. The GlobalProtect app on a macOS endpoint first checks for the GlobalProtect plist settings. If the plist does not exist at that location, the GlobalProtect app searches for plist settings in
In addition to using the macOS plist to deploy GlobalProtect app settings, you can enable the GlobalProtect app to collect specific macOS plist information from the endpoints. You can then monitor the data and add it to a security rule to use as matching criteria. Endpoint traffic that matches registry settings you define can be enforced according to the security rule. Additionally, you can set up custom checks to Collect Application and Process Data From Endpoints.
- Open the GlobalProtect plist file and locate the GlobalProtect app customization settings.Use Xcode or an alternate plist editor to open the plist file:/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plistThen go to:/Palo Alto Networks/GlobalProtect/SettingsIf theSettingsdictionary does not exist, create it. Add each key to theSettingsdictionary as a string.
- Set the portal name.If you do not want the end user to manually enter the portal address even for the first connection, you can pre-deploy the portal address through the plist. In thePanSetupdictionary, configure an entry forPortal.
- Deploy various settings to the macOS endpoint, including the connect method for the GlobalProtect app.
- Follow these guidelines when you are using system extensions and need to switch to kernel extensions:
You must specifyUseKextAnywayas the plist key before installing GlobalProtect app 5.2.6 or later releases or upgrading from an earlier release to GlobalProtect app 5.2.6 or later releases running Catalina 10.15.4 or later. However, if you are upgrading from an earlier release to GlobalProtect app 5.2.6 or later releases running macOS Big Sur 11 or later, you must enable system extensions.
- After you have enabled system extensions, you must first uninstall the existing app to use theUseKextAnywayplist key to enable kernel extensions on macOS.
- You later have the option to revert to use system extensions. You must delete theUseKextAnywayplist key in the macOS plist. After you have deleted this plist key, you must restart the GobalProtect app in order for the change to take effect.
- By switching to kernel extensions, you can no longer use the Split DNS and Enforce GlobalProtect Connections with FQDN Exclusions features.
- If you have configured split tunnel settings based on the application on macOS endpoints, all Safari-based traffic, Microsoft Teams-based traffic, or Slack-based traffic that are defined in the split tunnel configuration would be dropped. We recommend that you use Chrome instead of Safari so that traffic defined in the split tunnel configuration will not be dropped. All traffic that was created based on the WebKit framework such as Safari, Microsoft Teams, or Slack might have problems using kernel extensions.
Recommended For You
Recommended videos not found.