Deploy App Settings in the macOS Plist

You can set the GlobalProtect app customization settings in the macOS global plist (Property list) file. This enables deployment of GlobalProtect app settings to macOS endpoints prior to their first connection to the GlobalProtect portal.
On macOS endpoints, plist files are either located in
or in
. The tilde (
) symbol indicates that the location is in the current user's home folder. The GlobalProtect app on a macOS endpoint first checks for the GlobalProtect plist settings. If the plist does not exist at that location, the GlobalProtect app searches for plist settings in
In addition to using the macOS plist to deploy GlobalProtect app settings, you can enable the GlobalProtect app to collect specific macOS plist information from the endpoints. You can then monitor the data and add it to a security rule to use as matching criteria. Endpoint traffic that matches registry settings you define can be enforced according to the security rule. Additionally, you can set up custom checks to Collect Application and Process Data From Endpoints.
  1. Open the GlobalProtect plist file and locate the GlobalProtect app customization settings.
    Use Xcode or an alternate plist editor to open the plist file:
    Then go to:
    /Palo Alto Networks/GlobalProtect/Settings
    If the
    dictionary does not exist, create it. Add each key to the
    dictionary as a string.
  2. Set the portal name.
    If you do not want the end user to manually enter the portal address even for the first connection, you can pre-deploy the portal address through the plist. In the
    dictionary, configure an entry for
  3. Deploy various settings to the macOS endpoint, including the connect method for the GlobalProtect app.
    View Customizable App Settings for a full list of the keys and values that you can configure using the macOS plist.
  4. (
    ) If you are using system extensions and need to switch to kernel extensions, set the
    value to
    in the macOS plist (
    ) for the GlobalProtect app.
    Follow these guidelines when you are using system extensions and need to switch to kernel extensions:
    • After you have enabled system extensions, you must first uninstall the existing app to use the
      plist key to enable kernel extensions on macOS.
    • You later have the option to revert to use system extensions. You must delete the
      plist key in the macOS plist. After you have deleted this plist key, you must restart the GobalProtect app in order for the change to take effect.
    • By switching to kernel extensions, you can no longer use the Split DNS and Enforce GlobalProtect Connections with FQDN Exclusions features.
    • If you have configured split tunnel settings based on the application on macOS endpoints, all Safari-based traffic, Microsoft Teams-based traffic, or Slack-based traffic that are defined in the split tunnel configuration would be dropped. We recommend that you use Chrome instead of Safari so that traffic defined in the split tunnel configuration will not be dropped. All traffic that was created based on the WebKit framework such as Safari, Microsoft Teams, or Slack might have problems using kernel extensions.
    You must specify
    as the plist key before installing GlobalProtect app 5.2.6 or later releases or upgrading from an earlier release to GlobalProtect app 5.2.6 or later releases running Catalina 10.15.4 or later. However, if you are upgrading from an earlier release to GlobalProtect app 5.2.6 or later releases running macOS Big Sur 11 or later, you must enable system extensions.

Recommended For You