Deploy the GlobalProtect App to End Users

Deploy the GlobalProtect app to devices using different methods based on the platform, such as direct portal download, web server hosting, command line deployment, or MDM distribution.
In order to connect to GlobalProtect™, an endpoint must be running the GlobalProtect app. Use the GlobalProtect app compatibility matrix to determine what version of the GlobalProtect app you want your users to run on their endpoints. Because the version that an end user must download and install to enable successful connectivity to your network depends on your environment, there is no direct download link for the GlobalProtect app on the Palo Alto Networks site.
Palo Alto Networks strongly recommends using an Extended Detection and Response (XDR) solution such as Cortex XDR to protect GlobalProtect. You should block processes from reading or writing PanGPA.exe process memory. In addition, you should protect the "HKEY_CURRENT_USER\Software\Palo Alto Networks\GlobalProtect" registry key and its contents recursively from modification by any processes other than the PanGPA.exe binary provided by Palo Alto Networks.
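As an added example (not Palo Alto Networks code), the following Python function flags the two behaviors named above, registry changes under the GlobalProtect key by anything other than PanGPA.exe and memory read/write access to PanGPA.exe, in Sysmon-style events. It assumes events are already parsed into dicts with Sysmon field names and that HKEY_CURRENT_USER is rendered as `HKU\<SID>`; the install path is a placeholder and the sample events are constructed.

```python
PROCESS_VM_READ, PROCESS_VM_WRITE = 0x0010, 0x0020  # Windows process access rights
GP_KEY = r"\software\palo alto networks\globalprotect"  # key named on the page
# Placeholder, not a real path: set to where PanGPA.exe is installed in your environment.
TRUSTED_IMAGE = r"C:\EXAMPLE-INSTALL-DIR\PanGPA.exe"

def same_image(path, trusted):
    # Compare full paths: a same-named binary in another directory must not pass.
    return path.lower() == trusted.lower()

def under_gp_key(target_object):
    # Assumption: Sysmon renders HKEY_CURRENT_USER as HKU\<SID>\...
    t = target_object.lower()
    i = t.find(GP_KEY)
    if not t.startswith("hku\\") or i < 0:
        return False
    rest = t[i + len(GP_KEY):]
    return rest == "" or rest.startswith("\\")  # the key itself or anything below it

def triage(events, trusted=TRUSTED_IMAGE):
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid in (12, 13, 14):  # registry create/delete, value set, rename
            if under_gp_key(ev.get("TargetObject", "")) and not same_image(ev.get("Image", ""), trusted):
                findings.append(("registry-tamper", ev.get("Image", ""), ev["TargetObject"]))
        elif eid == 10 and same_image(ev.get("TargetImage", ""), trusted):  # ProcessAccess
            mask = int(ev.get("GrantedAccess", "0x0"), 16)
            if mask & (PROCESS_VM_READ | PROCESS_VM_WRITE) and not same_image(ev.get("SourceImage", ""), trusted):
                findings.append(("memory-access", ev.get("SourceImage", ""), hex(mask)))
    return findings

# Constructed sample events (not real telemetry).
KEY = r"HKU\S-1-5-21-1-2-3-1001\Software\Palo Alto Networks\GlobalProtect\Settings\example"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": TRUSTED_IMAGE, "TargetObject": KEY},                  # expected writer
    {"EventID": 13, "Image": r"C:\Users\Public\tool.exe", "TargetObject": KEY},    # other process
    {"EventID": 13, "Image": r"C:\Users\Public\PanGPA.exe", "TargetObject": KEY},  # same name, wrong path
    {"EventID": 10, "SourceImage": r"C:\Users\Public\tool.exe",
     "TargetImage": TRUSTED_IMAGE, "GrantedAccess": "0x1410"},                     # includes VM_READ
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": TRUSTED_IMAGE, "GrantedAccess": "0x1000"},                     # query only
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

This only detects after the fact; blocking the access, as the recommendation asks, still requires an enforcement-capable endpoint product.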
The app deployment method depends on the type of endpoint as follows:
Platform | Deployment Options
macOS and Windows endpoints
There are several options you can use to distribute and install the software on macOS and Windows endpoints:
  • Directly from the portal—Download the app software to the firewall hosting the portal, and then activate it so that end users can install the updates when they connect to the portal. This option provides flexibility by allowing you to control how and when end users receive updates based on the agent configuration settings you define for each user, group, and/or operating system. However, if you have a large number of apps that require updates, it could put extra load on your portal. See Host App Updates on the Portal for instructions.
  • From a web server—If you have a large number of endpoints that need to upgrade the app simultaneously, consider hosting the app updates on a web server to reduce the load on the firewall. See Host App Updates on a Web Server for instructions.
  • Transparently from the command line—For Windows endpoints, you can deploy app settings automatically using the Windows Installer (Msiexec). However, to upgrade to a later app version using Msiexec, you must first uninstall the existing app. In addition, Msiexec allows for deployment of app settings directly on the endpoints by setting values in the Windows registry. Similarly, you can deploy app settings to macOS endpoints by configuring settings in the macOS plist. See Deploy App Settings Transparently.
  • Using group policy rules—In Active Directory environments, the GlobalProtect app can also be distributed to end users through an Active Directory group policy. AD Group policies allow for automated modification of Windows endpoint settings and software. Refer to the article at http://support.microsoft.com/kb/816102 for more information on how to use Group Policy to automatically distribute programs to endpoints or users.
  • From a mobile endpoint management system—If you use a mobile management system, such as an MDM or EMM, to manage your mobile endpoints, you can use the system to deploy and configure the GlobalProtect app. See Mobile Endpoint Management.
Windows 10 phone and Windows 10 UWP
  • From a mobile endpoint management system—If you use a mobile management system, such as an MDM or EMM, that supports Windows 10 endpoints, you can use the system to deploy and configure the GlobalProtect app. See Mobile Endpoint Management.
  • From the Microsoft Store—The end user can also download and install the GlobalProtect app directly from the Microsoft Store. For instructions on how to download and test the GlobalProtect app installation, see Download and Install the GlobalProtect Mobile App.
iOS and Android endpoints
  • From a mobile endpoint management system—If you use a mobile management system, such as an MDM or EMM, you can use the system to deploy and configure the GlobalProtect app. See Mobile Endpoint Management.
  • From an app store—The end user can also download and install the GlobalProtect app directly from the Apple App Store (iOS endpoints) or from Google Play (Android endpoints). For instructions on how to download and test the GlobalProtect app installation, see Download and Install the GlobalProtect Mobile App.
Chromebooks
  • From the Google Admin console—The Google Admin console enables you to manage Chromebook settings and apps from a central, web-based location. To deploy the GlobalProtect app for Android on managed Chromebooks using the Google Admin console, see Deploy the GlobalProtect App for Android on Managed Chromebooks Using the Google Admin Console.
    The GlobalProtect app for Android is supported only on certain Chromebooks. Chromebooks that do not support Android applications must continue to run the GlobalProtect app for Chrome, which is not supported starting with GlobalProtect app 5.0 and later.
  • From Workspace ONE—You can deploy the GlobalProtect app for Android on managed Chromebooks that are enrolled with Workspace ONE. After you deploy the app, configure and deploy a VPN profile to set up the GlobalProtect app for end users automatically. To deploy the GlobalProtect app for Android on managed Chromebooks using Workspace ONE, see Deploy the GlobalProtect App for Android on Managed Chromebooks Using Workspace ONE.
Linux
After you download the GlobalProtect app for Linux from the Support Site, you can distribute and install the app:
  • Using Linux app distribution tools—Linux app distribution is typically managed using third-party tools (such as Chef and Puppet), or using a local repository for the Linux operating system (for example, Ubuntu repositories and RHEL repositories). See the documentation for your Linux operating system for more information.
  • Manual installation—If you make the software available to your end users, they can manually install the software using Linux tools such as apt or dpkg. For instructions on how to install the GlobalProtect app for Linux, see the GlobalProtect App User Guide.
As an alternative to deploying the GlobalProtect app software, you can configure the GlobalProtect portal to provide secure remote access to common enterprise web applications that use HTML, HTML5, and JavaScript technologies. Users have the advantage of secure access from SSL-enabled web browsers without installing the GlobalProtect app software. Refer to GlobalProtect Clientless VPN.