Prisma Access Mobile Users license (for use with Prisma Access)
GlobalProtect app version 6.2 or later for Windows and macOS
Content release version 8699-7991 or later
Use the following procedure to configure the GlobalProtect app to run a remediation script whenever a GlobalProtect endpoint fails one or more process checks, to help the endpoint recover from HIP check failures. With this feature enabled, the GlobalProtect app provides a specified timeout period in which the endpoint can run the remediation script if it fails a process check. After the timeout period expires, the GlobalProtect app resubmits the HIP report.
The remediation scripts you write should check whether the processes you have set up in the Custom Checks are running and, if they are not, start them.
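The check-and-start logic described above, as an added example for macOS that is not Palo Alto Networks' own script. The process name and start command are hypothetical placeholders, and treating a non-zero exit status as a failed remediation is an assumption the page does not state.

```sh
#!/bin/sh
# Added example: the process name and start command at the bottom are
# hypothetical placeholders; use the names from your own HIP Custom Checks.

# Seconds to wait for each process to appear. Keep the total below the
# portal's HIP Remediation Process Timeout (1-600 sec), after which
# GlobalProtect resubmits the HIP report.
WAIT_SECS=${WAIT_SECS:-20}

log() { printf '%s hip-remediation: %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >&2; }

# True when a process with exactly this name is running.
is_running() { pgrep -x "$1" >/dev/null 2>&1; }

# Argument: "<process name>|<command that starts it>".
# Starts the process only if it is missing, then polls until it is up.
ensure_running() {
    name=${1%%|*}
    start_cmd=${1#*|}
    is_running "$name" && return 0
    log "$name not running, starting it"
    sh -c "$start_cmd" >/dev/null 2>&1 &
    waited=0
    while [ "$waited" -lt "$WAIT_SECS" ]; do
        sleep 1
        waited=$((waited + 1))
        is_running "$name" && return 0
    done
    return 1
}

# Succeeds only if every listed process is running afterwards.
remediate_all() {
    failed=0
    for entry in "$@"; do
        if ensure_running "$entry"; then
            log "ok: ${entry%%|*}"
        else
            log "FAILED: ${entry%%|*}"
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ]
}

# Run only under the script name used in this page's checksum step.
# Assumption: a non-zero exit status signals that remediation failed.
case "${0##*/}" in
    hip-remediation-script.sh)
        remediate_all "exampleagentd|/usr/local/bin/exampleagentd --daemon"
        exit $? ;;
esac
```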
Configure a HIP remediation timeout on the portal.
Select Network > GlobalProtect > Portals.
Select the portal configuration to which you are adding the agent configuration, and then select the Agent tab.
Select the agent configuration that you want to modify, or Add a new one.
Select the App tab.
To enable the HIP remediation feature, set a HIP Remediation Process Timeout (sec).
By default, this field is set to 0, indicating that the feature is disabled. Enter a value from 1-600 seconds to indicate the amount of time you want to allow for the remediation script to finish.
Click OK twice to save your app and portal configurations.
Commit the changes.
Deploy the remediation script to your endpoints using mobile device management (MDM).
As a best practice, use standard formats for the scripts you deploy (for example, deploy shell scripts on macOS endpoints and batch scripts on Windows endpoints). The name of the script is case sensitive and must use the predefined name and location as follows:
Customize how the script runs on the endpoint by setting a checksum and/or a custom error message and defining the context in which the script will run.
macOS
Calculate the SHA-256 checksum: shasum -a 256 hip-remediation-script.sh
Edit the following values in the plist as needed:
checksum—Specify the checksum you generated
error-msg—Enter the custom error message you want to display to the end user when remediation fails
success-msg—Enter the custom message you want to display to the end user when remediation succeeds
context—Set to admin or user to specify the context in which to run the remediation script. By default, the script runs in the user context.
Replace the GlobalProtect plist by copying the modified.plist to overwrite the default plist: