Enable System and Network Extensions on macOS Endpoints Using Multiple Configuration Profiles
Focus
Focus
GlobalProtect

Enable System and Network Extensions on macOS Endpoints Using Multiple Configuration Profiles

Table of Contents

Enable System and Network Extensions on macOS Endpoints Using Multiple Configuration Profiles

Enable system and network extensions for features such as split tunneling, enforcing GlobalProtect connections for network access without requiring kernel extensions, or split DNS.
Where Can I Use This?What Do I Need?
  • Prisma Access
  • PAN-OS
  • GlobalProtect Subscription
  • Prisma Access Mobile Users license (for use with Prisma Access)
  • GlobalProtect Gateway license (for use with PAN-OS)
  • GlobalProtect app for macOS 6.0.4 and later and 6.1 and later releases
  • Endpoints running macOS 11 (Big Sur), macOS 12 (Monterey), or macOS 13 (Ventura)
End users must enable system and network extensions on macOS endpoints if the GlobalProtect app is configured with any of the following features:
After the installation or upgrade of the GlobalProtect app on a macOS device, notification messages appear that prompt users to load the GlobalProtect system extension and network extensions that were blocked from loading.
To allow the GlobalProtect app to run seamlessly without disruption on macOS endpoints, you can create GlobalProtect signed configuration profiles and deploy them using Jamf Pro to load the system and network extensions, and suppress the notification pop-ups automatically.
The following procedures assume that the macOS endpoints do not have network extensions enabled manually. If users already enabled network extensions when they were notified by GlobalProtect pop-ups, deploying configuration profiles using Jamf Pro to enable network extensions will create duplicate network extension entries on the macOS endpoints.
Refer to the following sections for information on how to enable system and network extensions on the GlobalProtect app for macOS endpoints:
If you want to use a single configuration profile to configure your managed macOS devices, you can Create a Single Configuration Profile for the GlobalProtect App for macOS.
For GlobalProtect app 6.0.3 and earlier users, you can Suppress Notifications on the GlobalProtect App for macOS Endpoints using a supported third-party mobile device management system (MDM) such as Workspace ONE.