>
    Strata Copilot
    Enable GlobalProtect System Extensions on macOS Endpoints Using Jamf Pro
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect Administrator's Guide
    4. GlobalProtect Apps
    5. Deploy the GlobalProtect App on Mobile Devices
    6. Manage the GlobalProtect App Using Jamf Pro
    7. Manage the GlobalProtect App for macOS Using Jamf Pro
    8. Enable System and Network Extensions on macOS Endpoints Using Multiple Configuration Profiles
    9. Enable GlobalProtect System Extensions on macOS Endpoints Using Jamf Pro
    Download PDF
    GlobalProtect

    Enable GlobalProtect System Extensions on macOS Endpoints Using Jamf Pro

    Table of Contents

    Enable GlobalProtect System Extensions on macOS Endpoints Using Jamf Pro

    Use Jamf Pro to load GlobalProtect system extensions on macOS endpoints automatically without notifying end users.
    Where Can I Use This?What Do I Need?
    • NGFW (managed by Panorama or Strata Cloud Manager)
    • Prisma Access (managed by Panorama or Strata Cloud Manager)
    • GlobalProtect Gateway license or Prisma Access license with the Mobile User subscription
    • GlobalProtect app 6.0.4 and later and 6.1 releases running on macOS Big Sur 11, macOS Monterey, or macOS Ventura
    On the GlobalProtect app 6.0.4 and later and 6.1 releases running on macOS Big Sur 11, you can use Jamf Pro to configure a GlobalProtect signed configuration profile to automatically load system extensions that are required for the split tunnel, enforce GlobalProtect connections for network access, and split DNS features.
    For GlobalProtect app 6.0.3 and earlier users, you can Suppress Notifications on the GlobalProtect App for macOS Endpoints using a supported third-party mobile device management system (MDM) such as Workspace ONE.
    To enable the GlobalProtect system extension on macOS endpoints using Jamf Pro:
    1. In Jamf Pro, select ComputersConfiguration ProfilesNew.
    2. Create a configuration profile to enable GlobalProtect system extensions.
      1. Enter a Display Name for the configuration profile.
      2. Select System ExtensionsConfigure.
      3. (Optional) Enter a Display Name.
      4. In System Extension Types, select Allowed System Extensions.
      5. Enter the Team Identifier for the GlobalProtect app (PXPZ95SK77).
      6. In the ALLOWED SYSTEM EXTENSIONS section, Add the Bundle Identifier for GlobalProtect system extensions (com.paloaltonetworks.GlobalProtect.client.extension) and Save the allowed system extension.
      7. Save the configuration profile.
    3. Deploy the GlobalProtect app package and enable system extensions immediately after installation of the GlobalProtect app.
      1. Create an settings file called install_system_extensions.xml with the following content:
        <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
           <dict>
                  <key>attributeSetting</key>
                  <integer>1</integer>
                  <key>choiceAttribute</key>
                  <string>selected</string>
                  <key>choiceIdentifier</key>
                  <string>third</string>
           </dict>
           <dict>
                  <key>attributeSetting</key>
                  <integer>1</integer>
                  <key>choiceAttribute</key>
                  <string>selected</string>
                  <key>choiceIdentifier</key>
                  <string>com.paloaltonetworks.globalprotect.systemext.pkg</string>
            </dict>
</array>
</plist>
      2. Deploy the GlobalProtect app package by running the following command:
        sudo installer -pkg GlobalProtect.pkg -applyChoiceChangesXML install_system_extensions.xml -target /

    © 2026 Palo Alto Networks, Inc. All rights reserved.