>
    Enable GlobalProtect System Extensions on macOS Endpoints Using Jamf Pro
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. Mobile Device Management
    4. Manage the GlobalProtect App Using Jamf Pro
    5. Manage the GlobalProtect App for macOS Using Jamf Pro
    6. Enable System and Network Extensions on macOS Endpoints Using Multiple Configuration Profiles
    7. Enable GlobalProtect System Extensions on macOS Endpoints Using Jamf Pro
    Download PDF
    GlobalProtect

    Enable GlobalProtect System Extensions on macOS Endpoints Using Jamf Pro

    Table of Contents

    Enable GlobalProtect System Extensions on macOS Endpoints Using Jamf Pro

    Use Jamf Pro to load GlobalProtect system extensions on macOS endpoints automatically without notifying end users.
    Where Can I Use This?What Do I Need?
    • Prisma Access
    • PAN-OS
    • GlobalProtect Subscription
    • Prisma Access Mobile Users license (for use with Prisma Access)
    • GlobalProtect Gateway license (for use with PAN-OS)
    • GlobalProtect app for macOS 6.0.4 and later and 6.1 and later releases
    • Endpoints running macOS 11 (Big Sur), macOS 12 (Monterey), or macOS 13 (Ventura)
    On the GlobalProtect app 6.0.4 and later and 6.1 releases running on macOS Big Sur 11, you can use Jamf Pro to configure a GlobalProtect signed configuration profile to automatically load system extensions that are required for the split tunnel, enforce GlobalProtect connections for network access, and split DNS features.
    For GlobalProtect app 6.0.3 and earlier users, you can Suppress Notifications on the GlobalProtect App for macOS Endpoints using a supported third-party mobile device management system (MDM) such as Workspace ONE.
    To enable the GlobalProtect system extension on macOS endpoints using Jamf Pro:
    1. In Jamf Pro, select ComputersConfiguration ProfilesNew.
    2. Create a configuration profile to enable GlobalProtect system extensions.
      1. Enter a Display Name for the configuration profile.
      2. Select System ExtensionsConfigure.
      3. (Optional) Enter a Display Name.
      4. In System Extension Types, select Allowed System Extensions.
      5. Enter the Team Identifier for the GlobalProtect app (PXPZ95SK77).
      6. In the ALLOWED SYSTEM EXTENSIONS section, Add the Bundle Identifier for GlobalProtect system extensions (com.paloaltonetworks.GlobalProtect.client.extension) and Save the allowed system extension.
      7. Save the configuration profile.
    3. Deploy the GlobalProtect app package and enable system extensions immediately after installation of the GlobalProtect app.
      1. Create an settings file called install_system_extensions.xml with the following content:
        <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
           <dict>
                  <key>attributeSetting</key>
                  <integer>1</integer>
                  <key>choiceAttribute</key>
                  <string>selected</string>
                  <key>choiceIdentifier</key>
                  <string>third</string>
           </dict>
           <dict>
                  <key>attributeSetting</key>
                  <integer>1</integer>
                  <key>choiceAttribute</key>
                  <string>selected</string>
                  <key>choiceIdentifier</key>
                  <string>com.paloaltonetworks.globalprotect.systemext.pkg</string>
            </dict>
</array>
</plist>
      2. Deploy the GlobalProtect app package by running the following command:
        sudo installer -pkg GlobalProtect.pkg -applyChoiceChangesXML install_system_extensions.xml -target /

    © 2024 Palo Alto Networks, Inc. All rights reserved.