macOS System Extensions Support

Software Support
: Starting with GlobalProtect™ app 5.1.4
OS Support
: macOS
The GlobalProtect App can now use system extensions on macOS Catalina 10.15.4 or macOS Big Sur 11 endpoints for enabling capabilities such as split tunnel on the GlobalProtect gateway based on the destination domain name and application process name and to enforce GlobalProtect connections for network access (see GlobalProtect App Customization) without requiring kernel extensions. When users install the GlobalProtect app for the first time on a macOS device running macOS Catalina 10.15.4, macOS Big Sur 11, or later or upgrade to GlobalProtect app 5.1.4, they must now enable the system extensions. If you have configured split tunnel on the gateway or enforced GlobalProtect connections for network access on the portal, the
System Extension Blocked
notification message displays on the app during the installation, prompting users to enable and allow the system extensions in macOS that are blocked from loading to use these GlobalProtect features.
  1. (Optional)
    Allow GlobalProtect app users to automatically load the system extensions without receiving the
    System Extension Blocked
    notification.
  2. Enable the
    GlobalProtect System Extensions
    to allow the system extensions in macOS to load.
    1. Complete the GlobalProtect app setup using the GlobalProtect installer.
    2. When prompted, select the
      GlobalProtect System Extensions
      check box on the
      Installation Type
      screen if the administrator has configured the split tunnel on the gateway or enforced GlobalProtect connections.
    3. Select
      Open Security Preferences
      to enable the system extensions in macOS that was blocked from loading from the
      System Extension Blocked
      notification.
  3. Enable the network extensions configuration in macOS to use split tunnel and Enforce GlobalProtect for Network Access.
    1. (
      macOS Catalina 10.15.4 or later only
      ) If you have configured split tunnel on the gateway, select
      Allow
      in the following pop-up prompt:
    2. (
      macOS Catalina 10.15.4 or later only
      ) If you have enabled the Enforce GlobalProtect Connections for Network Access feature, select
      Allow
      in the following pop-up prompt:
    3. (
      macOS Big Sur 11 or later only
      ) If you have configured split tunnel based on domains and applications on the GlobalProtect gateway and enabled the Enforce GlobalProtect Connections for Network Access feature, select
      Allow
      in the following pop-up prompt:
      If you have suppressed the network extensions configuration notifications by using the mobile device management system (MDM) such as Jamf Pro, you can automatically load the network extensions without receiving these notifications. Refer to the knowledge base article at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAW8 for information on how to enable system and network extensions using Jamf Pro.

Recommended For You