Download and Install the GlobalProtect App for macOS
Focus
Focus
GlobalProtect

Download and Install the GlobalProtect App for macOS

Table of Contents

Download and Install the GlobalProtect App for macOS

Before connecting to the GlobalProtect network, you must download and install the GlobalProtect app on your macOS endpoint. To ensure that you get the right app for your organization’s GlobalProtect or Prisma Access deployment, you must download the app directly from a GlobalProtect portal within your organization. For this reason, there is no direct GP app download link available on the Palo Alto Networks site.
To download and install the GlobalProtect app, you must obtain the IP address or FQDN of the GlobalProtect portal from your administrator. In addition, your administrator should verify which username and password you can use to connect to the portal and gateways. This is typically the same username and password that you use to connect to your corporate network.
When you install the GlobalProtect app for the first time on a macOS device running macOS Catalina 10.15.4, macOS Big Sur 11, or later or upgrade to GlobalProtect app 5.1.4, you must enable the system extensions that are used for specific GlobalProtect features. If your administrator has configured split tunnel on the GlobalProtect gateway based on the destination domain name and application process name or enforced GlobalProtect connections for network access on the GlobalProtect portal (see GlobalProtect App Customization), the System Extension Blocked notification message displays on the GlobalProtect app during the installation. The message prompts users to enable and allow the system extensions in macOS that are blocked from loading to use the split tunnel and Enforce GlobalProtect for Network Access features.
Follow these guidelines when you use system extensions:
  • Only users with administrator privileges can enable the system extensions on the GlobalProtect app for macOS endpoints.
  • Due to the security enhancement on macOS Catalina 10.15 and macOS Big Sur 11 to ensure that your data is protected while using third-party applications, GlobalProtect must request your permission before attempting access to files and folders stored in your Documents, Desktop, and Downloads folders and network drives. If your administrator has enabled HIP checks, new permission pop-ups appear on your macOS endpoint when GlobalProtect requests access to certain files and folder stored in your file system.
  • The GlobalProtect app 5.1.4 running on macOS Catalina 10.15.4, macOS Big Sur 11, or later does not use kernel extensions and will use system extensions.
  • The GlobalProtect app 5.1.4 running on macOS Catalina 10.15.4, macOS Big Sur 11, or later will not use the kernel extensions (com.paloaltonetworks.kext.pangpd) and instead will use any of the available utun interfaces provided by macOS as the virtual adapter.
  • If you are upgrading from an earlier release to the GlobalProtect app 5.1.4 running on macOS Catalina 10.15.4, macOS Big Sur 11, or later, kernel extensions are no longer needed. After the upgrade, the System Extension Blocked notification message displays on the GlobalProtect app, prompting users to enable and allow the system extensions in macOS that was blocked from loading. By default, the app will not install system extensions and the same default settings are applied.
After you gather the required information, use the following steps to download and install the app:
  1. Log in to the GlobalProtect portal.
    1. Launch a web browser and go to the following URL:
      https://<portal IP address or FQDN>
      Example: http://gp.acme.com
    2. On the portal login page, enter your Name (username) and Password and then click LOG IN. In most instances, you can use the same username and password that you use to connect to your corporate network.
  2. Navigate to the app download page.
    In most instances, the app download pages appears immediately after you log in to the portal. Use this page to download the latest app software package.
    If your system administrator has enabled GlobalProtect Clientless VPN access, the applications page opens after you log in to the portal (instead of the app download page). Select GlobalProtect Agent to open the download page.
  3. Download the app.
    1. Click Download Mac 32/64 bit GlobalProtect agent.
    2. When prompted, Run the software.
    3. When prompted again, Run the GlobalProtect Installer.
  4. Complete the GlobalProtect app setup using the GlobalProtect Installer.
    1. From the GlobalProtect Installer, click Continue.
    2. On the Destination Select screen, select the installation folder for the GlobalProtect app, and then click Continue.
    3. On the Installation Type screen, select the GlobalProtect installation package check box.
      If your system administrator has configured the split tunnel on the gateway or enforced GlobalProtect connections for network access on the portal, select the GlobalProtect System Extensions check box (disabled by default).
      Click Continue.
    4. Click Install to confirm that you want to install GlobalProtect.
    5. When prompted, enter your User Name and Password, and then click Install Software to begin the installation.
    6. After installation is complete, Close the installer.
    7. If your administrator has configured the portal to install the Autonomous DEM (ADEM) endpoint agent during the GlobalProtect app installation for the first time, select OK in the following pop-up pop-up prompt so that it will not appear again:
    8. If you enabled the GlobalProtect System Extensions, select Open Security Preferences to enable the system extensions in macOS that was blocked from loading from the following System Extension Blocked notification:
      If your administrator has suppressed this notification by using the supported mobile device management system (MDM) such as Workspace ONE, you can automatically load the system extensionswithout receiving this notification.
    9. On the Security & Privacy dialog, click the padlock icon to make changes, and then select App Store and identified developers in the Allow apps downloaded from area. Click Allow.