Use the GlobalProtect App for macOS

This topic applies to you only if your setup requires you to enter your GlobalProtect login credentials after you have logged into your endpoint (single sign-on is disabled).
We typically recommend that organizations allow its GlobalProtect users to log in transparently following app installation. After you log in to an endpoint with transparent GlobalProtect login, the GlobalProtect app automatically initiates and connects to the corporate network without further user intervention.
After the installation is complete, the
System Extension Blocked
notification message appears, prompting users to enable the system extensions in macOS that was blocked from loading. If the
GlobalProtect System Extensions
option is not selected during the installation, this notification message appears once users connect to the gateway. This notification appears if your administrator has configured either split tunnel on the GlobalProtect gateway, enforced GlobalProtect connections for network access on the GlobalProtect portal (see GlobalProtect App Customization), or both. Both features require users to enable the system extensions.
If your setup requires you to enter your GlobalProtect credentials, follow the applicable steps below.
  1. Log in to GlobalProtect.
    If you are logging in to the endpoint for the first time, the GlobalProtect app displays a friendly, welcome page upon successful login. Click
    Get Started
    .
    1. Launch the GlobalProtect app by clicking the system tray icon. The status panel opens.
    2. (
      Optional
      ) Review your company’s terms of service before connecting to GlobalProtect if your administrator requires you to see a page to access internal resources.
      If you do not accept terms of use, you will not be able to connect to GlobalProtect.
      Optionally, if you click
      Cancel
      , you must enter the IP address (or domain) of the GlobalProtect portal, and then click
      Connect
      to initiate the connection.
    3. Enter the IP address or domain of the portal that your GlobalProtect administrator provided, and then click
      Connect
      .
  2. Connect to the GlobalProtect portal or gateway.
    You can determine if you are connected by checking the GlobalProtect system tray icon. If you are not connected, the icon is gray ( ), and
    Not Connected
    appears when you hover over the icon.
    1. Launch the GlobalProtect app by clicking the system tray icon. The status panel opens.
    2. (
      Optional
      ) If you are logging in to the GlobalProtect app for the first time, enter the FQDN or IP address of the GlobalProtect portal, and then click
      Connect
      .
    3. (
      Optional
      ) If multiple portals are saved on your app, select a portal from the
      Change Portal
      drop-down. By default, the most recently connected portal is pre-selected from the
      Change Portal
      drop-down.
    4. (
      Optional
      ) By default, you are automatically connected to the
      Best Available
      gateway, based on the configuration that the administrator defines and the response times of the available gateways. To connect to a different gateway, click the
      Change Gateway
      drop-down and then use one of the following options:
      • Select a gateway manually (external gateways only). This option is only available if your administrator enables manual gateway selection.
      • Assign and automatically connect to a preferred gateway:
        1. To designate a gateway as preferred, click the star icon ( ). The next time you connect, you will automatically connect to this preferred gateway.
          If you later decide that you don’t want the gateway as your preferred gateway anymore, you can simply clear the star icon to remove this gateway as a preferred connection.
        2. By default, you automatically connect to the
          Best Available
          gateway that is identified by a check mark from the
          Change Gateway
          drop-down. If you set the preferred gateway, a star displays by the starred gateway from the
          Change Gateway
          drop-down.
          If your administrator configured manual external gateways in the portal agent configuration, you can choose a specific gateway using the gateway search field.
    5. (
      Optional
      ) Depending on the connection mode, click
      Connect
      to initiate the connection.
    6. (
      Optional
      ) If prompted, enter your
      Username
      and
      Password
      and then
      Sign In
      .
      If your administrator has allowed you to use biometric (fingerprint) information to sign in, you need to first sign-in with a username and password twice (once to save it and again to authenticate); you can then use biometric information to sign in.
      If your system administrator has enabled the
      GlobalProtect System Extensions
      , you must enable the system extensions in macOS that was blocked from loading to use the split tunnel and Enforce GlobalProtect for Network Access features.
      Users do not need administrator privileges to allow both the
      Network Extensions Configuration
      pop-up prompts. Your administrator can suppress these message prompts by using the mobile device management system (MDM) such as Jamf Pro to automatically load the network extensions without receiving these prompts. Refer to the knowledge base article at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAW8 for information on how to enable system and network extensions using Jamf Pro.
      1. (
        macOS Catalina 10.15.4 or later only
        ) If your system administrator has configured split tunnel based on domains and applications on the GlobalProtect gateway, select
        Allow
        in the following pop-up prompt:
        If you select
        Don’t Allow
        , the Split Tunnel feature cannot be used on the GlobalProtect app. This pop-up prompt will appear the next time you connect to the portal or gateway.
      2. (
        macOS Catalina 10.15.4 or later only
        ) If your system administrator has enabled the Enforce GlobalProtect Connections for Network Access feature, select
        Allow
        in the following pop-up prompt:
        If you select
        Don’t Allow
        , the Enforce GlobalProtect Connections for Network Access feature will not work and the GlobalProtect connections for network access cannot be enforced. This pop-up prompt will appear until you select
        Allow
        .
      3. (
        macOS Big Sur 11 or later only
        ) If your system administrator has configured split tunnel based on domains and applications on the GlobalProtect gateway and enabled the Enforce GlobalProtect Connections for Network Access feature, select
        Allow
        in the following pop-up prompt:
        If you select
        Don’t Allow
        , the Split Tunnel feature cannot be used on the GlobalProtect app, the Enforce GlobalProtect Connections for Network Access feature will not work, and the GlobalProtect connections for network access cannot be enforced. This pop-up prompt will appear the next time you connect to the portal or gateway or until you select
        Allow
        .
      When the app connects in external mode, the GlobalProtect system tray icon displays a shield ( ), and
      Connected
      appears when you hover over the icon. When the app connects in internal mode, the GlobalProtect system tray icon displays a house ( ), and
      Internal Network
      appears when you hover over the icon.
  3. Open the GlobalProtect app.
    Click the GlobalProtect system tray icon to launch the app interface.
    A notification appears if your administrator configured the portal to install the Autonomous DEM (ADEM) endpoint agent during the GlobalProtect app installation and has either allowed you to enable the tests or not allowed you to enable the tests. If your administrator has already installed the ADEM endpoint agent and later configured the portal to uninstall the ADEM endpoint agent, a notification appears at the next login.
  4. View information about your network connection.
    After you launch the app, click the hamburger menu on the status panel to open the settings menu. Select
    Settings
    to open the
    GlobalProtect Settings
    panel, and then select one of the following settings to view and modify the GlobalProtect app:
    • Connections
      —The
      Connections
      tab displays the portal(s) associated with the GlobalProtect account. You can add, edit, or delete portals from this tab. This tab also displays the gateway to which you are connected. You can view connection statistics about the gateway (for example, gateway IP address, location, and VPN session uptime) when your administrator sets
      Enable Advanced View
      to
      Yes
      in the GlobalProtect portal agent configuration.
    • Preferences
      —The
      Preferences
      tab is now available only if your administrator configures at least one of the following options:
      • Enable Biometric Sign-in
        —You can choose to use biometric (fingerprint) information to sign in. This option is available only if your administrator configures the
        Save User Credentials
        to
        Only with User Fingerprint
        in the GlobalProtect agent configuration. You must supply a fingerprint that matches a trusted fingerprint template on the endpoint to use a saved password for authentication to GlobalProtect portal and gateways.
      • Do not display a welcome page upon each successful connection
        —You can choose to display a welcome page upon successful login. This option is available only if your administrator sets the
        Welcome Page
        to
        factory-default
        in the GlobalProtect portal agent configuration.
      • Connect with SSL
        —You can choose to use SSL or stay with IPSec. This option is available only if your administrator sets
        Connect with SSL Only
        to
        User can Change
        in the GlobalProtect portal agent configuration .
      • Always run diagnostic tests and include logs
        —You can choose to enable the GlobalProtect app to run diagnostic tests and to include diagnostic logs. This option is available only if your administrator enables the GlobalProtect app log collection for troubleshooting on the GlobalProtect portal.
    • Troubleshooting
      —The
      Troubleshooting
      tab allows you to
      Collect Logs
      and set the logging level to
      Debug Logs
      or
      Dump Logs
      , and optionally
      Enable User Experience Tests
      .
      In order for the GlobalProtect app to send troubleshooting logs, diagnostic logs, or both to Cortex Data Lake for further analysis, you must configure the GlobalProtect portal to enable the GlobalProtect app log collection for troubleshooting. Additionally, you can configure the HTTPS-based destination URLs that can contain IP addresses or fully qualified domain names of the web servers/resources that you want to probe, and to determine issues such as latency or network performance on the end user’s endpoint.
      You can click
      Advanced
      to view detailed information about their endpoint.
      The
      Advanced Logging Settings
      window displays information about the network configuration, route settings, active connections, and logs.
      When GlobalProtect is connected, verify that the ADEM endpoint agent can perform user experience tests if the
      Enable user experience tests
      check box is displayed on the GlobalProtect app. Or you can verify that a message is displayed if your administrator installed the ADEM endpoint agent during the GlobalProtect app installation but does not allow you to enable or disable user experience tests from the GlobalProtect app. By default, heartbeat alerts are still forwarded to ADEM even when GlobalProtect is disabled or disconnected.
      If your administrator configured the portal to install the Autonomous DEM endpoint agent during the GlobalProtect app installation and has allowed you to enable the tests, select the check box to
      Enable user experience tests
      on the GlobalProtect app. This check box does not appear if your administrator does not allow you to enable or disable user experience tests from the GlobalProtect app. Instead, a message is displayed, confirming that the app is enabled to run user experience tests.
      If you do not select the check box to
      Enable user experience tests
      , heartbeat alerts are still forwarded to ADEM.
    • Notifications
      —The
      Notifications
      tab displays the detailed information about specific notifications triggered on the GlobalProtect app.
      You are also notified if there are no new notifications triggered on the GlobalProtect app.
    • Host Profile
      —The
      Host Profile
      tab displays the endpoint data that GlobalProtect uses to monitor and enforce security policies using the Host Information Profile. You can
      Resubmit Host Profile
      to manually resubmit HIP data to the gateway.
      If your administrator configured multiple internal gateways in non-tunnel mode and internal host detection, you can click
      More Details
      to monitor the Host Information Profile (HIP) report submission for each gateway from a central location to help you to quickly troubleshoot HIP related issues.
    • About
      —The
      About
      tab displays the version of GlobalProtect currently installed on the endpoint and allows end users to
      Check for Updates
      .
  5. (
    Optional
    ) Log in using a new password.
    If your GlobalProtect administrator configures the GlobalProtect portal agent to
    Save User Credentials
    , your credentials are automatically saved to the GlobalProtect app. If your password for accessing the corporate network changes, you must log in to GlobalProtect using your new password.
    1. Launch the GlobalProtect app by clicking the system tray icon. The status panel opens.
    2. Click the hamburger menu to open the settings menu.
    3. Select
      Settings
      to open the
      GlobalProtect Settings
      panel.
    4. On the
      GlobalProtect Settings
      panel,
      Sign Out
      to clear your saved user credentials from the GlobalProtect app.
    5. After you clear your user credentials, you can reconnect to GlobalProtect with your new username and password.
  6. (
    Optional
    ) Disconnect from GlobalProtect.
    If your administrator configures GlobalProtect with the
    On-Demand
    connect method, you can disconnect from GlobalProtect by clicking
    Disconnect
    on the status panel.

Recommended For You