Deploy Agent Settings Transparently

As an alternative to deploying agent settings from the portal configuration, you can define them directly from the Windows registry or global Mac plist or—on Windows clients only—using the Windows Installer (Msiexec). The benefit is that it enables deployment of GlobalProtect agent settings to endpoints prior to their first connection to the GlobalProtect portal.
Settings defined in the portal configuration always override settings defined in the Windows registry or Mac plist. So if you define settings in the registry or plist, but the portal configuration specifies different settings, the settings the agent receives from the portal will override the settings defined on the client. This override also applies to login-related settings, such as whether to connect on-demand, whether to use single sign-on (SSO), and whether the agent can connect if the portal certificate is invalid. Therefore, you should avoid conflicting settings. In addition, the portal configuration is cached on the endpoint and that cached configuration is be used anytime the GlobalProtect agent is restarted or the client machine is rebooted.
The following sections describe the customizable agent settings available and how to deploy these settings transparently to Windows and Mac clients:
In addition to using Windows registry and Mac plist to deploy GlobalProtect agent settings, you can enable the GlobalProtect agent to collect specific Windows registry or Mac plist information from clients, including data on applications installed on the clients, processes running on the clients, and attributes or properties of those applications and processes. You can then monitor the data and add it to a security rule as matching criteria. Device traffic that matches registry settings you have defined can be enforced according to the security rule. Additionally, you can set up custom checks to Collect Application and Process Data From Clients.

Related Documentation