Deploy Scripts Using the Mac Plist
When a user connects to the GlobalProtect gateway for the first time, the GlobalProtect agent downloads a configuration file and stores agent settings in a GlobalProtect Mac property file (plist). In addition to making changes to the agent settings, you use the Mac plist to deploy scripts at any or all of the following events: before and after establishing the tunnel, and before disconnecting the tunnel. Use the following workflow to get started using the Mac plist to deploy scripts to Mac endpoints.
The Mac plist settings that enable you to deploy scripts are supported in GlobalProtect agent 2.3 and later releases.
- (Endpoints running Mac OS X 10.9 or a later OS) Flush the settings cache. This prevents the OS from using the cached preferences after making changes to the plist.To clear the default preferences cache, run thekillall cfprefsdcommand from a Mac terminal.
- Open the GlobalProtect plist file, and locate or create the GlobalProtect dictionary associated with the connect or disconnect event. The dictionary under which you will add the settings will determine when the GlobalProtect agent runs the script(s).Use Xcode or an alternate plist editor to open the plist file (/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist) and go to the location of the dictionary:/Palo Alto Networks/GlobalProtect/Settings/pre-vpn-connect /Palo Alto Networks/GlobalProtect/Settings/post-vpn-connect /Palo Alto Networks/GlobalProtect/Settings/pre-vpn-disconnectCode copied to clipboardUnable to copy due to lack of browser support.If the Settings dictionary does not exist, create it. Then, inSettings, create a new dictionary for the event or events at which you want to run scripts.
- Enable the GlobalProtect agent to run scripts by creating a newStringnamedcommand.The value specified here should reference the shell script (and the parameters to pass to the script) that you want run on your devices. See Mac OS Script Examples.If the command string does not already exist, add it to the dictionary and specify the script and parameters in theValuefield, for example:$HOME\pre_vpn_connect.sh /Users/username usernameCode copied to clipboardUnable to copy due to lack of browser support.Environmental variables are supported.As a best practice, specify the full path in commands.
- (Optional) Add additional settings related to the command, including administrator privileges, a timeout value for the script, checksum value for the batch file, and an error message to display if the command fails to execute successfully.Create or modify additional strings in the plist (context,timeout,file,checksum, and/orerror-msg) and enter their corresponding values. For additional information, see Customizable Agent Settings.
- Save the changes to the plist file.Save the plist.