Deploy Scripts Using the Mac Plist
When a user connects to the GlobalProtect gateway for the first time, the GlobalProtect agent downloads a configuration file and stores agent settings in a GlobalProtect Mac property file (plist). In addition to making changes to the agent settings, you use the Mac plist to deploy scripts at any or all of the following events: before and after establishing the tunnel, and before disconnecting the tunnel. Use the following workflow to get started using the Mac plist to deploy scripts to Mac endpoints.
The Mac plist settings that enable you to deploy scripts are supported in GlobalProtect agent 2.3 and later releases.
- (Endpoints running Mac OS X 10.9 or a later OS)
Flush the settings cache. This prevents the OS from using the cached
preferences after making changes to the plist.To clear the default preferences cache, run the killall cfprefsd command from a Mac terminal.
- Open the GlobalProtect plist file, and locate or create
the GlobalProtect dictionary associated with the connect or disconnect
event. The dictionary under which you will add the settings will
determine when the GlobalProtect agent runs the script(s).Use Xcode or an alternate plist editor to open the plist file (/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist) and go to the location of the dictionary:
/Palo Alto Networks/GlobalProtect/Settings/pre-vpn-connect /Palo Alto Networks/GlobalProtect/Settings/post-vpn-connect /Palo Alto Networks/GlobalProtect/Settings/pre-vpn-disconnectCode copied to clipboardUnable to copy due to lack of browser support.If the Settings dictionary does not exist, create it. Then, in Settings, create a new dictionary for the event or events at which you want to run scripts.
- Enable the GlobalProtect agent to run scripts by creating
a new String named command.The value specified here should reference the shell script (and the parameters to pass to the script) that you want run on your devices. See Mac OS Script Examples.If the command string does not already exist, add it to the dictionary and specify the script and parameters in the Value field, for example:
$HOME\pre_vpn_connect.sh /Users/username usernameCode copied to clipboardUnable to copy due to lack of browser support.Environmental variables are supported.As a best practice, specify the full path in commands.
- (Optional) Add additional settings related to the command,
including administrator privileges, a timeout value for the script,
checksum value for the batch file, and an error message to display
if the command fails to execute successfully.Create or modify additional strings in the plist (context, timeout, file, checksum, and/or error-msg) and enter their corresponding values. For additional information, see Customizable Agent Settings.
- Save the changes to the plist file.Save the plist.
Deploy Agent Settings in the Mac Plist
Deploy Agent Settings in the Mac Plist You can set the GlobalProtect agent customization settings in the Mac global plist (Property list) file. This enables ...
Deploy Agent Settings to Mac Endpoints
Deploy Agent Settings to Mac Endpoints Use the Mac global plist (property list) file to set GlobalProtect agent customization settings for or to deploy scripts ...
Customizable Agent Settings
Customizable Agent Settings In addition to pre-deploying the portal address, you can also define the agent configuration settings. To Deploy Agent Settings to Windows Endpoints ...
Script Deployment Options
Script Deployment Options The following table displays options that enable GlobalProtect to initiate scripts before and after establishing a VPN tunnel and before disconnecting a ...
Deploy Scripts Using the Windows Registry
Deploy Scripts Using the Windows Registry You can enable deployment of custom scripts to Windows endpoints using the Windows registry. You can configure the GlobalProtect ...
Mac OS Script Examples
Mac OS Script Examples You can configure the GlobalProtect agent to initiate and run a script for any or all of the following events: before ...
Deploy Scripts Using Msiexec
Deploy Scripts Using Msiexec On Windows endpoints, you can use the Windows Installer (Msiexec) to deploy the agent, agent settings, and scripts that the agent ...
Customize the GlobalProtect Agent
Customize the GlobalProtect Agent The portal agent configuration allows you to customize how your end users interact with the GlobalProtect agents installed on their systems ...
Deploy Agent Settings Transparently
Deploy Agent Settings Transparently As an alternative to deploying agent settings from the portal configuration, you can define them directly from the Windows registry or ...