As an alternative to deploying app settings from the
portal configuration, you can define them directly from the Windows
Registry, global macOS plist, or—on Windows endpoints only—using
the Windows Installer (Msiexec). The benefit is that it enables
deployment of GlobalProtect app settings to endpoints prior to their
first connection to the GlobalProtect portal.
Settings defined in the portal configuration always override
settings defined in the Windows Registry or macOS plist. If you
define settings in the registry or plist, but the portal configuration
specifies different settings, the settings that the app receives
from the portal overrides the settings defined on the endpoint.
This override also applies to login-related settings, such as whether
to connect on-demand, whether to use single sign-on (SSO), and whether
the app can connect if the portal certificate is invalid. Therefore,
you should avoid conflicting settings. In addition, the portal configuration
is cached on the endpoint, and that cached configuration is used
anytime the GlobalProtect app restarts or the endpoint reboots.
The following sections describe what customizable app settings
are available and how to deploy these settings transparently to
Windows and macOS endpoints:
In addition to using the Windows Registry and macOS plist
to deploy GlobalProtect app settings, you can enable the GlobalProtect
app to collect specific Windows Registry or macOS plist information
from the endpoints, including data on applications installed on
the endpoints, processes running on the endpoints, and attributes
or properties of those applications and processes. You can then
monitor the data and add it to a security rule to use as matching
criteria. Endpoint traffic that matches the registry settings you
define can be enforced according to the security rule. Additionally,
you can set up custom checks to Collect
Application and Process Data From Endpoints.