Deploy App Settings in the macOS Plist

You can set the GlobalProtect app customization settings in the macOS global plist (Property list) file. This enables deployment of GlobalProtect app settings to macOS endpoints prior to their first connection to the GlobalProtect portal.
On macOS endpoints, plist files are either located in
/Library/Preferences
or in
~/Library/Preferences
. The tilde (
~
) symbol indicates that the location is in the current user's home folder. The GlobalProtect app on a macOS endpoint first checks for the GlobalProtect plist settings. If the plist does not exist at that location, the GlobalProtect app searches for plist settings in
~/Library/Preferences
.
In addition to using the macOS plist to deploy GlobalProtect app settings, you can enable the GlobalProtect app to collect specific macOS plist information from the endpoints. You can then monitor the data and add it to a security rule to use as matching criteria. Endpoint traffic that matches registry settings you define can be enforced according to the security rule. Additionally, you can set up custom checks to Collect Application and Process Data From Endpoints.
  1. Open the GlobalProtect plist file and locate the GlobalProtect app customization settings.
    Use Xcode or an alternate plist editor to open the plist file:
    /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
    Then go to:
    /Palo Alto Networks/GlobalProtect/Settings
    If the
    Settings
    dictionary does not exist, create it. Add each key to the
    Settings
    dictionary as a string.
  2. (
    Optional
    ) Predeploy the portal name.
    If you do not want the end user to manually enter the portal address even for the first connection, you can pre-deploy the portal address through the plist. In the
    PanSetup
    dictionary, configure an entry for
    Portal
    .
  3. (
    Optional
    ) Predeploy the IP address of a preferred gateway.
    If you want to use a specific gateway for the first connection, you can pre-deploy the gateway IP address through the plist. In the
    PanGPS
    dictionary, configure an entry for
    PreferredIP
    . When
    PreferredIP_
    <md5_of_username _and_gateway>
    does not exist, the GlobalProtect app uses the specified value for the first connection.
  4. Deploy various settings to the macOS endpoint, including the connect method for the GlobalProtect app.
    View Customizable App Settings for a full list of the keys and values that you can configure using the macOS plist.

Related Documentation