Deploy App Settings Transparently
As an alternative to deploying app settings from the
portal configuration, you can define them directly from the Windows
Registry, global macOS plist, or—on Windows endpoints only—using
the Windows Installer (Msiexec). This approach lets you deploy
GlobalProtect app settings to endpoints before their
first connection to the GlobalProtect portal.
Some settings do not have a corresponding portal configuration
setting on the web interface and must be configured using the Windows
Registry, Msiexec, or macOS plist. These settings are listed in
the Customizable App Settings as “Not in portal.”
Settings defined in the portal configuration always override
settings defined in the Windows Registry or macOS plist. If you
define settings in the registry or plist, but the portal configuration
specifies different settings, the settings that the app receives
from the portal override the settings defined on the endpoint.
This override also applies to login-related settings, such as whether
to connect on-demand, whether to use single sign-on (SSO), and whether
the app can connect if the portal certificate is invalid. Therefore,
you should avoid conflicting settings. In addition, the portal configuration
is cached on the endpoint, and that cached configuration is used
anytime the GlobalProtect app restarts or the endpoint reboots.
The following sections describe what customizable app settings
are available and how to deploy these settings transparently to
Windows and macOS endpoints:
In addition to using the Windows Registry and macOS plist
to deploy GlobalProtect app settings, you can enable the GlobalProtect
app to collect specific Windows Registry or macOS plist information
from the endpoints, including data on applications installed on
the endpoints, processes running on the endpoints, and attributes
or properties of those applications and processes. You can then
monitor the data and add it to a security rule to use as matching
criteria. Endpoint traffic that matches the registry settings you
define can be enforced according to the security rule. Additionally,
you can set up custom checks to Collect Application and Process
Data From Endpoints.