Agent Configurations Based on the Endpoint Serial Number

Use the following steps to push agent configurations to connecting endpoints based on the presence of the endpoint serial number in the Active Directory or Azure AD:
This enhancement is applicable only to Android, Windows, macOS, and Linux endpoints.
To verify the presence of an endpoint serial number on the firewall, you must first populate a directory server with the list of serial numbers for all managed endpoints.
  1. To identify the endpoint status based on the endpoint serial number, you must configure group mapping. If an endpoint is managed, you can bind the serial number of the endpoint to the machine account of the endpoint in your directory server (such as Active Directory). The firewall can then pre-fetch the serial numbers of these managed endpoints when it retrieves group mapping information from the directory server.
    In your Group Mapping configuration (Device > User Identification > Group Mapping Settings > <group-mapping-config>), you must enable the option to Fetch list of managed devices. This allows the firewall to retrieve serial numbers from the directory server.
  2. Add config selection criteria for your agent configuration based on the presence of the endpoint serial number in the Active Directory or Azure AD.
    When a user attempts to establish a GlobalProtect connection, the GlobalProtect app sends the serial number of the connecting endpoint to the portal to match against the list of serial numbers in the Active Directory or Azure AD. If an endpoint matches all config selection criteria for an agent configuration, including the presence of the endpoint serial number in the Active Directory or Azure AD, the portal pushes that agent configuration to the endpoint.
    To deliver your agent configuration to connecting endpoints based on the presence of the endpoint serial number in the Active Directory or Azure AD, use the following steps:
    1. Select Config Selection Criteria > Device Checks.
    2. In the Serial Number Check area, select an option from the Machine account exists with device serial number drop-down. If you set this option to Yes, the agent configuration applies only to endpoints whose serial number exists in the directory (managed endpoints). If you set this option to No, the agent configuration applies only to endpoints whose serial number does not exist in the directory (unmanaged endpoints). If you set this option to None, the presence of the endpoint serial number is not used to decide whether the configuration is delivered to the app.
  3. Save the portal configuration.
    1. Click OK twice.
    2. Commit your changes.
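The following Python example is added here to illustrate the selection logic the steps above describe; it is not PAN-OS or GlobalProtect code. It models a pre-fetched list of managed serial numbers, the three settings of the Machine account exists with device serial number drop-down (Yes, No, None), and an ordered list of agent configurations. The serial-number normalization (trim and case-fold), the first-match ordering of configurations, and the treatment of a missing serial number as "unmanaged" are assumptions made for the example, and the sample serial numbers are constructed.

```python
"""Added example: models the serial-number check used when a GlobalProtect portal
selects an agent configuration. Not PAN-OS code; ordering and normalization
below are assumptions made for illustration."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample: serial numbers the firewall would pre-fetch from the
# machine accounts in the directory server once "Fetch list of managed devices"
# is enabled. Mixed case and stray whitespace stand in for untidy data entry.
MANAGED_SERIALS_FROM_DIRECTORY = ["C02XK1ABCDEF", " 5cg8123abc ", "vmware-42 1a 2b"]


def normalize_serial(serial: str) -> str:
    # Assumption: the comparison ignores surrounding whitespace and letter case.
    return serial.strip().upper()


def build_managed_set(raw_serials: Iterable[str]) -> set:
    """Turn the directory export into a lookup set, skipping empty values."""
    return {normalize_serial(s) for s in raw_serials if s and s.strip()}


@dataclass
class AgentConfig:
    name: str
    # "yes" | "no" | "none": the Serial Number Check drop-down value.
    serial_check: str


def serial_check_passes(check: str, serial: Optional[str], managed: set) -> bool:
    """Return True if the serial-number criterion of one configuration is met.

    A missing serial (None) is treated as unmanaged; this matters for platforms
    on which the app does not report a serial number at all.
    """
    check = check.lower()
    if check == "none":
        return True  # criterion is not evaluated for this configuration
    is_managed = serial is not None and normalize_serial(serial) in managed
    if check == "yes":
        return is_managed
    if check == "no":
        return not is_managed
    raise ValueError(f"unknown serial check setting: {check!r}")


def select_config(configs: Iterable[AgentConfig], serial: Optional[str], managed: set) -> Optional[str]:
    """Assumption: configurations are evaluated in order; the first match wins."""
    for cfg in configs:
        if serial_check_passes(cfg.serial_check, serial, managed):
            return cfg.name
    return None


# Constructed portal: a managed-only configuration followed by a catch-all
# whose serial check is set to None.
PORTAL_CONFIGS = [
    AgentConfig("managed-full-tunnel", "yes"),
    AgentConfig("default", "none"),
]


if __name__ == "__main__":
    managed = build_managed_set(MANAGED_SERIALS_FROM_DIRECTORY)
    for endpoint in ["c02xk1abcdef", "UNKNOWN-0001", None]:
        print(endpoint, "->", select_config(PORTAL_CONFIGS, endpoint, managed))
```

Running the block shows a managed endpoint receiving managed-full-tunnel while an unknown serial, or no serial at all, falls through to the default configuration. The useful check to take from it is the ordering: a configuration whose serial check is None matches every endpoint, so it belongs after the configurations that use Yes or No.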