Manually Create a Configuration Profile for Prisma Access Agent
Learn how to create and deploy a configuration profile that defines how the Prisma Access Agent is configured and run on macOS devices.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Panorama)
What Do I Need?
  • Check the prerequisites for the deployment you're using
  • Prisma Access Agent version: 25.3.1.14
  • macOS 14 and later desktop devices
  • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
Create and deploy a configuration profile for Prisma Access Agents that defines how the Prisma Access Agent is configured on managed macOS devices. For example, you can set up the configuration profile to automatically load system extensions to provide a seamless experience for users running the Prisma Access Agent to access the internet, SaaS applications, and private applications and resources in your organization.
This configuration profile will automatically load the following Prisma Access Agent extensions on a managed endpoint:
  • PAA Network Extension (com.paloaltonetworks.pang.networkextension)
  • PAA Security Extension (com.paloaltonetworks.pang.securityextension)
After you deploy the agent, run the systemextensionsctl list command on an endpoint to verify that both extensions are listed with the state [activated enabled]. An extension shown as [activated waiting for user] has been loaded but not approved, which usually means the System Extensions payload (team ID or bundle identifier) did not match.
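The following script is an added example, not Palo Alto Networks' code, of the endpoint check described above. It parses the tab-delimited output of systemextensionsctl list and accepts an extension only if it is signed by team PXPZ95SK77 and in the [activated enabled] state; a plain grep for the bundle identifiers would also match an extension that is loaded but still waiting for user approval. The sample listings embedded in the script are constructed (version numbers and display names are assumptions) so the parser can be exercised off an endpoint; the PAA_SELFTEST variable is the script's own switch, not a product setting.

```shell
#!/bin/sh
# Added example (not Palo Alto Networks' code): verify on a macOS endpoint that
# the Prisma Access Agent system extensions pushed by the profile are loaded.
# It parses the tab-delimited output of `systemextensionsctl list` rather than
# grepping for the bundle IDs, because an extension can be listed while still
# "[activated waiting for user]" (approval not yet granted by the profile).

PAA_TEAM_ID="PXPZ95SK77"
PAA_REQUIRED_EXTENSIONS="com.paloaltonetworks.pang.networkextension com.paloaltonetworks.pang.securityextension"

# One data row in the layout `systemextensionsctl list` prints (tab-separated):
#   enabled  active  teamID  bundleID (version)  name  [state]
sysext_row() {
  printf '%s\t%s\t%s\t%s (%s)\t%s\t%s\n' "$1" "$2" "$3" "$4" "$5" "$6" "$7"
}

# Constructed sample listing: both extensions approved and running.
# (Version numbers and display names are assumptions.)
healthy_sample() {
  printf '%s\n' '2 extension(s)' '--- com.apple.system_extension.network_extension'
  printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
  sysext_row '*' '*' "$PAA_TEAM_ID" com.paloaltonetworks.pang.networkextension 1.0/1 'Prisma Access Agent' '[activated enabled]'
  printf '%s\n' '--- com.apple.system_extension.endpoint_security'
  printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
  sysext_row '*' '*' "$PAA_TEAM_ID" com.paloaltonetworks.pang.securityextension 1.0/1 'Prisma Access Agent' '[activated enabled]'
}

# Constructed sample listing where the security extension is still waiting for
# user approval: its "enabled" column is empty, which is exactly the row a
# whitespace-split parser mis-reads because the first field disappears.
degraded_sample() {
  printf '%s\n' '2 extension(s)' '--- com.apple.system_extension.network_extension'
  printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
  sysext_row '*' '*' "$PAA_TEAM_ID" com.paloaltonetworks.pang.networkextension 1.0/1 'Prisma Access Agent' '[activated enabled]'
  printf '%s\n' '--- com.apple.system_extension.endpoint_security'
  printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
  sysext_row '' '*' "$PAA_TEAM_ID" com.paloaltonetworks.pang.securityextension 1.0/1 'Prisma Access Agent' '[activated waiting for user]'
}

# check_paa_sysext LISTING: prints one line per required extension
# (OK / NOT-ENABLED / MISSING) and returns 0 only if every one is
# "[activated enabled]" and attributed to the expected team ID.
check_paa_sysext() {
  listing="$1"
  rc=0
  for ext in $PAA_REQUIRED_EXTENSIONS; do
    # Match on team ID (column 3) and bundle ID prefix of column 4, which is
    # "bundleID (version)"; the " (" keeps a longer bundle ID from matching.
    line=$(printf '%s\n' "$listing" | awk -F'\t' -v team="$PAA_TEAM_ID" -v ext="$ext" \
      '$3 == team && index($4, ext " (") == 1 { print; exit }')
    if [ -z "$line" ]; then
      printf 'MISSING %s (no entry for team %s)\n' "$ext" "$PAA_TEAM_ID"
      rc=1
      continue
    fi
    state=$(printf '%s\n' "$line" | awk -F'\t' '{ print $NF }')
    if [ "$state" = "[activated enabled]" ]; then
      printf 'OK %s\n' "$ext"
    else
      printf 'NOT-ENABLED %s %s\n' "$ext" "$state"
      rc=1
    fi
  done
  return "$rc"
}

# On a Mac, check the live listing; elsewhere (or with PAA_SELFTEST=1) run the
# parser over the constructed healthy sample so the script runs stand-alone.
if [ "${PAA_SELFTEST:-0}" != "1" ] && command -v systemextensionsctl >/dev/null 2>&1; then
  check_paa_sysext "$(systemextensionsctl list 2>/dev/null)"
else
  check_paa_sysext "$(healthy_sample)"
fi
```

Run it as the logged-in user on the endpoint after the profile has been pushed (systemextensionsctl list does not require root). A non-zero exit with a NOT-ENABLED line for one extension points at the System Extensions payload in step 6; a MISSING line means the agent package has not been installed or its extensions were never activated.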
Endpoint DLP Considerations
If you plan to use Endpoint DLP with Prisma Access Agent, also complete the optional Endpoint DLP entries in the Privacy Preferences Policy Control and System Extensions payloads in the steps below.
If you previously deployed other Palo Alto Networks apps such as GlobalProtect™ and Cortex® XDR® to your endpoints, and you deploy the system extensions through mobile device management (MDM) software, the configuration profiles for Prisma Access Agent and for the other Palo Alto Networks apps must each include both the Allowed System Extensions and the Removable System Extensions settings. If only one of the profiles marks its extensions as removable, the uninstallation of Prisma Access Agent won't complete.
  1. Create a Jamf Smart Computer Group to target specific managed macOS devices for the installation of the Prisma Access Agent.
  2. Create a configuration profile for the Prisma Access Agent.
    1. In Jamf Pro, select Computers > Configuration Profiles > New.
    2. Specify General settings:
      • Name = Enter a display name for the configuration profile
      • Level = Computer Level
  3. Configure a Content Filter payload to push the Prisma Access Agent content filter to your users' devices and suppress the prompt that otherwise asks the user to allow Prisma Access Agent to filter network content. The Socket Filter Designated Requirement pins the filter provider to the Palo Alto Networks team ID (PXPZ95SK77), so macOS rejects a provider with the same bundle identifier signed by a different team.
    1. Select Options > Content Filter.
    2. Enter a Filter Name, such as PAA Content Filter.
    3. For the Identifier, enter com.paloaltonetworks.pang.
    4. Enable Filter Order and select Firewall.
    5. Enable the Socket Filter and enter the following:
      • Socket Filter Bundle Identifier = com.paloaltonetworks.pang.networkextension
      • Socket Filter Designated Requirement =
        identifier "com.paloaltonetworks.pang.networkextension" and anchor apple generic and certificate leaf[subject.OU] = PXPZ95SK77
    6. Save your settings.
  4. Create a Notifications payload to configure how Prisma Access Agent notifications are displayed on the end users' devices.
    1. If you saved your settings in the previous step, click Edit.
    2. Select Options > Notifications > Add.
    3. Enter the App Name, such as Prisma Access Agent.
    4. For Bundle ID, enter com.paloaltonetworks.PrismaAccessAgent.
    5. Specify how you want alerts and notifications for the Prisma Access Agents to appear on the end users' devices. For example, to configure notifications that are not overly intrusive, select:
      • Notifications = Enabled
      • Banner alert type = Persistent
    6. Save your settings.
  5. Create a Privacy Preferences Policy Control payload to configure access settings for the Prisma Access Agent. This will provide Full Disk Access permissions for Prisma Access Agent processes.
    1. If you saved your settings in the previous step, click Edit.
    2. Select Options > Privacy Preferences Policy Control > Configure.
    3. In the App Access section, specify the values as shown for the following fields:
      • Identifier = com.paloaltonetworks.pang.securityextension
      • Identifier Type = Bundle ID
      • Code Requirement =
        identifier "com.paloaltonetworks.pang.securityextension" and anchor apple generic and certificate leaf[subject.OU] = PXPZ95SK77
      • APP OR SERVICE = SystemPolicyAllFiles
      • ACCESS = Allow
    4. (Optional) To enable Endpoint DLP during the installation of Prisma Access Agent, add two App access sections to provide Full Disk Access permissions for Endpoint DLP processes.
      1. Click the + sign to add an App access section for com.paloaltonetworks.pangdlp.enforcer.
      2. Specify the values as shown for the following fields:
        • Identifier = com.paloaltonetworks.pangdlp.enforcer
        • Identifier Type = Bundle ID
        • Code Requirement =
          identifier "com.paloaltonetworks.pangdlp.enforcer" and anchor apple generic and certificate leaf[subject.OU] = PXPZ95SK77
        • APP OR SERVICE = SystemPolicyAllFiles
        • ACCESS = Allow
      3. Click the + sign to add an App access section for com.paloaltonetworks.pangdlp.
      4. Specify the values as shown for the following fields:
        • Identifier = com.paloaltonetworks.pangdlp
        • Identifier Type = Bundle ID
        • Code Requirement =
          identifier "com.paloaltonetworks.pangdlp" and anchor apple generic and certificate leaf[subject.OU] = PXPZ95SK77
        • APP OR SERVICE = SystemPolicyAllFiles
        • ACCESS = Allow
    5. Save your settings.
  6. Configure a System Extensions payload to automatically load the Prisma Access Agent system extensions on the end users' devices and suppress the System Extension Blocked prompt that otherwise requires the user to approve each extension in System Settings.
    1. If you saved your settings in the previous step, click Edit.
    2. Select Options > System Extensions > Configure.
    3. Enter a Display Name such as PAA Allowed System Extensions.
    4. Specify the values as shown for the following fields:
      • For System Extension Types, select Allowed system extensions.
      • For Team Identifier, enter PXPZ95SK77.
      • In Allowed System Extensions, add the following extensions:
        • com.paloaltonetworks.pang.networkextension (Prisma Access Agent network extension)
        • com.paloaltonetworks.pang.securityextension (Prisma Access Agent security extension)
        • (Optional) com.paloaltonetworks.pangdlp.enforcer (if you plan to use Endpoint DLP with Prisma Access Agent)
    5. To avoid potential conflict between nonremovable and removable system extensions, configure removable system extensions for Prisma Access Agent:
      1. Click the + sign to add a second Allowed System Extensions and Team IDs section.
      2. Enter a Display Name such as PAA Removable System Extensions.
      3. For System Extension Types, select Removable system extensions.
      4. For Team Identifier, enter PXPZ95SK77.
      5. Add the following Removable System Extensions:
        • com.paloaltonetworks.pang.networkextension (Prisma Access Agent network extension)
        • com.paloaltonetworks.pang.securityextension (Prisma Access Agent security extension)
        • (Optional) com.paloaltonetworks.pangdlp.enforcer (if you plan to use Endpoint DLP with Prisma Access Agent)
    6. Save your payload settings.
  7. Configure a VPN payload that registers the Prisma Access Agent network extension as the app-proxy (transparent proxy) provider, so that the device's traffic is handled by the Prisma Access Agent tunnel.
    1. If you saved your settings in the previous step, click Edit.
    2. Select Options > VPN > Configure.
    3. Enter a Connection Name, such as PAA Transparent Proxy.
    4. For the VPN Type, select VPN.
    5. Specify the values as shown for the following fields:
      • Connection Type = Custom SSL
      • Identifier = com.paloaltonetworks.pang.
      • Server = A placeholder IP address such as 8.8.8.8
      • Provider Bundle Identifier = com.paloaltonetworks.pang.networkextension
    6. For Custom Data, add the following key and value:
      • Key = ztna-spdo-dyn-uuid
      • Value = 339E19CD-B2EF-4DB4-8E7F-D6E72BDFA7CB
    7. For Provider Type, select App-proxy.
    8. Enable Exclude Local Networks.
    9. For Provider Designated Requirement, enter:
      identifier "com.paloaltonetworks.pang.networkextension" and anchor apple generic and certificate leaf[subject.OU] = PXPZ95SK77
    10. Select Enable VPN on Demand and enter the following On Demand Rules Configuration XML:
      <array>
        <dict>
          <key>Action</key>
          <string>Connect</string>
        </dict>
      </array>
    11. Save your settings.
  8. Set the scope for the configuration profile.
    1. Edit the configuration profile.
    2. Select Scope and add the Smart Computer Group that you created to target the specific managed macOS devices for the installation of the Prisma Access Agent. You can also select specific computers as deployment targets.
    3. Save the scope of the profile. Jamf will target the selected computers and computer groups for the distribution of the configuration profile.
  9. To verify the status of the configuration profile installation:
    1. In Jamf Pro, select Computers > Configuration Profiles.
    2. Find the configuration profile that you set up and select View.
    3. Select the log that you want to view:
      • To show the configuration profiles that have been installed, select Inventory > Profiles.
      • To show the configuration profiles that are pending or that failed the push, select Management and view the Pending Commands or Failed Commands.
  10. After the profile has been deployed, verify the status of the profile installation on a macOS endpoint:
    1. In System Settings, search for Profiles.
    2. Double-click the Prisma Access Agent profile that you deployed.
    3. Review the profile settings to ensure that the correct settings have been deployed.