Deploy the Prisma Access Agent Using Unified Configuration Profiles (V3)

Install Prisma Access Agent using unified configuration profiles for a seamless installation that does not require end-user interaction.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Panorama)
What Do I Need?
  • Check the prerequisites for the deployment you're using
  • Minimum Prisma Access Agent version: 25.7
  • macOS 14 and later desktop devices
  • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
To set up the Prisma Access Agent on macOS devices, you will need to deploy an installation package to the target endpoint. During the installation process, macOS will prompt for various system permissions including system extension approval, notification permissions, and Full Disk Access permissions for Prisma Access Agent processes.
For a streamlined deployment that eliminates the need for end-user interaction or manual configuration by you, Palo Alto Networks offers two unified configuration profiles to aid in your deployment of Prisma Access Agent. You can use these profiles with Jamf Pro to deploy the Prisma Access Agent to your managed macOS endpoints.
One configuration profile contains specifications for Prisma Access Agent. The other configuration profile contains specifications for Endpoint DLP. Both configuration files must be installed for Prisma Access Agent to work properly on your endpoints, regardless of whether you use Endpoint DLP.
If you prefer to create your own configuration profiles directly within Jamf Pro, refer to Manually Create Configuration Profiles (V3) for Prisma Access Agent.
The Prisma Access Agent configuration profiles include the following payloads:
  • Content Filter
    Payload type: com.apple.webcontent-filter
  • Notifications
    Payload type: com.apple.notificationsettings
  • Privacy Preferences Policy Control
    Payload type: com.apple.TCC.configuration-profile-policy
  • System Extensions
    Payload type: com.apple.system-extension-policy
  • VPN
    Payload type: com.apple.vpn.managed
The macOS System Settings window does not show Full Disk Access permissions granted to the Prisma Access Agent by the configuration profile.
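To review which payloads an unsigned profile carries before it is uploaded, this added example (not part of the original page and not Palo Alto Networks code) lists every PayloadType in a plain-XML .mobileconfig and reports any that is not in the payload list above. The function names, the script name and the sample profile are constructed for illustration; `Configuration` is allowed because it is the type of the top-level profile dictionary.

```shell
#!/bin/sh
# List the PayloadType values in an unsigned (plain XML) .mobileconfig read
# from stdin and flag any that are not on this page's payload list.

# Payload types listed on this page, plus "Configuration", the type of the
# top-level dictionary in Apple's configuration profile format.
EXPECTED_TYPES='Configuration
com.apple.webcontent-filter
com.apple.notificationsettings
com.apple.TCC.configuration-profile-policy
com.apple.system-extension-policy
com.apple.vpn.managed'

# Print each distinct PayloadType string, one per line, in C-locale order.
payload_types() {
    # One XML tag per line, then take the <string> after each PayloadType key.
    tr '<' '\n' | awk -F'>' '
        $1 == "key"            { want = ($2 == "PayloadType"); next }
        want && $1 == "string" { print $2; want = 0 }
    ' | LC_ALL=C sort -u
}

# Print payload types not in EXPECTED_TYPES; return 1 if there are any.
unexpected_payload_types() {
    extra=$(payload_types | grep -Fxv -e "$EXPECTED_TYPES") || true
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# Constructed sample profile (not taken from the Palo Alto Networks bundle).
sample_profile() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array>
    <dict><key>PayloadType</key><string>com.apple.vpn.managed</string></dict>
    <dict><key>PayloadType</key>
      <string>com.example.unlisted</string></dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
</dict></plist>
EOF
}

# Usage (hypothetical script name): sh audit_payloads.sh <mobileconfig_filename>
if [ "$#" -ge 1 ]; then
    unexpected_payload_types < "$1"
fi
```

A payload type reported here is not necessarily wrong; it is one to look at before the profile goes into a Jamf Pro scope.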
The following procedure shows how to deploy Prisma Access Agent on macOS endpoints using both unified configuration profile files from Palo Alto Networks. Ensure that you perform the steps consecutively as described below. If you change the order, the configuration profiles might not be available at the time the agent requires them, which could cause unexpected behavior.
  1. Download the zipped bundle that contains the two configuration profiles.
  2. Uncompress the PrismaAccessAgent_ConfigProfiles_V3.zip file that you downloaded.
    This creates the PrismaAccessAgent_ConfigProfiles_V3 folder that contains the two configuration profiles with the following hash information.
    • PrismaAccessAgent_V3.mobileconfig
      SHA256: b5925aba052c79bc18b61e6d820d8134fc151fa619a004c278d6aa8b5df30f31
      MD5: ffa31dabd1ae50050a80ae6fce8d9095
    • PrismaAccessAgentDLP_V3.mobileconfig
      SHA256: e6c96b8751ce7da4b58ec21d51c8cc218f19d0f079dfe3c85c00fee634233864
      MD5: e5f70bcff5358ba2bd076d4df4c496b2
  3. Verify that the hash of each downloaded .mobileconfig file matches the hash provided for each file as listed above. If the hash for a configuration profile does not match, download the zipped bundle again. For example:
    • To check the SHA256 hash, run the following command:
      openssl sha256 <mobileconfig_filename>
    • To check the MD5 hash, run the following command:
      md5 <mobileconfig_filename>
  4. Upload the two configuration profiles to Jamf Pro. The configuration profiles aren't signed. If required, you can sign the configuration profiles using your own signing certificate.
    1. In the Scope tab for each configuration profile in Jamf Pro, add a deployment target by selecting Target Computers > All Computers.
      As a best practice, create a target group for macOS endpoints that are running the version of macOS that Prisma Access Agent supports. Then, deploy the configuration profile to that group. Prisma Access Agent supports macOS 14 and later operating systems.
    2. Save the configuration profiles.
  5. Upload the Prisma Access Agent installation package to Jamf Pro.
    1. (Optional) Set predeployment options in the config.json file, such as enabling pre-logon support and disabling the GlobalProtect app (if installed on the endpoint) during the installation of the Prisma Access Agent.
    2. Put the .pkg and config.json files into a folder and give the folder a meaningful name (such as the name of the .pkg), then compress the folder into a .zip file.
  6. Proceed to distribute the Prisma Access Agent package across your endpoints by creating a Jamf policy for Prisma Access Agent deployment.
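The hash check in step 3, scripted so that both profiles are compared against the SHA256 values listed in step 2 before anything is uploaded to Jamf Pro. This is an added example, not Palo Alto Networks code; the function and script names are hypothetical, it checks SHA256 only, and it assumes `openssl`, `shasum` or `sha256sum` is on the PATH.

```shell
#!/bin/sh
# Verify the two unified configuration profiles against the SHA256 values
# published in step 2 before uploading them to Jamf Pro.

# Print the lowercase hex SHA256 digest of the file named in $1.
sha256_of() {
    if command -v openssl >/dev/null 2>&1; then
        # Same command as step 3; the digest is the last field of its output.
        openssl sha256 "$1" | awk '{print $NF}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        sha256sum "$1" | awk '{print $1}'
    fi
}

# Compare one file ($1) with its expected digest ($2).
# Returns 0 on match, 1 on mismatch, 2 if the file is missing.
verify_profile() {
    if [ ! -f "$1" ]; then
        echo "MISSING   $1" >&2
        return 2
    fi
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK        $1"
        return 0
    fi
    echo "MISMATCH  $1 (got $actual): download the bundle again" >&2
    return 1
}

# Check both profiles in the unzipped folder ($1); non-zero if either fails.
verify_bundle() {
    rc=0
    verify_profile "$1/PrismaAccessAgent_V3.mobileconfig" \
        b5925aba052c79bc18b61e6d820d8134fc151fa619a004c278d6aa8b5df30f31 || rc=1
    verify_profile "$1/PrismaAccessAgentDLP_V3.mobileconfig" \
        e6c96b8751ce7da4b58ec21d51c8cc218f19d0f079dfe3c85c00fee634233864 || rc=1
    return "$rc"
}

# Usage (hypothetical script name):
#   sh verify_profiles.sh ./PrismaAccessAgent_ConfigProfiles_V3
if [ "$#" -ge 1 ]; then
    verify_bundle "$1"
fi
```

The non-zero exit status on a missing or mismatched file lets a packaging script stop before the upload in step 4.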