Prisma Access Agent
Deploy the Prisma Access Agent Using a Unified Configuration Profile (V2_1)
Table of Contents
Deploy the Prisma Access Agent Using a Unified Configuration Profile (V2_1)
Install Prisma Access Agent using a unified configuration profile for a
seamless installation that does not require end-user interaction.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
To set up the Prisma Access Agent on macOS devices, you will need to deploy an
installation package to the target endpoint. During the installation process, macOS
will prompt for various system permissions including system extension approval,
notification permissions, and Full Disk Access permissions for Prisma Access Agent processes.
For a streamlined deployment that eliminates the need for end-user interaction or
manual configuration by you, Palo Alto Networks offers a unified configuration
profile. You can use this profile with Jamf Pro to deploy the Prisma Access Agent to your managed macOS endpoints. If you prefer to create
your own configuration profile directly within Jamf Pro, refer to Manually Create a Configuration Profile (V2_1) for Prisma Access Agent.
The Prisma Access Agent configuration profile includes the following
payloads:
- Content FilterPayload type: com.apple.webcontent-filter
- NotificationsPayload type: com.apple.notificationsettings
- Privacy Preferences Policy ControlPayload type: com.apple.TCC.configuration-profile-policy
- System ExtensionsPayload type: com.apple.system-extension-policy
- VPNPayload type: com.apple.vpn.managed
The unified configuration profile also contains specifications for enabling Prisma Access Agent with Endpoint DLP.
The macOS System Settings window does not show Full Disk
Access permissions granted to the Prisma Access Agent by the configuration
profile.
The following procedure shows how to deploy Prisma Access Agent on macOS
endpoints using the unified configuration profile file from Palo Alto Networks.
Ensure that you perform the steps consecutively as described below. If you change
the order, the configuration profiles might not be available at the time the agent
requires them, which could cause unexpected behavior.
- Upload the Prisma Access Agent configuration profile to Jamf Pro. The configuration profile isn’t signed. If required, you can sign the configuration file using your own signing certificate.
- Download the configuration profile (PrismaAccessAgent_V2_1.mobileconfig).SHA256: 318a194243f45ea3b82f5225200f045c5b0016b96656286d9abbc98dc70928d3MD5: cd89ef6e86272866b46b3f0065f92e15Before using the configuration profile, ensure that the file isn’t corrupted by verifying that the hash of the downloaded .mobileconfig file matches the hash provided for the file as listed above. If the hash for the configuration profile does not match, download the file again.Upload the configuration profile to Jamf Pro.In the Scope tab in Jamf Pro, add a deployment target by selecting .As a best practice, create a target group for macOS endpoints that are running the version of macOS that Prisma Access Agent supports. Then, deploy the configuration profile to that group.Prisma Access Agent supports macOS 14 and later operating systems.Save the configuration profile.Upload the Prisma Access Agent installation package to Jamf Pro.
- If you have not done so, download the Prisma Access Agent installation package (.pkg) and configuration file (config.json).(Optional) Set predeployment options in the config.json file, such as enabling pre-logon support and disabling the GlobalProtect™ app (if installed on the endpoint) during the installation of the Prisma Access Agent.Put the .pkg and config.json files into a folder and give the folder a meaningful name (such as the name of the .pkg). Zip up the folder by compressing it.Upload the ZIP archive you created to Jamf Pro.Proceed to distribute the Prisma Access Agent package across your endpoints by creating a Jamf policy for Prisma Access Agent deployment.
