Prisma Access Browser
Deploy the Prisma Access Browser
Table of Contents
Expand All
|
Collapse All
Prisma Access Browser Docs
Deploy the Prisma Access Browser
Learn about deployment methods for the Prisma Access Secure Enterprise Browser (Prisma Access Browser)
based on your organization’s policies and preferences. You can use self-service, MSI
installer, Jamf, or Intune.
Where Can I Use This? | What Do I Need? |
---|---|
|
|
You can choose from a variety of deployment methods for the Prisma Access Browser based on your organization’s policies and preferences.
Select the method that you prefer for deployment:
Deploy Prisma Access Browser Using Self-Service Methods
The self-service installation allows end users to install the Prisma Access Browser without administrator intervention. This method does not require
any special privileges on the computer.
- Direct users to the link https://get.pabrowser.com to proceed with browser installation.
- Users will need to log in with their SSO credentials (after the administrator configures SSO).
- For more information and getting started for end users, see the User Guide.
Deploy Prisma Access Browser Using Offline MSI Installer
NOTE: The Offline Installer is available for Windows
devices only.
You can decide to install updates manually instead of relying on the
automatic updates. This would be the case when you want to test the updates before
releasing them to your users.
The Prisma Access Browser Offline MSI Installer provides functionality that is
designed for organizations employing mobile device management (MDM) utilities to
govern the managed devices. This allows you complete oversight over Prisma Access
Browser updates, allowing more opportunity to test before implementation.
Organizations opting for this feature will have the automatic browser updates
disabled. We strongly recommend that you regularly update the
browser; failure to update the browser in a timely manner could expose your
organization to critical security risks.
- Monitor the various support links and RSS feeds to monitor when updates are available.
- Check them on your testing environment and when you're confident with the update, you can push the update to your users.
- The offline MSI Installer is available at: https://updates.talon-sec.com/sparkle/PAB/offline-win/2804.5/stable_prisma_access_browser_installer_125_142_2804_5-sEL3FStyfY.msi
Deploy Prisma Access Browser Using Jamf
Jamf is a comprehensive management system for Apple macOS and iOS
devices. With Jamf, you can proactively manage the entire lifecycle of Apple
devices. This includes deploying and maintaining software, responding to
security threats, distributing settings, and analyzing inventory data.
Deploying the Prisma Access Browser using Jamf is a 2-step procedure.
- Open the Jamf Dashboard and select Settings.
- Select Computer ManagementScripts.
- On the Scripts page, select New.
- On the New Script page, on the General tab, enter the Display Name - a name for the script. Use any name that meets your organizational requirements.
- Select the Script tab.
-
Install the Installomator script.
- Locate the line: DEBUG=1, and change it to: DEBUG=0..
- Locate the label: prism9. Enter
the following script before this label:.pabrowser) name="Prisma Access Browser" type="dmg" if [[ $(arch) != "i386" ]]; then printlog "Architecture: arm64 (not i386)" downloadURL=$(curl -s https://bfe078e7921507bb.talon-sec.com/sparkle/PAB/stable-a64/appcast.xml | grep -Eo 'url="(.*)"' | cut -d '"' -f2 | tail -n1) appNewVersion=$(curl -s https://bfe078e7921507bb.talon-sec.com/sparkle/PAB/stable-a64/appcast.xml | grep -Eo 'sparkle:shortVersionString="(.*)"' | cut -d '"' -f2 | tail -n1) else printlog "Architecture: i386" downloadURL=$(curl -s https://bfe078e7921507bb.talon-sec.com/sparkle/PAB/stable/appcast.xml | grep -Eo 'url="(.*)"' | cut -d '"' -f2 | tail -n1) appNewVersion=$(curl -s https://bfe078e7921507bb.talon-sec.com/sparkle/PAB/stable/appcast.xml | grep -Eo 'sparkle:shortVersionString="(.*)"' | cut -d '"' -f2 | tail -n1) fi expectedTeamID="XZMH593AYG" ;;
- Click the Options tab. Under Parameter 4, enter the Application name. Select Save.
- The script is saved; you can now create a new Policy.
- Create the Policy.
- In the Jamf Dashboard, select ComputersPoliciesNew.
- On the Policies page, select New.
- On the New Policy page, enter the Display Name for the policy.
- Select Scripts.
- In the Configure Scripts field, click Configure.
- On the New Policy page, select the Script and click Add.
- In the Parameter Values section, select the Application Name field, and enter pabrowser.
- Save.The Script is added to the policy.
-
Deploy Prisma Access Browser Using Intune
Learn how to deploy Prisma Access Secure Enterprise Browser (Prisma Access Browser) using
Intune.
Microsoft Intune is a cloud-based endpoint management solution. It manages user
access to organizational resources and simplifies app and device management
across your many devices, including mobile devices, desktop computers, and
virtual endpoints.
- Open the Microsoft Intune Admin Center.
- Select AppsAll apps.
- Click + Add.
- In the Select app type window, select Line-of-business app.
- Click Select.
- In the App information step, click Select app package file.
- In the App package file window, browse to the MSI installation file, named PrismaAccessBrowserSetup.msi.
- Click Ok.
- Enter all the needed properties.
-
Enter a name for the app. This will be visible in the Intune list and in the Company Portal.
-
Provide a brief description of the app and its benefits for users. This description will be available in the Company Portal, where you can use rich text formatting to enhance it.
-
Enter the name of the app’s publisher, which appears in the Company Portal.
-
App install context – Select the Device.
-
Show this as a featured app in the Company Portal – we recommend that you select Yes so that it will be easier for your users to find.
- Select the appropriate Logo for the application. Contact support for the correct file.
-
- Click Next.
- Select the Assignments for this app.
- For Available for enrolled devices, select Add group, and select the required Entra groups assigned to the application.
- If you select Add all users, then the Entra assignment will include all Entra users in your organization.
- Click Next.
- Review all the settings and click Create to create the new app, or
Previous to make changes.Creating the app might take a few additional minutes. The application will be available for use after this step.
Set Prisma Access Browser Mobile as the Default Browser for Intune-managed Apps
If you are using Intune to manage your deployment, you can set Prisma Access Browser Mobile as the default browser. Intune empowers you to set a
default browser for organization-managed apps. This can be applied globally
through App Protection Policies, or selectively for specific, critical
applications. This is particularly relevant for mobile devices (iOS and
Android), as they are often employee-owned. However, enforcing a company browser
as the default for all apps might raise employee concerns.
Enforcing the Prisma Access Browser for your Intune-managed apps
significantly enhances your organization's data security. This approach
safeguards against phishing and identity theft by limiting how URLs are opened.
Only the approved Prisma Access Browser can be used, minimizing the risk of
exposure to malicious links.
Furthermore, Intune's clipboard control adds another layer of
protection. It prevents users from copying and pasting links into unmanaged
apps. This ensures that organizational data is always accessed through trusted
and controlled applications.
In essence, designating the Prisma Access Browser for Intune apps
mitigates the risks associated with phishing and other identity-based attacks.
This requires an Intune Plan 1 license.
- Browse to the Intune Admin Portal → App Protection Policies → Select the policy you want to modify or create.
- At the Data Protection step, select "Restrict web content transfer with other apps", and enter Unmanaged browser
- (Optional) For iOS devices: In the Unmanaged browser
protocol field, enter pab://. This requires Prisma Access Browser iOS version 1.4046 or later.
- (Optional) For Android devices:
- In the Unmanaged Browser ID field, enter com.talonsec.talon.
- In the Unmanaged Browser Name field, enter PA Browser.
- More information on Intune's App Protection Policies.
Deploy Prisma Access Browser Using Workplace ONE
Workspace ONE is a digital platform that delivers and manages any app on
any device by integrating access control, application management, and unified
endpoint management. The platform allows IT to deliver a digital workspace that
includes the devices and apps of the business's choice, without sacrificing the
security and control that IT professionals need.
To deploy the Prisma Access Browser, follow the appropriate steps for your
operating system.
Deploy for Windows
Create an Internal Application using the Windows Installer. The installer is
available here: Windows Prisma Access Browser
Installer.
- Run the installer. In the Add Application window,
add the following:
- Organizational Group ID - Palo Alto Networks Inc.
- Application File - Select the app file (usually PrismaAccessBrowserSetup.exe), and click Upload.
- Is this a dependency app? - Click No.
- On the Add Application - PrismaAccessBrowserSetup.exe v n.n.n.n window, select the Files tab.
- In the App Uninstall Process section, enter the following:
- Custom Script Type - Select Upload.
- Uninstall Script - Select the appropriate script, and click Upload.
- Uninstall Command - Enter powershell -ExecutionPolicy Bypass -File uninstall_pab.ps1.
- On the Add Application - PrismaAccessBrowserSetup.exe v n.n.n.n window, select the Deployment Options.
- Enter the following information:
-
Install Context - Select Device.
-
Install Command - Enter PrismaAccessBrowserSetup.exe
-
Admin Privileges - Select Yes.
-
Identify Application By: Select Defining Criteria
-
File exists: C:\Program Files (x86)\Palo Alto Networks\Update\PrismaAccessBrowserUpdate.exe.AND
- Registry exists - HKLM\SOFTWARE\WOW6432Node\Palo Alto Networks\Update\Clients\{DFEF2477-4F0E-454B-BC0D-03CE61074E4C}.
-
- Save and Assign.
Deploy for Mac
Create an Internal Application using the macOS installer. You can download the
installer, found here: Latest macOS Prisma Access Browser.
Using the VMware Workspace ONE Admin Assistant tool, create a package as follows
on a machine running macOS:
- Download the latest Mac Browser from the URL (Latest Mac PAB)
- Use the VMware Workspace ONE Admin Assistant tool to create a
package.
- On a Mac machine, download the tool from this URL: Admin Assistant
- Run the tool, and drag and drop the latest PAB Browser into the app.
- After “Parsing”, the app should produce a package containing a .DMG and .PLIST file.
- Create an Internal Application using the output of the previous step.