Deploy the Prisma Access Browser
Focus
Focus
Prisma Access Browser

Deploy the Prisma Access Browser

Table of Contents

Deploy the Prisma Access Browser

Learn about deployment methods for the Prisma Access Secure Enterprise Browser (Prisma Access Browser) based on your organization’s policies and preferences. You can use self-service, MSI installer, Jamf, or Intune.
Where Can I Use This?What Do I Need?
  • Strata Cloud Manager
  • Prisma Access Browser standalone
  • Prisma Access with Prisma Access Browser bundle license or Prisma Access Browser standalone license
  • Superuser or Prisma Access Browser role
You can choose from a variety of deployment methods for the Prisma Access Browser based on your organization’s policies and preferences.
Select the method that you prefer for deployment:

Deploy Prisma Access Browser Using Self-Service Methods

The self-service installation allows end users to install the Prisma Access Browser without administrator intervention. This method does not require any special privileges on the computer.
  1. Direct users to the link https://get.pabrowser.com to proceed with browser installation.
  2. Users will need to log in with their SSO credentials (after the administrator configures SSO).
  3. For more information and getting started for end users, see the User Guide.

Deploy Prisma Access Browser Using Offline MSI Installer

NOTE: The Offline Installer is available for Windows devices only.
You can decide to install updates manually instead of relying on the automatic updates. This would be the case when you want to test the updates before releasing them to your users.
The Prisma Access Browser Offline MSI Installer provides functionality that is designed for organizations employing mobile device management (MDM) utilities to govern the managed devices. This allows you complete oversight over Prisma Access Browser updates, allowing more opportunity to test before implementation.
Organizations opting for this feature will have the automatic browser updates disabled. We strongly recommend that you regularly update the browser; failure to update the browser in a timely manner could expose your organization to critical security risks.
  1. Monitor the various support links and RSS feeds to monitor when updates are available.
  2. Check them on your testing environment and when you're confident with the update, you can push the update to your users.
  3. The offline MSI Installer is available at: https://updates.talon-sec.com/sparkle/PAB/offline-win/2804.5/stable_prisma_access_browser_installer_125_142_2804_5-sEL3FStyfY.msi

Deploy Prisma Access Browser Using Jamf

Jamf is a comprehensive management system for Apple macOS and iOS devices. With Jamf, you can proactively manage the entire lifecycle of Apple devices. This includes deploying and maintaining software, responding to security threats, distributing settings, and analyzing inventory data.
Deploying the Prisma Access Browser using Jamf is a 2-step procedure.
  1. Open the Jamf Dashboard and select Settings.
    1. Select Computer ManagementScripts.
    2. On the Scripts page, select New.
    3. On the New Script page, on the General tab, enter the Display Name - a name for the script. Use any name that meets your organizational requirements.
    4. Select the Script tab.
      1. Install the Installomator script.
      2. Locate the line: DEBUG=1, and change it to: DEBUG=0.
        .
      3. Locate the label: prism9. Enter the following script before this label:
        pabrowser) name="Prisma Access Browser" type="dmg" if [[ $(arch) != "i386" ]]; then printlog "Architecture: arm64 (not i386)" downloadURL=$(curl -s https://bfe078e7921507bb.talon-sec.com/sparkle/PAB/stable-a64/appcast.xml | grep -Eo 'url="(.*)"' | cut -d '"' -f2 | tail -n1) appNewVersion=$(curl -s https://bfe078e7921507bb.talon-sec.com/sparkle/PAB/stable-a64/appcast.xml | grep -Eo 'sparkle:shortVersionString="(.*)"' | cut -d '"' -f2 | tail -n1) else printlog "Architecture: i386" downloadURL=$(curl -s https://bfe078e7921507bb.talon-sec.com/sparkle/PAB/stable/appcast.xml | grep -Eo 'url="(.*)"' | cut -d '"' -f2 | tail -n1) appNewVersion=$(curl -s https://bfe078e7921507bb.talon-sec.com/sparkle/PAB/stable/appcast.xml | grep -Eo 'sparkle:shortVersionString="(.*)"' | cut -d '"' -f2 | tail -n1) fi expectedTeamID="XZMH593AYG" ;;
        .
      4. Click the Options tab. Under Parameter 4, enter the Application name. Select Save.
      5. The script is saved; you can now create a new Policy.
  2. Create the Policy.
    1. In the Jamf Dashboard, select ComputersPoliciesNew.
    2. On the Policies page, select New.
    3. On the New Policy page, enter the Display Name for the policy.
    4. Select Scripts.
    5. In the Configure Scripts field, click Configure.
    6. On the New Policy page, select the Script and click Add.
    7. In the Parameter Values section, select the Application Name field, and enter pabrowser.
    8. Save.
      The Script is added to the policy.

Deploy Prisma Access Browser Using Intune

Learn how to deploy Prisma Access Secure Enterprise Browser (Prisma Access Browser) using Intune.
Microsoft Intune is a cloud-based endpoint management solution. It manages user access to organizational resources and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints.
  1. Open the Microsoft Intune Admin Center.
  2. Select AppsAll apps.
  3. Click + Add.
  4. In the Select app type window, select Line-of-business app.
  5. Click Select.
  6. In the App information step, click Select app package file.
  7. In the App package file window, browse to the MSI installation file, named PrismaAccessBrowserSetup.msi.
  8. Click Ok.
  9. Enter all the needed properties.
    1. Enter a name for the app. This will be visible in the Intune list and in the Company Portal.
    2. Provide a brief description of the app and its benefits for users. This description will be available in the Company Portal, where you can use rich text formatting to enhance it.
    3. Enter the name of the app’s publisher, which appears in the Company Portal.
    4. App install context – Select the Device.
    5. Show this as a featured app in the Company Portal – we recommend that you select Yes so that it will be easier for your users to find.
    6. Select the appropriate Logo for the application. Contact support for the correct file.
  10. Click Next.
  11. Select the Assignments for this app.
    1. For Available for enrolled devices, select Add group, and select the required Entra groups assigned to the application.
    2. If you select Add all users, then the Entra assignment will include all Entra users in your organization.
  12. Click Next.
  13. Review all the settings and click Create to create the new app, or Previous to make changes.
    Creating the app might take a few additional minutes. The application will be available for use after this step.

Set Prisma Access Browser Mobile as the Default Browser for Intune-managed Apps

If you are using Intune to manage your deployment, you can set Prisma Access Browser Mobile as the default browser. Intune empowers you to set a default browser for organization-managed apps. This can be applied globally through App Protection Policies, or selectively for specific, critical applications. This is particularly relevant for mobile devices (iOS and Android), as they are often employee-owned. However, enforcing a company browser as the default for all apps might raise employee concerns.
Enforcing the Prisma Access Browser for your Intune-managed apps significantly enhances your organization's data security. This approach safeguards against phishing and identity theft by limiting how URLs are opened. Only the approved Prisma Access Browser can be used, minimizing the risk of exposure to malicious links.
Furthermore, Intune's clipboard control adds another layer of protection. It prevents users from copying and pasting links into unmanaged apps. This ensures that organizational data is always accessed through trusted and controlled applications.
In essence, designating the Prisma Access Browser for Intune apps mitigates the risks associated with phishing and other identity-based attacks.
This requires an Intune Plan 1 license.
  1. Browse to the Intune Admin Portal → App Protection Policies → Select the policy you want to modify or create.
  2. At the Data Protection step, select "Restrict web content transfer with other apps", and enter Unmanaged browser
  3. (Optional) For iOS devices: In the Unmanaged browser protocol field, enter pab://.
    This requires Prisma Access Browser iOS version 1.4046 or later.
  4. (Optional) For Android devices:
    1. In the Unmanaged Browser ID field, enter com.talonsec.talon.
    2. In the Unmanaged Browser Name field, enter PA Browser.
  5. More information on Intune's App Protection Policies.

Deploy Prisma Access Browser Using Workplace ONE

Workspace ONE is a digital platform that delivers and manages any app on any device by integrating access control, application management, and unified endpoint management. The platform allows IT to deliver a digital workspace that includes the devices and apps of the business's choice, without sacrificing the security and control that IT professionals need.
To deploy the Prisma Access Browser, follow the appropriate steps for your operating system.

Deploy for Windows

Create an Internal Application using the Windows Installer. The installer is available here: Windows Prisma Access Browser Installer.
  1. Run the installer. In the Add Application window, add the following:
    1. Organizational Group ID - Palo Alto Networks Inc.
    2. Application File - Select the app file (usually PrismaAccessBrowserSetup.exe), and click Upload.
    3. Is this a dependency app? - Click No.
  2. On the Add Application - PrismaAccessBrowserSetup.exe v n.n.n.n window, select the Files tab.
  3. In the App Uninstall Process section, enter the following:
    1. Custom Script Type - Select Upload.
    2. Uninstall Script - Select the appropriate script, and click Upload.
    3. Uninstall Command - Enter powershell -ExecutionPolicy Bypass -File uninstall_pab.ps1.
  4. On the Add Application - PrismaAccessBrowserSetup.exe v n.n.n.n window, select the Deployment Options.
  5. Enter the following information:
    1. Install Context - Select Device.
    2. Install Command - Enter PrismaAccessBrowserSetup.exe
    3. Admin Privileges - Select Yes.
    4. Identify Application By: Select Defining Criteria
    5. File exists: C:\Program Files (x86)\Palo Alto Networks\Update\PrismaAccessBrowserUpdate.exe.
      AND
    6. Registry exists - HKLM\SOFTWARE\WOW6432Node\Palo Alto Networks\Update\Clients\{DFEF2477-4F0E-454B-BC0D-03CE61074E4C}.
  6. Save and Assign.

Deploy for Mac

Create an Internal Application using the macOS installer. You can download the installer, found here: Latest macOS Prisma Access Browser.
Using the VMware Workspace ONE Admin Assistant tool, create a package as follows on a machine running macOS:
  1. Download the latest Mac Browser from the URL (Latest Mac PAB)
  2. Use the VMware Workspace ONE Admin Assistant tool to create a package.
    1. On a Mac machine, download the tool from this URL: Admin Assistant
    2. Run the tool, and drag and drop the latest PAB Browser into the app.
    3. After “Parsing”, the app should produce a package containing a .DMG and .PLIST file.
  3. Create an Internal Application using the output of the previous step.