Control how Prisma Access manages the GlobalProtect app.
Control the active app versions on the Prisma Access portal. Manage
the active GlobalProtect version.
Prisma Access hosts the GlobalProtect app
version that macOS and Windows users in your organization can download
from the Prisma Access portal. Prisma Access offers several versions
of the GlobalProtect app, and you can choose to make one of those
versions the active version. You can also manage mobile users' access
to the GlobalProtect app, or perform staged upgrades.
Prisma Access manages the GlobalProtect app
version for Windows and macOS users in your organization. While
Prisma Access hosts several GlobalProtect app versions, only one
of the hosted versions is active. When mobile users log in to the
Prisma Access portal, the active version is the one they download and
use on their Windows and macOS devices.
The System Status
page also provides you information about your current Panorama version,
Cloud Services plugin version, and dataplane version. You can receive
notifications and alerts on this page when plugin or Panorama versions become
end of support (EoS) for use with Prisma Access. See Notifications and Alerts for Panorama, Cloud Services Plugin, and PAN-OS Dataplane Versions for details.
If
your currently-active version is end-of-life, Prisma Access notifies
you and requests that you activate a supported version.
You
can select different GlobalProtect versions in a multitenant deployment.
The GlobalProtect app version settings you apply are per tenant
and not global; you control the app version on a per-tenant basis.
You
can replace the current active version with another hosted version
from the Service Setup page by completing the following steps.
Select
Panorama
Cloud Services
Configuration
Service Setup
.
Select
Activate new GlobalProtect App version
and
compare it to the active GlobalProtect version.
If
your current GlobalProtect version is end-of-life (EoL), a message
displays in this area on the Service Setup page; if you receive
this message, upgrade your GlobalProtect app version by continuing
to the next step.
Select the version to which you want to upgrade.
A window displays to verify your choice.
After the
app has been activated, you receive a success message.
View the System Status page to verify that the GlobalProtect
app version you selected as active is the
Active GlobalProtect
App version
.
Manage Users’ Access to GlobalProtect App Updates
To manage mobile users' access to the active
GlobalProtect app version that is hosted by Prisma Access, complete
the following steps.
In Panorama, select
Network
GlobalProtect
Portals
.
Select the
Mobile_User_Template
from the
Template
drop-down.
Select
GlobalProtect_Portal
to
edit the Prisma Access portal configuration.
Select the
Agent
tab and select
the app configuration.
Select the
App
tab.
In the
App Configurations
area,
select a choice in
Allow User to Upgrade GlobalProtect
App
to specify whether mobile users can upgrade their
GlobalProtect app version to the active version that is hosted on
Prisma Access and, if they can, whether they can choose when to
upgrade:
Allow with Prompt
(default)—Prompt
users when a new version is activated and allow users to upgrade
their software when it is convenient.
Disallow
—Prevent users from upgrading
the app software.
Allow Manually
—Allow users to manually
check for and initiate upgrades by selecting
Check Version
in
the GlobalProtect app.
Allow Transparently
—Automatically
upgrade the app software whenever a new version becomes available
on the portal.
Internal
—Automatically upgrade the
app software whenever a new version becomes available on the portal,
but wait until the endpoint is connected internally to the corporate
network. This prevents delays caused by upgrades over low-bandwidth
connections.
Perform Staged Updates of the GlobalProtect App
If you manage a large organization, you might
want to update mobile users to the latest version of the GlobalProtect
app in stages. For example, you could assign a smaller group to
update their GlobalProtect app before rolling out the update to
everybody in your organization. To do so, complete the following
task.
If
you have not yet created it, create a user group for the first group
of users to which you want to roll out the GlobalProtect app update.
prompts users
when a new version is activated and allows them to upgrade their
software when it is convenient;
Allow Transparently
automatically
upgrades the app software whenever a new version becomes available
on the portal.
Click
OK
to save your changes.
Select
Move Up
to move your configuration above
the default configuration.
When an app connects, the portal compares the source information
in the packet against the agent configurations you have defined.
As with security rule evaluation, the portal looks for a match starting
from the top of the list. When it finds a match, it delivers the
corresponding configuration to the app.
Repeat these steps for the
DEFAULT
configuration,
but change
Allow User to Upgrade GlobalProtect App
to
Disallow
to
prevent users from updating to the latest GlobalProtect app software.
When you want to let the rest of the users update their
apps, change
Allow User to Upgrade GlobalProtect App
in
the
DEFAULT
configuration to a selection
that allows it (either