Manage Upgrade Options for the GlobalProtect App
Focus
Focus

Manage Upgrade Options for the GlobalProtect App

Table of Contents

Manage Upgrade Options for the GlobalProtect App

Control how Prisma Access manages the GlobalProtect app. Control the active app versions on the Prisma Access portal. Manage the active GlobalProtect version.
Prisma Access hosts the GlobalProtect app version that macOS and Windows users in your organization can download from the Prisma Access portal. Prisma Access offers several versions of the GlobalProtect app, and you can choose to make one of those versions the active version. You can also manage mobile users' access to the GlobalProtect app, or perform staged upgrades.

Select the Active GlobalProtect App Version

Prisma Access manages the GlobalProtect app version for Windows and macOS users in your organization. While Prisma Access hosts several GlobalProtect app versions, only one of the hosted versions is active. When mobile users log in to the Prisma Access portal, the active version is the one they download and use on their Windows and macOS devices.
The System Status page also provides you information about your current Panorama version, Cloud Services plugin version, and dataplane version. You can receive notifications and alerts on this page when plugin or Panorama versions become end of support (EoS) for use with Prisma Access. See Notifications and Alerts for Panorama, Cloud Services Plugin, and PAN-OS Dataplane Versions for details.
If your currently-active version is end-of-life, Prisma Access notifies you and requests that you activate a supported version.
You can select different GlobalProtect versions in a multitenant deployment. The GlobalProtect app version settings you apply are per tenant and not global; you control the app version on a per-tenant basis.
You can replace the current active version with another hosted version from the Service Setup page by completing the following steps.
  1. Select PanoramaCloud ServicesConfigurationService Setup.
  2. Select Activate new GlobalProtect App version and compare it to the active GlobalProtect version.
    If your current GlobalProtect version is end-of-life (EoL), a message displays in this area on the Service Setup page; if you receive this message, upgrade your GlobalProtect app version by continuing to the next step.
  3. Select the version to which you want to upgrade.
    A window displays to verify your choice.
    After the app has been activated, you receive a success message.
  4. View the System Status page to verify that the GlobalProtect app version you selected as active is the Active GlobalProtect App version.

Manage Users’ Access to GlobalProtect App Updates

To manage mobile users' access to the active GlobalProtect app version that is hosted by Prisma Access, complete the following steps.
  1. In Panorama, select NetworkGlobalProtectPortals.
  2. Select the Mobile_User_Template from the Template drop-down.
  3. Select GlobalProtect_Portal to edit the Prisma Access portal configuration.
  4. Select the Agent tab and select the app configuration.
  5. Select the App tab.
  6. In the App Configurations area, select a choice in Allow User to Upgrade GlobalProtect App to specify whether mobile users can upgrade their GlobalProtect app version to the active version that is hosted on Prisma Access and, if they can, whether they can choose when to upgrade:
    • Allow with Prompt (default)—Prompt users when a new version is activated and allow users to upgrade their software when it is convenient.
    • Disallow—Prevent users from upgrading the app software.
    • Allow Manually—Allow users to manually check for and initiate upgrades by selecting Check Version in the GlobalProtect app.
    • Allow Transparently—Automatically upgrade the app software whenever a new version becomes available on the portal.
    • Internal—Automatically upgrade the app software whenever a new version becomes available on the portal, but wait until the endpoint is connected internally to the corporate network. This prevents delays caused by upgrades over low-bandwidth connections.

Perform Staged Updates of the GlobalProtect App

If you manage a large organization, you might want to update mobile users to the latest version of the GlobalProtect app in stages. For example, you could assign a smaller group to update their GlobalProtect app before rolling out the update to everybody in your organization. To do so, complete the following task.
  1. If you have not yet created it, create a user group for the first group of users to which you want to roll out the GlobalProtect app update.
    You can use User-ID to map users to groups, or select DeviceLocal User DatabaseUser Groups to manually create a group.
  2. Create a new GlobalProtect agent configuration to use for the first group of users.
    1. In Panorama, select NetworkGlobalProtectPortals.
    2. Select the Mobile_User_Template from the Template drop-down.
    3. Select GlobalProtect_Portal to edit the Prisma Access portal configuration.
    4. Select the Agent tab.
    5. Select the DEFAULT configuration and Clone it.
      You can also Add a new configuration; but cloning the existing configuration copies over required information for the new configuration.
    6. Specify a Name for the configuration.
    7. Select the Config Selection Criteria tab.
    8. In the User/User Group area, select the user you created in Step 1.
    9. Select the App tab.
    10. Change Allow User to Upgrade GlobalProtect App to either Allow with Prompt or Allow Transparently.
      Allow with Prompt prompts users when a new version is activated and allows them to upgrade their software when it is convenient; Allow Transparently automatically upgrades the app software whenever a new version becomes available on the portal.
    11. Click OK to save your changes.
  3. Select Move Up to move your configuration above the default configuration.
    When an app connects, the portal compares the source information in the packet against the agent configurations you have defined. As with security rule evaluation, the portal looks for a match starting from the top of the list. When it finds a match, it delivers the corresponding configuration to the app.
  4. Repeat these steps for the DEFAULT configuration, but change Allow User to Upgrade GlobalProtect App to Disallow to prevent users from updating to the latest GlobalProtect app software.
  5. When you want to let the rest of the users update their apps, change Allow User to Upgrade GlobalProtect App in the DEFAULT configuration to a selection that allows it (either Allow with Prompt or Allow Transparently).