My searches have turned up nothing. Just looking for gotchas, do's and don'ts, etc.
We have; initial deploys are fine, but pushing out updates to GP is more tedious.
@philwillchen, please elaborate. Looks like I might be doing this for iOS & OSX this month.
I asked on MacE months ago, but got no reply.
https://groups.google.com/forum/m/#!topic/macenterprise/DYsDkunPlg0
As much detail as possible please, we're moving from IPSEC using the builtin VPN client. So worried this will be a step back.
Is it a PKG? Does it have any dependencies? Remotely manageable? Is the iOS app something you've played with?
It is a pkg. Just based on experience, for updates to GP you had to install manually or else there would be two instances running and a lot of angry users. It actually wasn't that big of a PITA since we're a small company. Currently we are running 1.2.8-5 and it seems to be pretty stable.
Additionally PA support is pretty horrible in regards to mac support.
Thanks @philwillchen, we'll be deploying to 200 global mac clients.
By 2 versions, is the app bundle need as per the version number? Do they supply an uninstaller?
What version of GP? We were just given 2.0.1 yesterday but have no intentions of deploying it at this time.
As far as the uninstaller it is part of the installer.
Thanks. All I know is that it's on my upcoming projects. Is there any technical documentation you can link us to?
https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/2020-102-19-14175/GlobalProtect-Configuration-Rev-I.pdf
Starting to look into this too and found this guide below. There's a section called "Deploy Agent Settings Transparently" in the link below that discusses setting keys in the plist /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist. However, it's not really clear what the plist structure should look like.
https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/technical-documentation/pan-os-60/GlobalProtect_Admin_Guide_v6.0.pdf
We're going through this ourselves. The structure of the plist is pretty simple (at least in our simple setup – no internal gateways, etc.). Most of the configuration is set by policy on the gateway.
Unfortunately, the client doesn't seem to respect managed preferences (we pushed it out via ConfigurationProfile). We'll probably just symlink from /Library/Preferences. It's a suboptimal result, but we'll live with it.
May try to open an RFE with PAN.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Palo Alto Networks</key>
    <dict>
        <key>GlobalProtect</key>
        <dict>
            <key>PanSetup</key>
            <dict>
                <key>Portal</key>
                <string>your_portal_hostname</string>
                <key>Prelogon</key>
                <integer>0</integer>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
Can anyone elaborate more clearly on what they've done to successfully deploy PAN GlobalProtect?
I package it up in Composer and deploy it to a test machine and the agent never connects or looks for my pfx cert in keychain.
In response to myself, a reboot of the machine works.
We've deployed GlobalProtect for our users; however, when a user logs in, a GlobalProtect window pops up asking for the user's VPN login credentials. This window pops up at every login until a user makes a successful connection to the VPN.
I can't see a setting in the UI or plist to modify this behaviour to prevent the pop up window. Has anyone got a solution to this?
Thanks,
Paul
We're having this issue as well; my understanding is that this is a bug that was squashed in the latest update to the GP client, but I can't verify as I haven't tested it yet.
Thanks for the response, what version are you deploying? We're running 2.3.1-7 which appears to be the current version.
I've used the installer that you download from the portal site, then capture the /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist in a separate package. Then I turn around and deploy both packages. The first time the PAN VPN is launched it should start up with the portal address already filled in. As for updates, we've turned on automatic updates on our Palo so that the clients get updated when they connect.
Andy
@paulnz We're still on 2.2, so sounds like the rumors of a fix were greatly exaggerated. :(
@stevehahn D'oh!
@adhuston This is the pop up window we see on each login until the user makes a single successful connection to the VPN.
1. User logs in
2. The agent appears in the menu bar
3. The pop up window appears
Do you not see this window in your deployment?
Hi paulnz,
Yep, we do see that authentication window when someone logs in. Unfortunate side effect of the application. We just try to make sure that the portal address is filled in so that end users only need to put in their credentials. We tried adding a login task to kill the service, but it keeps respawning and keeps popping up the authentication window. So much for an on-demand service, I guess. I would like it so much better if you could launch it interactively.
Andy
We're moving to GP VPN here as well and have felt the pain of the app auto-launching since we started using this.
After getting fed up with it and realizing we're not using on-demand, I went ahead and fixed it my own way:
Did a usual Composer pre-capture and then did the following...
- Installed the latest version of GP available on our PANs (2.3.0-28)
- Dropped a known good/working (see @dfuhriman's post) /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist into the correct place and set permissions/ownership - this places our VPN address in the app automatically.
Captured the changes and then...
- Deleted the LaunchAgent called "com.paloaltonetworks.gp.pangpa.plist" from /Library/LaunchAgents - this is what was starting the app.
Here's a look at the result in Composer:
Packaged the App and dumped into Admin...
Since doing this, I've tested and deployed it, and watched the app not auto-start anymore.
I know that this is old, but we are just looking to deploy Global Protect for Always on VPN. I found this page:
Deploy Agent Settings to Mac Clients
Thought that might help out other users searching on here.
OK, so ignore my post. Looks like even their instructions do not work. :-(
Hi Jason,
Is there a particular part of the deployment that is not working for you? We've just finished deploying into our environment so happy to share our experience.
Raj
The app just would not read the deployed plist file. I finally found that there is a second file installed in the user's Preferences folder called "com.paloaltonetworks.GlobalProtect.plist". This file only lists the Portal address. Moving this to the /Library/Preferences/ allows the Portal to be pre-populated for the user.
I am now testing deploying this settings file alongside the GlobalProtect client to a few other users.
I found that it's best to deploy the plist prior to installing the PAN VPN client. That way when the installer runs and pops up the dialog to sign in for the first time it will find the plist and put in the portal address. You can do that pretty easy with the following script:
#!/bin/sh
# Portal hostname to pre-populate in the GlobalProtect client
portalAddress="pan-vpn.address.com"
# Overwrite (not append to) the settings plist so a re-run cannot leave two XML documents in one file
echo '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>Palo Alto Networks</key><dict><key>GlobalProtect</key><dict><key>PanSetup</key><dict><key>Portal</key><string>'"$portalAddress"'</string><key>Prelogon</key><integer>0</integer></dict></dict></dict></dict></plist>' > /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
exit 0
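The deploy-the-plist-first step from the post above, as an added example that is not the poster's script or Palo Alto's tooling: because this file decides which portal the VPN client contacts, the sketch validates the hostname, builds the file in a temporary location, and renames it into place with owner-only write permission. The function names are hypothetical; the path and plist keys are the ones quoted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Default path is the settings plist named in the thread.
PLIST_DEFAULT="/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist"

# Allow only hostname characters so the value cannot inject XML into <string>.
valid_portal() {
    case "$1" in
        ''|.*|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# write_gp_settings PORTAL [DEST]: build the plist in a temp file, then rename.
write_gp_settings() {
    portal="$1"
    dest="${2:-$PLIST_DEFAULT}"
    valid_portal "$portal" || { echo "rejected portal value: $portal" >&2; return 1; }
    tmp="$(mktemp "${dest}.XXXXXX")" || return 1
    cat > "$tmp" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict><key>Palo Alto Networks</key>
<dict><key>GlobalProtect</key>
<dict><key>PanSetup</key>
<dict>
  <key>Portal</key><string>${portal}</string>
  <key>Prelogon</key><integer>0</integer>
</dict></dict></dict></dict>
</plist>
EOF
    # On macOS, lint the result before it replaces anything.
    if [ "$(uname -s)" = "Darwin" ]; then
        plutil -lint "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    # World-readable, writable only by owner; root:wheel (0:0) when run as root.
    chmod 644 "$tmp" || { rm -f "$tmp"; return 1; }
    if [ "$(id -u)" -eq 0 ]; then chown 0:0 "$tmp"; fi
    mv -f "$tmp" "$dest"
}

# Run directly with a portal argument (and optional destination path).
[ "$#" -eq 0 ] || write_gp_settings "$@"
```

Because the file is replaced by rename rather than appended to, running the script again with a new portal leaves exactly one well-formed plist.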