My searches have turned up nothing. Just looking for gotchas, do's and don'ts, etc.
@jwojda My experience is that GlobalProtect 5.2.3 and later automatically install the System Extension on macOS Catalina and Big Sur when initiating a connection if it wasn't installed when the .pkg installer was run. If you have a Configuration Profile in place approving the System Extension when that happens there should be no user prompting.
@jwojda I'm using the installer choice changes method to enforce it. I'm lucky in that my estate can actually deal with it nicely.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>attributeSetting</key>
<integer>1</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>default</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>second</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>1</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>third</string>
</dict>
</array>
</plist>
Hi folks, sdagley asked me to post in this discussion.
Looking into upgrading to GPVPN 5.2.3 from 5.0.5 at the moment, so I'm having to update some of our scripts from gpd0 to utun. The problem is that which utun interface ifconfig uses to show whether the connection is active or not seems to change from machine to machine.
In our environment, ifconfig doesn't return any other lines with either "flags=8050" which the selected interface will return if it's disconnected. And it also doesn't return "-->" which it will return in the line with your IP address. So if those statements are both true in your environment, you could use this EA to show whether GPVPN is connected, and if so, the IP address.
#!/bin/bash
# An idle utun interface shows flags=8050; an active tunnel shows its address on an "inet A --> B" line
GP_Status=$(ifconfig | grep "flags=8050")
GP_IP=$(ifconfig | grep -e "-->" | awk '{print $2}')
if [[ -n "$GP_Status" ]]; then
    GP_Status_Check="Not Connected"
    /bin/echo "<result>$GP_Status_Check</result>"
    /bin/echo "$GP_Status"
else
    GP_Status_Check="Connected"
    /bin/echo "<result>$GP_Status_Check - $GP_IP</result>"
fi
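The same check, written as an added example rather than code from davidjess's post: instead of grepping the whole interface table, it walks the ifconfig output, remembers which interface each line belongs to, and reports the first utun interface that carries an IPv4 point-to-point address, so the utun number varying from machine to machine no longer matters. The sample ifconfig output is constructed; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: report GlobalProtect tunnel state
# from ifconfig output without depending on a fixed utun number.
# An active tunnel shows an IPv4 point-to-point line "inet A --> B" under a utun
# interface; an idle one shows only flags=8050 and no inet line.

# gp_status: reads ifconfig text on stdin, prints "Connected <ip>" or "Not Connected"
gp_status() {
    awk '
        # interface header lines start in column 0, e.g. "utun2: flags=8051<...>"
        /^[a-z0-9]+: / { iface = $1; sub(/:$/, "", iface) }
        # the first IPv4 point-to-point address under any utun interface wins
        iface ~ /^utun/ && $1 == "inet" && $3 == "-->" {
            print "Connected " $2; found = 1; exit
        }
        END { if (!found) print "Not Connected" }
    '
}

# gp_ea_result: wrap gp_status output in the <result> tags a Jamf EA expects
gp_ea_result() {
    printf '<result>%s</result>\n' "$(gp_status)"
}

# Constructed sample output, trimmed to the lines that matter (utun0 is a
# system tunnel with only an IPv6 link-local address, utun2 is the VPN)
SAMPLE_CONNECTED='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
    inet6 fe80::1234%utun0 prefixlen 64 scopeid 0x10
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400
    inet 10.20.30.40 --> 10.20.30.40 netmask 0xffffffff'
SAMPLE_IDLE='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
utun2: flags=8050<POINTOPOINT,RUNNING,MULTICAST> mtu 1400'

printf '%s\n' "$SAMPLE_CONNECTED" | gp_ea_result
printf '%s\n' "$SAMPLE_IDLE" | gp_ea_result
# On a Mac, run it against the live interface table instead:
# ifconfig | gp_ea_result
```

Because the match is tied to the utun interface name and to an IPv4 `-->` line, the system's own utun interfaces (which only carry IPv6 link-local addresses) do not produce a false "Connected".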
Also, while I'm at it. Here's an EA to check whether or not a machine is on a compatible version. This is probably easier to do in python, but I'm crap at python, so there's some logic to do the floating point comparison in bash and mark any version above your defined version as compatible.
#!/bin/zsh
# Global Protect Version Compare
# This EA compares two versions of Global Protect: the version currently installed and the version specified
# under 'APPROVEDVERSION' at the top of the script. It removes the decimal points from each version number to
# allow zsh to compare the two numbers without floating points (which it can't do accurately), then removes all
# but the first three digits of the version number, because we know the formatting of Global Protect versions.
# EG if the installed version is 1.2.3-45 and the approved version is 4.5.6-78 it would reduce these numbers to
# 123 and 456 and see that the installed version is lower than the approved version. There are three possible
# outputs to this script:
# Compatible - if the installed version is equal to or greater than the approved version.
# Old (with version no) - if the installed version is less than the approved version
# Not Installed - Global Protect not installed
# NB this script only works where the major version of the software release is in the first 3 digits; you can adjust
# this by changing the number in the second sed on the INSTVERSION and APPVERSION lines below
APPROVEDVERSION=5.2.3-22
GPPLIST="/Applications/GlobalProtect.app/Contents/Info.plist"
if [ -f "$GPPLIST" ] ; then
    # Only read the version once we know the app is there, so a missing app doesn't produce a defaults error
    INSTALLEDVERSION=$(defaults read "$GPPLIST" CFBundleShortVersionString)
    # Strip the dots, then keep only the first three digits (\1 is the captured group)
    INSTVERSION=$(echo "$INSTALLEDVERSION" | sed 's|[.]||g' | sed -E 's/(.{3}).*/\1/')
    APPVERSION=$(echo "$APPROVEDVERSION" | sed 's|[.]||g' | sed -E 's/(.{3}).*/\1/')
    if [[ $INSTVERSION -ge $APPVERSION ]]; then
        echo "<result>Compatible</result>"
    else
        echo "<result>Old - $INSTALLEDVERSION</result>"
    fi
else
    echo "<result>Not Installed</result>"
fi
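A component-wise comparison, added here as an example that is not part of davidjess's post, avoids the three-digit truncation the comment above warns about: with the digit-stripping approach 5.2.10 becomes 521 and ranks below 5.2.3, whereas comparing each dotted component as a number ranks it correctly. It assumes, as the thread does, that the part after "-" is a numeric build number compared last; the function names are my own, and read_gp_version only does anything on a Mac with GlobalProtect installed.

```shell
#!/bin/sh
# Added example, not from the original post: compare GlobalProtect-style
# versions "X.Y.Z-B" component by component so that 5.2.10-1 ranks above 5.2.3-22.
# POSIX sh, no floating point and no zsh-only features.

# version_ge A B: exit 0 if version A >= version B, 1 otherwise.
# The "-" before the build number is treated as just another separator.
# A non-numeric component makes both tests below fail and counts as equal.
version_ge() {
    a=$(printf '%s' "$1" | tr '-' '.')
    b=$(printf '%s' "$2" | tr '-' '.')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}            # leading component of each
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac   # drop it (or finish)
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}              # a missing component counts as 0
        [ "$x" -gt "$y" ] 2>/dev/null && return 0
        [ "$x" -lt "$y" ] 2>/dev/null && return 1
    done
    return 0                              # every component equal
}

# gp_compat APPROVED INSTALLED: the EA result text for a given installed version
# (empty INSTALLED means the app is not there)
gp_compat() {
    if [ -z "$2" ]; then
        printf 'Not Installed\n'
    elif version_ge "$2" "$1"; then
        printf 'Compatible\n'
    else
        printf 'Old - %s\n' "$2"
    fi
}

# read_gp_version: CFBundleShortVersionString of the installed app, empty if absent (macOS only)
read_gp_version() {
    plist=/Applications/GlobalProtect.app/Contents/Info.plist
    [ -f "$plist" ] && /usr/bin/defaults read "$plist" CFBundleShortVersionString 2>/dev/null
}

APPROVEDVERSION=5.2.3-22
printf '<result>%s</result>\n' "$(gp_compat "$APPROVEDVERSION" "$(read_gp_version)")"
```

The same version_ge function also covers the case where the installed build lacks a build suffix: 5.2.3 compares as 5.2.3-0, so it ranks below 5.2.3-22 rather than equal to it.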
Tangential to the EA that @davidjess posted above, here is an EA that just returns the GlobalProtect app version string with the "-" (which I presume is used to separate the Build number from the Version number) replaced with a "." so that you can use a regex generated by @talkingmoose's Match Version Number or Higher or @hsucmoore's make_ge_version_regex.bash scripts in a Smart Group criteria to evaluate the version installed on a machine:
#!/bin/sh
# EA - Get GlobalProtect Version
#
# GlobalProtect uses a version number in the format X.X.X-X which doesn't work
# with the Match Version Number or Higher.bash or make_ge_version_regex.bash scripts to
# generate regex expressions to evaluate version numbers in the form of X.X.X.X.
#
# This EA simply reads the CFBundleShortVersionString info from the GlobalProtect app
# if it's installed and replaces any - in that string with a .
result="Not Installed"
PListToCheck="/Applications/GlobalProtect.app/Contents/Info.plist"
if [ -f "$PListToCheck" ] ; then
    GPVersion=$( /usr/bin/defaults read "$PListToCheck" CFBundleShortVersionString )
    if [ -n "$GPVersion" ]; then
        result=$(/bin/echo "$GPVersion" | /usr/bin/tr '-' '.')
    fi
fi
echo "<result>$result</result>"
You could just deploy your plist settings at a system level with a script and then push out the native GlobalProtect package. This is what we're doing and seems a little cleaner than a custom package with FUT and FEU.
Here is an example setup script based on what I've been doing. GlobalProtect doesn't appear to respect these settings if deployed with a Configuration Profile so a script is required from what I've seen.
#!/bin/bash
plistBuddy='/usr/libexec/PlistBuddy'
GPplistFile='/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist'
# Start from a clean file so the add commands below don't fail on keys that already exist
if [[ -f "${GPplistFile}" ]]; then
    echo "Removing existing GlobalProtect prefs file"
    rm -f "${GPplistFile}"
fi
# Print of a not-yet-existing entry; PlistBuddy reports that the file will be created and the first add below writes it
${plistBuddy} -c "print : 'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal'" "${GPplistFile}"
${plistBuddy} -c "add :'Palo Alto Networks' dict" "${GPplistFile}"
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect' dict" "${GPplistFile}"
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup' dict" "${GPplistFile}"
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal' string 'vpn.example.com'" "${GPplistFile}"
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Prelogon' integer 1" "${GPplistFile}"
Thank you @cbrewer!
Question: how do you go about adding more than one string portal IP?
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal' string 'vpn.example.com'" ${GPplistFile}
Example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Palo Alto Networks</key>
<dict>
<key>GlobalProtect</key>
<dict>
<key>PanSetup</key>
<dict>
<key>Portal</key>
<string>vpn.example.com</string>
<string>vpn.example2.com</string>
<string>vpn.example3.com</string>
</dict>
</dict>
</dict>
</dict>
</plist>
========
How do you go about adding the extra string portal addresses?
Your XML is malformed. It should look more like this:
<key>Portal</key>
<array>
<string>vpn.example.com</string>
<string>vpn.example2.com</string>
<string>vpn.example3.com</string>
</array>
How do you do the above using the script?
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal' string 'vpn.example.com'" ${GPplistFile}
I tried this but it didn't create correctly: I must be mis-using "array"
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal' array" ${GPplistFile}
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal' string 'vpn.example.com'" ${GPplistFile}
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal' string 'vpn.example2.com'" ${GPplistFile}
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal' string 'vpn.example3.com'" ${GPplistFile}
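Here is an added example, not code from cbrewer's post or from the attempt above, that produces the Portal array the reply above describes. It covers both the settings script posted earlier and the question about multiple portals. The PlistBuddy variant creates the array once and then adds each address at an explicit index (:Portal:0, :Portal:1, ...); re-running "add ... Portal string" against a key that already exists is what fails in the attempt above, because PlistBuddy refuses to add an entry twice. The XML variant prints the equivalent file so the structure can be checked on any system. It assumes, as the reply does, that Portal takes an array of strings; the function names are mine, and the portal names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread: write the GlobalProtect settings
# plist with Portal as an array of strings. Assumption: Portal accepts an array,
# as the reply above states.

# gp_portal_xml PORTAL...: print the plist XML with one <string> per portal
gp_portal_xml() {
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
        '<plist version="1.0">' '<dict>' '<key>Palo Alto Networks</key>' '<dict>' \
        '<key>GlobalProtect</key>' '<dict>' '<key>PanSetup</key>' '<dict>' \
        '<key>Portal</key>' '<array>'
    for p in "$@"; do
        printf '<string>%s</string>\n' "$p"
    done
    printf '%s\n' '</array>' '<key>Prelogon</key>' '<integer>1</integer>' \
        '</dict>' '</dict>' '</dict>' '</dict>' '</plist>'
}

# gp_portal_plistbuddy FILE PORTAL...: the same structure built with PlistBuddy.
# The array is created once, then each address is added at its own index rather
# than re-adding the Portal key. macOS only; needs write access to FILE.
gp_portal_plistbuddy() {
    f=$1; shift
    pb=/usr/libexec/PlistBuddy
    base=":'Palo Alto Networks':'GlobalProtect':'PanSetup'"
    rm -f "$f"
    "$pb" -c "add :'Palo Alto Networks' dict" "$f"
    "$pb" -c "add :'Palo Alto Networks':'GlobalProtect' dict" "$f"
    "$pb" -c "add $base dict" "$f"
    "$pb" -c "add $base:'Portal' array" "$f"
    i=0
    for p in "$@"; do
        "$pb" -c "add $base:'Portal':$i string '$p'" "$f"
        i=$((i + 1))
    done
    "$pb" -c "add $base:'Prelogon' integer 1" "$f"
}

# Stand-alone run: print the XML for three placeholder portals.
gp_portal_xml vpn.example.com vpn.example2.com vpn.example3.com
# For deployment on a Mac (as root), build the real file instead:
# gp_portal_plistbuddy /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist \
#     vpn.example.com vpn.example2.com vpn.example3.com
```

After running the PlistBuddy variant, `/usr/libexec/PlistBuddy -c "print :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal'" FILE` should list the addresses as an Array, and `plutil -lint FILE` confirms the file is well-formed.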