Global Protect Deployment

I'd recommend using client version 5.1.3. Look at the release notes. Palo Alto fixed both keychain and install issues in the Mac version.

https://docs.paloaltonetworks.com/globalprotect/5-1/globalprotect-app-release-notes/gp-app-release-information/globalprotect-addressed-issues.html#

They actually did not. We actually got a response from them recently saying that they are now saying its an O/S issue and not a Palo Product issue but that they were able to re-create the issue in their lab.

Here is the official response from Palo Alto engineering:
As per our engineering team there is no way to block the pop up from showing multiple times. This is an MAC OS related issue and GP cannot fix this. Following is an explaination provided by our engineering team.

If using the System keychain, there is no "Always Allow" button in pop-up dialog, the system API will trigger the pop-up every time when a new connection is establishing. Sometime System keychain is in "Locked" status for GP process, GP will call some system API to "Unlock" it to retrieve info. In this case, there will have one more pop-up. Basically it's system behavior and GP cannot control it.

I've been using GP at my current employer for several years. If you are installing certs into the users keychains 'always allow' will suppress the continuous pop ups.

Are you using SCEP to deliver certs? There is an option in the SCEP payload to 'Allow all apps access' to the certificate in keychain.

Anyone figure out a trick to get this working? Our certs go into system rather than login so we are running into this as well on 5.1.5.

@mpi If you want to push a cert to the user's keychain use a user level config profile in Jamf.

Adding additional certs to the user keychain really isn't ideal. Would like to keep this working under our current setup which is the computer certificate being located in the system keychain. Is this a complete no-go or could this be something addressed on the PA side (what changed to make this no longer work in the 5.1.x line) or could something be scripted to allow this to work?

They've referred me to Apple at this point, but my experience so far with Apple Support has been quite disappointing so I'm not optimistic they'd be able to provide a solution either.

Hello, we just get it this crapy client and I'm looking for policies workflow to deployed, I appreciate any advice on how to push it.
Thanks in advance.

There are some limitations with the Global Protect Agent related to certificates. If you have a Certificate Profile set in the portal, then the agent will enumerate through all devices certificates. If these certificates have not been configured to allow Global Protect, and PanGPS, then the user will be prompted to allow access. 

Users with local administrator privileges can manually add these processes to the certificate by following the steps documented here: How to permanently allow GlobalProtect access to the System keychain.

I have lodged a feature request with PA to allow us to configure the Agent with details of the certificate that should be used to authenticate during pre-logon.