
I'm working on setting up a policy for GlobalProtect 5.1.4 which switches to System Extension from Kernel Extensions.



I've set up a config profile to approve the system extension.

First I tried just the team ID, then I added the ALLOWED SYSTEM EXTENSIONS as well.



but when I run systemextensionsctl list I get



1 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* PXPZ95SK77 com.paloaltonetworks.GlobalProtect.client.extension (5.1.4-45/1) GlobalProtectExtension [activated waiting for user]


and System Preferences>Security & Privacy still has this prompt



How can I approve this for the user?
I tried a blanket PPPC config profile that just gave it all access, but still have that prompt.



Anyone know how to solve this?
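One way to check from a script whether the approval profile took effect, added here as an example that is not part of the original post: it parses `systemextensionsctl list` output in the format shown above and reports any extension still in the "waiting for user" state. The helper name `pending_sysexts` is hypothetical, and the embedded sample is the listing from the post.

```shell
#!/bin/sh
# Added example: list system extensions still waiting for user approval.

# Sample `systemextensionsctl list` output, copied from the post above,
# so the script also runs on a machine without the tool.
SAMPLE_OUTPUT='1 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* PXPZ95SK77 com.paloaltonetworks.GlobalProtect.client.extension (5.1.4-45/1) GlobalProtectExtension [activated waiting for user]'

# pending_sysexts (hypothetical helper): reads a listing on stdin and prints
# "teamID bundleID" for every extension whose state contains "waiting for user".
pending_sysexts() {
  awk '
    { sub(/[ \t\r]+$/, "") }              # drop trailing whitespace / CR
    /\]$/ {                               # rows end with a [state] column
      state = $0
      sub(/^.*\[/, "", state)             # keep the text inside the brackets
      sub(/\]$/, "", state)
      for (i = 1; i < NF; i++)
        # Team IDs are 10 uppercase alphanumerics; the bundle ID follows.
        if (length($i) == 10 && $i ~ /^[A-Z0-9]+$/) {
          if (state ~ /waiting for user/) print $i, $(i + 1)
          break
        }
    }'
}

# Use the live listing when the tool exists, otherwise the sample above.
if command -v systemextensionsctl >/dev/null 2>&1; then
  listing=$(systemextensionsctl list)
else
  listing=$SAMPLE_OUTPUT
fi

pending=$(printf '%s\n' "$listing" | pending_sysexts)
if [ -n "$pending" ]; then
  echo "Awaiting user approval (teamID bundleID):"
  echo "$pending"
else
  echo "No system extensions awaiting user approval."
fi
```

An empty result after the profile is installed means the extension no longer needs the Security & Privacy prompt.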

@sdagley Right, but if the set up is that you can't log into the client because the connection is needed to verify that it's you, then it's a chicken and egg situation. Meanwhile the user gets prompted with asks to allow for extensions where the buttons are not clickable and in the case of standard users they can't allow for the extension in System Prefs.


@TechM If you deploy a Configuration Profile to approve the System Extension before GlobalProtect is installed then the user won't see that prompt.


@sdagley I should have stated that this is the behavior with all the config profiles provided by Palo Alto that are on the KB behind the sign-in page.


@TechM Those Configuration Profiles are for enabling specific functions of the GP client that require payloads not yet directly supported as of Jamf Pro 10.25.1. You still need to create the Configuration Profile with the System Extension payload described in the Enable System and Network Extensions using jamf PRO KB article.


@sdagley Yep. All those are in there. I worked with PA to provide feedback for that page. However, when they were given the feedback that the UI was not allowing those buttons to be actioned, they ignored the feedback. All those payloads plus the ones that have to be configured on the customer end were not even on their radar until we encouraged them to update their documentation and separate their macOS KB from their iOS/iPadOS KBs.



In our case, clients MUST log in to their GP client before making a VPN connection. There is no way for that connection to be made without that login. How is GP going to know where to connect to if it can't even authenticate to begin with?



Or am I missing something?


@TechM Are you using purely AD based logins? That's not really recommended. The more common approach is to have a local account on the Mac that is password synchronized with AD via a tool like Enterprise Connect or NoMAD (or Jamf Connect to use a Cloud IdP). That way a user can authenticate as admin on their Mac without an active network connection.


@sdagley Yes, this is an AD environment. We know it's not recommended and have advised the business accordingly. As for being admins, not all businesses have their users set as admins for lots of reasons, regardless of active network connections.



My main gripe is the UI should at least be showing the buttons in the dialog so that some sort of dismissive action can be taken and to have PA acknowledge as much.


Hello All,
Our company just got this client and I'm looking for the workflow on how to deploy the GlobalProtect .pkg with the .plist connection file. I'd appreciate any help and suggestions.
I tried this script and cannot deploy the client.



#!/bin/sh



sudo installer -pkg /private/var/tmp/GlobalProtectVPN/GlobalProtect.pkg -target /



In addition, this is an answer from Global Protect support on a support ticket:



"We do not currently qualify JAMF as a Mac management vendor. This is why our TAC does not have complete instructions for deploying GlobalProtect with JAMF. There is an existing feature request to support this and " company" has been added as a customer interested in this. However, there is not currently any timeline or commitment for it.



Have you worked with JAMF? I have no experience with it and my inquiries to other colleagues have yielded no additional information."


I can get the extension trusted

but my issue is that end users will now receive a prompt stating ""GlobalProtect" Would like to Add VPN Configurations" with an Allow or Don't Allow button. I'd like to suppress that or automate the choice of "Allow"



I am curious to find out if you figured out how to suppress that pop-up so users don't see it at all and it is automatically allowed?

