Posted on 04-02-2014 11:13 AM
My searches have turned up nothing. Just looking for gotchas, do's and don'ts, etc.
Posted on 04-18-2019 06:06 AM
I went a slightly different route: I created a package with just the settings plist that puts the plist in the right place, then the Global Protect installer.
Copied both to private/tmp, then packaged both files up into another package that runs the post install script of...
#!/bin/sh
## postinstall
# Install the client, then the settings plist package; stop if either fails
installer -pkg /private/tmp/GlobalProtect.pkg -target / || exit 1 ## Failure
sleep 15
installer -pkg /private/tmp/GP_settings_plist.pkg -target / || exit 1 ## Failure
sleep 5
# Remove the staged packages
rm -rf /private/tmp/GlobalProtect.pkg
rm -rf /private/tmp/GP_settings_plist.pkg
exit 0 ## Success
I'm sure there's a more eloquent way of doing it, but this works.
**Edit: updated path
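An added example, not part of the original post: when a postinstall script runs `installer` as root on a package staged in the shared `/private/tmp`, copying it into a private `mktemp -d` directory and checking the signer on that copy means the file that gets installed is the one that was checked. The function names and the sample `pkgutil --check-signature` report are constructed for this example; the Team ID is the one quoted later in this thread.

```shell
#!/bin/sh
# Added example: check who signed a package before installing it as root.
EXPECTED_TEAM_ID='PXPZ95SK77'   # Team ID quoted in this thread

# Constructed sample of `pkgutil --check-signature` output (not captured
# from a real package), useful for trying signed_by_team off a Mac:
#   printf '%s\n' "$SAMPLE_REPORT" | signed_by_team "$EXPECTED_TEAM_ID"
SAMPLE_REPORT='Package "GlobalProtect.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Vendor (PXPZ95SK77)
    2. Developer ID Certification Authority
    3. Apple Root CA'

# Read a pkgutil report on stdin; succeed only if the package carries an
# Apple-issued Developer ID signature and the leaf certificate (entry "1.")
# ends with the expected Team ID. (Hypothetical helper name.)
signed_by_team() {
    team="$1"
    report=$(cat)
    printf '%s\n' "$report" |
        grep -q 'Status: signed by a developer certificate issued by Apple' || return 1
    leaf=$(printf '%s\n' "$report" | sed -n 's/^ *1\. *//p' | head -n 1)
    case "$leaf" in
        "Developer ID Installer: "*" ($team)") return 0 ;;
        *) return 1 ;;
    esac
}

# Copy the package into a root-only directory, verify the copy, install it.
# (Hypothetical helper name; needs macOS and root.)
install_verified() {
    src="$1"
    stage=$(mktemp -d /private/tmp/gpinstall.XXXXXX) || return 1
    cp "$src" "$stage/GlobalProtect.pkg" || { rm -rf "$stage"; return 1; }
    if pkgutil --check-signature "$stage/GlobalProtect.pkg" |
        signed_by_team "$EXPECTED_TEAM_ID"; then
        installer -pkg "$stage/GlobalProtect.pkg" -target /
        rc=$?
    else
        echo "refusing to install: unexpected or missing signature" >&2
        rc=1
    fi
    rm -rf "$stage"
    return "$rc"
}
```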
Posted on 06-04-2019 12:05 PM
I know this is an old post, but I am trying to deploy PAN GP 5.0.2. When it deploys to a machine, everything seems to match up correctly (plist, etc.), but when you launch it, it gets stuck in a connecting loop; it never asks for the username and password. Anyone have any ideas?
Posted on 06-17-2019 02:51 PM
We are running into the same issue as @VictoriousLoser. Can't seem to figure out a way around it.
Posted on 06-20-2019 06:12 AM
@VictoriousLoser @Tfinn I am getting the same problem as well. Haven't found a solution apart from reinstalling it.
Posted on 06-20-2019 09:19 AM
@simon.brown Currently the work around I have going is to push the installer as a package, then push the .plist file as a .dmg file after. That has gotten me back to seeing the user login screen, but I am not 100% happy with the way it works - it seems that there should be an easier and cleaner way to do it.
Posted on 06-25-2019 11:39 AM
@VictoriousLoser That appears to be working for us right now. Thanks for the tidbit
Posted on 08-14-2019 07:39 PM
Hello @VictoriousLoser, did you push both the package and the dmg file in the same policy or separately? Mine has been blocked by Privacy & Security, which is greyed out for users. Thank you for sharing.
Posted on 09-10-2019 08:54 AM
@nikjamf sorry I am just now getting to this, what OS are you running? I started to see this same issue on Mojave computers and had to create a separate policy to allow changes by Palo Alto Networks.
Posted on 09-29-2019 09:57 AM
Ran into the same issues; for me it appeared the app's launchd wasn't loading.
Adding:
launchctl load /Library/LaunchDaemons/com.paloaltonetworks.gp.pangpsd.plist
to the end of the script seemed to fix the issue.
Posted on 10-08-2019 11:43 AM
We are running OS Mojave and a few High Sierra, and both cannot bypass the Security prompt, and the configuration file with the kext extension and Team ID is pushed to the system. I'm still working on modifying the .plist file.
Posted on 10-11-2019 08:22 AM
To be honest, we're having issues just having the package install via Jamf, without any config attached. Seems it doesn't like being installed as root via Jamf.
Posted on 10-23-2019 08:45 AM
Hello, can anybody else post how the edited .plist file should look and any working workflow to deploy it? I followed the @jwojda steps and ended up with the packages installed in the /private/tmp folder without the script to execute them. Also, the current Team ID and .kext cannot bypass the installer Security prompt. I appreciate any help; thanks for your efforts and time. Global Protect 5.0.4 version.
Posted on 10-28-2019 09:24 AM
After a little bit of digging I was able to figure out how to deploy the portal(s) via configuration profile. I noticed after a fresh install of Global Protect under ~/Library/Preferences, there was a plist called com.paloaltonetworks.GlobalProtect. When I opened it up, it contained a key for Pan Portal List that was set to type array. I added our two portals to the array list & saved the plist. To test, I created a new configuration profile with the custom settings payload configured. Used com.paloaltonetworks.GlobalProtect as the preference domain and then uploaded the plist that I edited. To test, I removed Global Protect, then pushed the configuration profile to my machine ahead of time. Re-installed Global Protect, and as soon as it launched, both of our portals were now pre-populated. Seems that Palo Alto need to update their documentation.
Here's what the general structure of the plist needs to look like:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PanPortalList</key>
<array>
<string>palo.portal1.com</string>
<string>palo.portal2.com</string>
</array>
</dict>
</plist>
Hopefully this helps!
Posted on 11-01-2019 07:50 AM
Thank you very much coaty.obrien for your response and efforts. My question here is what option you used when creating the configuration profile with the custom settings; could you give us more details?
And thanks again for your help.
To bypass the Security & Privacy prompt for the latest agent 5.0.5.28 I use:
Team ID: PXPZ95SK77
Bundle ID kext:
com.paloaltonetworks.kext.pangpd
com.paloaltonetworks.GlobalProtect.gpsplit
com.paloaltonetworks.GlobalProtect.gplock
Posted on 12-05-2019 01:59 PM
I am stuck in the connecting loop... I've got the portal to load correctly via but now when it opens it is just stuck in the connecting loop. I've tried pushing the launchd with launchctl, which used to work, but I can't get it to work anymore... Can anyone shed some light on this?
Posted on 12-09-2019 08:16 AM
@sintichn we had a similar issue with the new version on Mojave and then Catalina. I am thinking you are in a security check loop. If you go to System Preferences and then Security and Privacy on one of the machines with the issue, you should see a security confirmation dialogue. This is similar to the non-certified App installation dialogue.
The way we got around this was a Kernel Extension with the following info:
Display Name: Palo Alto Networks
Bundle ID: PXPZ95SK77
Posted on 12-17-2019 08:18 AM
Deployed GlobalProtect, but the software is using the administrator credentials to connect instead of using the user credentials to connect.
Posted on 01-16-2020 01:30 PM
So I finally got this to work in my environment. I kept running into the issue of the connecting loop. This is what I did...
- I started to build a DMG for GlobalProtect in composer by way of a normal snapshot
- Next, before building the DMG, I edited the two launch agent plist files in /Library/LaunchAgents (com.paloaltonetworks.gp.pangps.plist and com.paloaltonetworks.gp.pangpa.plist), taking out the LimitLoadToSessionType key and string Aqua in both plist files. (https://www.jamf.com/jamf-nation/discussions/29172/installing-globalprotect-4-1-3-vpn-client)
- Then in /Users/currentuser/Library/Preferences I put the portal address in the com.paloaltonetworks.GlobalProtect.plist.
<key>PanPortalList</key><array><string>yourportalhere</string></array>
- Then I built the DMG, uploaded it to Jamf Admin and checked FUT and FEU
- When creating a policy I added two scripts, one to run before the DMG is installed and one after. The before script is just to stop the GlobalProtect process if it's running.
#!/bin/sh
killall GlobalProtect
The one that runs after is...
#!/bin/sh
# Finds the logged on user
USER_NAME=$(printf '%s' "${SUDO_USER:-$USER}")
# Opens the updated GlobalProtect app
open /Applications/GlobalProtect.app
# Waits 5 seconds
sleep 5
# Uses the logged in user to load the LaunchDaemon via launchctl
sudo -u $USER_NAME launchctl load /Library/LaunchDaemons/com.paloaltonetworks.gp.pangpsd.plist
echo "done"
(This doesn't work unless the launchctl line is run as the current logged in user, thus the $USER_NAME parameter.)
And finally, it works!
Posted on 01-17-2020 10:07 AM
You could just deploy your plist settings at a system level with a script and then push out the native GlobalProtect package. This is what we're doing and seems a little cleaner than a custom package with FUT and FEU.
Here is an example setup script based on what I've been doing. GlobalProtect doesn't appear to respect these settings if deployed with a Configuration Profile so a script is required from what I've seen.
#!/bin/bash
plistBuddy='/usr/libexec/PlistBuddy'
GPplistFile='/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist'
if [[ -f ${GPplistFile} ]]; then
    echo "Removing existing GlobalProtect prefs file"
    rm -f ${GPplistFile}
fi
${plistBuddy} -c "print : 'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal'" ${GPplistFile}
${plistBuddy} -c "add :'Palo Alto Networks' dict" ${GPplistFile}
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect' dict" ${GPplistFile}
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup' dict" ${GPplistFile}
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal' string 'vpn.example.com'" ${GPplistFile}
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Prelogon' integer 1" ${GPplistFile}
Posted on 08-15-2022 12:09 PM
Thank you @cbrewer!
Question: how do you go about adding more than one string portal IP?
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal' string 'vpn.example.com'" ${GPplistFile}
Example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Palo Alto Networks</key>
<dict>
<key>GlobalProtect</key>
<dict>
<key>PanSetup</key>
<dict>
<key>Portal</key>
<string>vpn.example.com</string>
<string>vpn.example2.com</string>
<string>vpn.example3.com</string>
</dict>
</dict>
</dict>
</dict>
</plist>
========
How do you go about adding the extra string portal addresses?
Posted on 08-15-2022 12:19 PM
Your XML is malformed. It should look more like this:
<key>Portal</key>
<array>
<string>vpn.example.com</string>
<string>vpn.example2.com</string>
<string>vpn.example3.com</string>
</array>
Posted on 08-15-2022 02:20 PM
How do you do the above using the script?
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal' string 'vpn.example.com'" ${GPplistFile}
I tried this but it didn't create correctly: I must be mis-using "array"
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal' array" ${GPplistFile}
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal' string 'vpn.example.com'" ${GPplistFile}
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal' string 'vpn.example2.com'" ${GPplistFile}
${plistBuddy} -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal' string 'vpn.example3.com'" ${GPplistFile}
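For the question above, an added example (not code from any poster in this thread): PlistBuddy addresses array members by zero-based index, so each portal is added at `Portal:0`, `Portal:1` and so on, rather than by adding the `Portal` key again. The function names and the `--apply` switch are made up for this example, the parent dictionaries are assumed to exist already (as created in the setup script earlier in the thread), and the thread does not confirm that GlobalProtect reads more than one portal from this key.

```shell
#!/bin/sh
# Added example: build PanSetup:Portal as an array with PlistBuddy.
PLISTBUDDY='/usr/libexec/PlistBuddy'
GP_PLIST='/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist'
PANSETUP=":'Palo Alto Networks':'GlobalProtect':'PanSetup'"

# Print one PlistBuddy command per line for the portals given as arguments.
# (Hypothetical helper name.)
portal_array_cmds() {
    idx=0
    echo "add ${PANSETUP}:'Portal' array"
    for portal in "$@"; do
        # Accept plain hostnames only, so a value cannot break out of the
        # single-quoted string inside the PlistBuddy command.
        case "$portal" in
            ''|*[!A-Za-z0-9.-]*) echo "invalid portal: $portal" >&2; return 1 ;;
        esac
        # Array members are addressed by zero-based index, not by key name.
        echo "add ${PANSETUP}:'Portal':${idx} string '${portal}'"
        idx=$((idx + 1))
    done
}

# Run the generated commands against a plist file; stop at the first error.
apply_portals() {
    plist_file="$1"
    shift
    cmds=$(portal_array_cmds "$@") || return 1
    printf '%s\n' "$cmds" | while IFS= read -r cmd; do
        "$PLISTBUDDY" -c "$cmd" "$plist_file" || exit 1
    done
}

# Writes to the system plist only when asked to, for example:
#   sudo sh add_portals.sh --apply vpn.example.com vpn.example2.com
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_portals "$GP_PLIST" "$@"
fi
```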
Posted on 01-23-2020 09:11 AM
@cbrewer Thanks so much, this works well!
Posted on 01-23-2020 10:13 AM
Anyone have an EA to get the VPN IP address the client is on when connected via GP?
Posted on 02-27-2020 12:10 PM
@cbrewer We just switched to GlobalProtect and this worked like a charm. Thanks!
Posted on 03-04-2020 06:26 AM
I am fully stuck on this one. I have deployed the pkg and plist as recommended by @cbrewer and that part works like a champ. I still get stuck at the connecting loop. I've deployed the kext multiple times multiple ways with no luck. The latest is shown below. I took it and deployed it via JAMF but with those settings. That is directly from their website. Any help would be much appreciated!
Posted on 03-10-2020 06:46 AM
@ncottle ,
We have this all the time and it has been a continuous issue. Most of the time, killing the client and allowing it to relaunch automatically gets around this. What happens when you run the below in Terminal:
sudo killall GlobalProtect
On a related note, has anyone gotten GlobalProtect v5 working in Catalina? This is the officially supported version and we are continuously seeing a (false) "Cannot connect to gateway" error, even though the client connects just fine.
I know v4 is not officially supported in Catalina but it seems to work fine, and to me is a better solution than deploying a broken client. Has anyone validated 4.1.13 in Catalina?
Thanks,
Justin.
Posted on 03-10-2020 07:14 AM
5.1.1 working fine in Catalina here.
Anytime you do things with command line or scripts related to GlobalProtect, you want to be aware of which user you are running that task as. GlobalProtect has both a system LaunchDaemon as well as user level LaunchAgents. Here is the script I use to make sure GlobalProtect is started correctly for the logged in user. I run this after installation.
#!/bin/bash
# Make sure GP is installed
if [[ ! -d /Applications/GlobalProtect.app ]]; then
    echo "GlobalProtect not installed"
    exit 0
fi
# Get logged in user
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
# Stop GlobalProtect Services
if [[ -n ${loggedInUser} ]]; then
    if [[ -f /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist ]]; then
        echo "Attempting to stop com.paloaltonetworks.gp.pangpa"
        su -l $loggedInUser -c "/bin/launchctl unload /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist"
    fi
    if [[ -f /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist ]]; then
        echo "Attempting to stop com.paloaltonetworks.gp.pangps"
        su -l $loggedInUser -c "/bin/launchctl unload /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist"
    fi
fi
if [[ -f /Library/LaunchDaemons/com.paloaltonetworks.gp.pangpsd.plist ]]; then
    echo "Attempting to stop com.paloaltonetworks.gp.pangpsd"
    /bin/launchctl unload /Library/LaunchDaemons/com.paloaltonetworks.gp.pangpsd.plist
fi
sleep 3
# Start GlobalProtect Services
if [[ -f /Library/LaunchDaemons/com.paloaltonetworks.gp.pangpsd.plist ]]; then
    echo "Attempting to start com.paloaltonetworks.gp.pangpsd"
    /bin/launchctl load /Library/LaunchDaemons/com.paloaltonetworks.gp.pangpsd.plist
fi
if [[ -n ${loggedInUser} ]]; then
    if [[ -f /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist ]]; then
        echo "Attempting to start com.paloaltonetworks.gp.pangps"
        su -l $loggedInUser -c "/bin/launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist"
    fi
    if [[ -f /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist ]]; then
        echo "Attempting to start com.paloaltonetworks.gp.pangpa"
        su -l $loggedInUser -c "/bin/launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist"
    fi
fi
Posted on 03-10-2020 07:22 AM
@cbrewer ,
Thanks for this. Our issue appears to be related to the encryption/decryption of cookies at appliance level.
Regarding the logged in user, we avoided this whole situation by not touching the installer package and adding our pre-configuration as a separate package in the same policy.
We found that modifying the package in any way resulted in a failed installation, so the above makes total sense.
Thanks,
Justin.
Posted on 03-10-2020 10:02 AM
Thanks for the updates everyone. I've tried it all and still no luck. I think I've narrowed it down to either a firewall or a kext issue. Attempting to work without network team to address that side of it now.
Posted on 03-10-2020 11:22 AM
Try enabling debug logging under Settings > Troubleshooting. That will get you a complete dump of all applicable logs and make it easier to identify the issue.
Posted on 03-19-2020 10:38 AM
Is anybody just doing a wipe and pave for updates?
Posted on 03-20-2020 04:05 AM
@cbrewer Thanks! This product is a nightmare to deploy!
Posted on 03-23-2020 01:42 PM
I am in the same boat as @jared_f and curious how people are handling GlobalProtect updates.
Posted on 03-23-2020 03:56 PM
We recently deployed Global Protect, how often are updates pushed?
As for our deployment I pushed the KEXT a few days prior and then began the software deployment. We haven't seen any issues deploying. We also did not push a .plist with the portal url baked in.
Posted on 04-16-2020 03:38 PM
GlobalProtect 5.1.2 appears to have resolved some of the issues around starting the services as the currently logged in user when deployed from Jamf.
Fixed an issue in GlobalProtect for macOS endpoints where installing or upgrading the package using a Mobile Device Management (MDM) solution such as JAMF Pro resulted in a GlobalProtect app initialization failure.
Posted on 06-16-2020 01:30 PM
We were having the Connecting Loop issue while trying to deploy GlobalProtect 5.1.3. I ended up having to use Composer to package it, placing the installer in a Jamf folder I created in the root Library. I then used a script to run the installer, followed by @cbrewer's script above to create a plist with our portal, and it worked perfectly. Now for updates I just need to update the installer.
Posted on 06-17-2020 11:39 AM
I had been fighting several issues with versions 5.1.2 and 5.1.3. Finally they released version 5.1.4 and it appears most of the issues have been resolved, production rollout it is...
Posted on 06-17-2020 01:25 PM
@smpotter just a regular package created with 5.1.4?
Posted on 06-18-2020 02:20 PM
Yes that is correct...