Posted on 07-08-2020 04:43 PM
Hi All,
So we're moving to a newer version of Global Protect, 5.1.4 from 5.0.4, and have PPPC settings via Configuration Profile allowing access to the Download, Desktop, and Documents folders explicitly - just to reduce the number of click thru's required and potential calls from employees.
The changes in 5.1.4 seem to require an addition to the PPPC settings since apparently the bundle now has an additional '.client' at the end of it. I made the additions but something is still off and the requests for access are still coming through.
Wondering if anybody else has run into this also or has any ideas.
Thanks.
Posted on 07-09-2020 05:06 AM
@tommersyip Looks right to me, but we're still deploying 5.0.x
What does the output of codesign -dr - /Applications/GlobalProtect.app
look like?
Posted on 07-09-2020 08:03 AM
Looks correct, right? Weird.
This is the output of codesign -dr - /Applications/GlobalProtect.app
Executable=/Applications/GlobalProtect.app/Contents/MacOS/GlobalProtect
designated => identifier "com.paloaltonetworks.GlobalProtect.client" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77
I did use that to create the PPPC originally. Wouldn't shock me if PAN did something weird with GlobalProtect.
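Added example, not part of the thread or of any poster's or vendor's code: a Python check that a PPPC profile's Desktop, Documents and Downloads entries carry the same identifier and code requirement that `codesign -dr -` reports above. The sample profiles are constructed, the identifier without `.client` is assumed from the first post's description, and a clean result only confirms the profile matches the signature; it does not explain the upgrade behaviour discussed here.

```python
import plistlib
import re
# Output of `codesign -dr -` as quoted in the thread above.
CODESIGN_OUT = (
    "Executable=/Applications/GlobalProtect.app/Contents/MacOS/GlobalProtect\n"
    'designated => identifier "com.paloaltonetworks.GlobalProtect.client" and anchor apple generic '
    "and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ "
    "and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ "
    "and certificate leaf[subject.OU] = PXPZ95SK77\n"
)
FOLDERS = ("SystemPolicyDesktopFolder", "SystemPolicyDocumentsFolder", "SystemPolicyDownloadsFolder")
TCC_TYPE = "com.apple.TCC.configuration-profile-policy"

def designated_requirement(codesign_output):
    """Return (identifier, whitespace-normalized requirement) from `codesign -dr -` output."""
    m = re.search(r"^designated => (.+)$", codesign_output, re.M)
    if not m:
        raise ValueError("no designated requirement in codesign output")
    req = " ".join(m.group(1).split())
    ident = re.search(r'identifier "([^"]+)"', req)
    return (ident.group(1) if ident else None), req

def check_profile(profile_bytes, codesign_output):
    """List the folder services whose PPPC entry does not match the signed app."""
    ident, req = designated_requirement(codesign_output)
    entries = {svc: [] for svc in FOLDERS}
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") == TCC_TYPE:
            for svc in FOLDERS:
                entries[svc] += payload.get("Services", {}).get(svc, [])
    problems = []
    for svc in FOLDERS:
        hits = [e for e in entries[svc] if e.get("Identifier") == ident]
        if not hits:
            problems.append(f"{svc}: no entry for {ident}")
        elif any(" ".join(e.get("CodeRequirement", "").split()) != req for e in hits):
            problems.append(f"{svc}: CodeRequirement differs from designated requirement")
    return problems

def sample_profile(identifier, requirement):
    """Constructed minimal profile for the demo (not a complete deployable profile)."""
    entry = {"Identifier": identifier, "IdentifierType": "bundleID", "CodeRequirement": requirement, "Allowed": True}
    tcc = {"PayloadType": TCC_TYPE, "Services": {svc: [entry] for svc in FOLDERS}}
    return plistlib.dumps({"PayloadContent": [tcc]})

if __name__ == "__main__":
    ident, req = designated_requirement(CODESIGN_OUT)
    for bundle_id in (ident, ident.rsplit(".client", 1)[0]):  # current id, then assumed older id
        print(bundle_id, check_profile(sample_profile(bundle_id, req), CODESIGN_OUT))
```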
Posted on 07-09-2020 08:33 AM
Upon further testing, the PPPC settings do work for a brand new install of 5.1.4. When upgrading from 5.0.4 to 5.1.4, however, something 'different' is happening which is causing the Download, Desktop, and Documents access requests to pop up.
Posted on 07-09-2020 03:45 PM
I am having the same issue. Upgrading from 5.0.3 to 5.1.4 or 5.1.5 ignores the PPPC profile - even if I do a full uninstall of 5.0.3 first. SUPER annoying...I've tried "Deny" and "Allow" with the same result.
Posted on 07-09-2020 04:23 PM
Could it be the app is now requiring more access, where the PPPC whitelist needs to be updated?
Anyone open a ticket with Palo Alto yet?
Posted on 07-10-2020 09:33 AM
I've opened a ticket with them and they are no help...
Posted on 07-11-2020 06:10 AM
My colleague tells me the same thing. Might be time to escalate the ticket. #rollsUpSleeves
Posted on 11-23-2020 10:58 AM
Hello,
Is there some workflow on how to deploy the 5.1.4 Global Protect pkg with the configuration script and Configuration profile?
Posted on 11-23-2020 10:10 PM
There are GP install directions and docs that are only available with a support account. They also have profiles to install the right System Extensions.
I think the current release version is 5.2.x; there were a few versions back to back last week.
C
Posted on 01-08-2021 12:09 PM
That is a PaloAlto System Engineer support answer:
"We do not currently qualify JAMF as a Mac management vendor. This is why our TAC does not have complete instructions for deploying GlobalProtect with JAMF. There is an existing feature request to support this and "company" has been added as a customer interested in this. However, there is not currently any timeline or commitment for it.
Have you worked with JAMF? I have no experience with it and my inquiries to other colleagues have yielded no additional information."
Unfortunately, I do not have a GP support account yet.
Posted on 04-29-2021 03:24 AM
"We do not currently qualify JAMF as a Mac management vendor."
Wow...
Posted on 04-30-2021 01:03 AM
If you deploy your PPPC profile before installing Global Protect 5.1.4, does it still get ignored?
Posted on 05-04-2021 08:24 AM
We're noticing this as well - newer app version (5.2.6-87) seems to ignore/not like kernel extension whitelisting suddenly... and an additional "WOW" to Palo Alto "not qualifying Jamf as a Mac management vendor"....
Anybody aware of any solutions?
Posted on 05-04-2021 08:56 AM
@mbezzo On Catalina GP 5.2.x will use a System Extension unless you're using the option in GP 5.2.5-H1 and later to use a Kernel Extension instead: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001UoHCAU
Posted on 05-04-2021 08:57 AM
thanks @sdagley - that's very helpful!