Global Protect 5.1.x PPPC Settings

tommersyip
New Contributor

Hi All,

So we're moving to a newer version of Global Protect, 5.1.4 from 5.0.4, and have PPPC settings via Configuration Profile allowing access to the Download, Desktop, and Documents folders explicitly - just to reduce the number of click thru's required and potential calls from employees.

The changes in 5.1.4 seems to require an addition to the PPPC settings since apparently the bundle now has an additional '.client' at the end of it. I made the additions but something is still off and and the requests for access are still coming through.

a3cb3b40193d41ea98e9b3db709e7a3c

Wondering if anybody else has run into this also or has any ideas.

Thanks.

15 REPLIES 15

dan-snelson
Valued Contributor II

@tommersyip Looks right to me, but we're still deploying 5.0.x

What does the output of codesign -dr - /Applications/GlobalProtect.app look like?


--
Dan

tommersyip
New Contributor

Looks correct, right? Weird.

This is the output of codesign -dr - /Applications/GlobalProtect.app

Executable=/Applications/GlobalProtect.app/Contents/MacOS/GlobalProtect
designated => identifier "com.paloaltonetworks.GlobalProtect.client" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77

I did use that to create the PPPC originally. Wouldn't shock me if PAN did something weird with GlobalProtect

tommersyip
New Contributor

Upon further testing. The PPPC settings do work, for a brand new install of 5.1.4. When upgrading from 5.0.4 to 5.1.4, however, something 'different' is happening which is causing the Download, Desktop, and Documents access requests to pop up.

tep
Contributor II

I am having the same issue. Upgrading from 5.0.3 to 5.1.4 or 5.1.5 ignores the PPPC profile - even if I do a full uninstall of 5.0.3 first. SUPER annoying...I've tried "Deny" and "Allow" with the same result.

donmontalvo
Esteemed Contributor II

Could it be the app is now requiring more access, where the PPPC whitelist needs to be updated?

Anyone open a ticket with Palo Alto yet?

--
https://donmontalvo.com

tep
Contributor II

I've opened a ticket with them and they are no help...

donmontalvo
Esteemed Contributor II

My colleague tells me the same thing. Might be time to escalate the ticket. #rollsUpSleeves

--
https://donmontalvo.com

nikjamf
New Contributor III

Hello,
Is there some workflow on how to deploy the 5.1.4 Global Protect pkg with the configuration script and Configuration profile?

gachowski
Valued Contributor II

There are GP install directions and docs that are only available, with a support account. They also have profiles to install the right System Extensions.

I think the current release version is 5.2.x there was a few versions back to back last week

C

nikjamf
New Contributor III

That is a PaloAlto System Engineer support answer:

"We do not currently qualify JAMF as a Mac management vendor. This is why our TAC does not have complete instructions for deploying GlobalProtect with JAMF. There is an existing feature request to support this and "company" has been added as a customer interested in this. However, there is not currently any timeline or commitment for it.

Have you worked with JAMF? I have no experience with it and my inquiries to other colleagues have yielded no additional information. "
Unfortunetly, I do not have GP support account yet.

tom-monkhouse
New Contributor II
"We do not currently qualify JAMF as a Mac management vendor. "

Wow...

dlondon
Valued Contributor

If you deploy your PPPC profile before installing Global Protect, 5.1.4 does it still get ignored?

mbezzo
Contributor III

We're noticing this as well - newer app version (5.2.6-87) seems to ignore/not like kernel extension whitelisting suddenly... and an additional "WOW" to Palo Alto "not qualifying Jamf as a Mac management vendor"....
Anybody aware of any solutions?

sdagley
Honored Contributor II

@mbezzo On Catalina GP 5.2.x will use a System Extension unless you're using the option in GP 5.2.5-H1 and later to use a Kernel Extension instead: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001UoHCAU

mbezzo
Contributor III

thanks @sdagley - that's very helpful!