Currently we are trying to do certificate authentication with GlobalProtect. We have a mixed Catalina and Mojave environment with GP 5.1.1, and currently our portal and network are set up for user and machine auth. We are using OneLogin for 2FA and our machines are not bound to AD. We are getting an issue when our machines are logging in where it asks our users for access to the keychain 3 times. I haven't seen a script out there that will allow us to bypass this, and Palo offers this manual workaround, but I don't know how to script this out. The Palo portal is going to the private key in the keychain, and for some reason we cannot make the PanGPS stick, and Always Allow doesn't show up like in the below URL. We have Gatekeeper and personal firewalls enabled.
Can anyone possibly look at this and give me some advice on what to do?
I'd recommend using client version 5.1.3. Look at the release notes. Palo Alto fixed both keychain and install issues in the Mac version.
They actually did not. We actually got a response from them recently saying that they are now saying it's an OS issue and not a Palo product issue, but that they were able to re-create the issue in their lab.
Here is the official response from Palo Alto engineering:
As per our engineering team there is no way to block the pop-up from showing multiple times. This is a macOS-related issue and GP cannot fix this. Following is an explanation provided by our engineering team.
If using the System keychain, there is no "Always Allow" button in the pop-up dialog; the system API will trigger the pop-up every time a new connection is being established. Sometimes the System keychain is in "Locked" status for the GP process, and GP will call a system API to "Unlock" it to retrieve info. In this case there will be one more pop-up. Basically it's system behavior and GP cannot control it.
I've been using GP at my current employer for several years. If you are installing certs into the users' keychains, 'Always Allow' will suppress the continuous pop-ups.
Are you using SCEP to deliver certs? There is an option in the SCEP payload to 'Allow all apps access' to the certificate in keychain.
Adding additional certs to the user keychain really isn't ideal. Would like to keep this working under our current setup which is the computer certificate being located in the system keychain. Is this a complete no-go or could this be something addressed on the PA side (what changed to make this no longer work in the 5.1.x line) or could something be scripted to allow this to work?
They've referred me to Apple at this point, but my experience so far with Apple Support has been quite disappointing so I'm not optimistic they'd be able to provide a solution either.
There are some limitations with the GlobalProtect agent related to certificates. If you have a Certificate Profile set in the portal, then the agent will enumerate through all of the device's certificates. If these certificates have not been configured to allow GlobalProtect and PanGPS, then the user will be prompted to allow access.
Users with local administrator privileges can manually add these processes to the certificate by following the steps documented here: How to permanently allow GlobalProtect access to the System keychain.
I have lodged a feature request with PA to allow us to configure the Agent with details of the certificate that should be used to authenticate during pre-logon.
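A scripted counterpart to the manual workaround above, added here as an example and not taken from the thread or from Palo Alto: at import time, `security import -T` can put the GlobalProtect binaries on the private key's ACL in the System keychain, where the GUI offers no "Always Allow". The GlobalProtect binary paths, the .p12 passphrase as second argument, and running as root are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or Palo Alto): import a machine identity
# (.p12) into the System keychain and pre-authorize the GlobalProtect binaries
# on the private key's ACL, so PanGPS is not prompted on every connection.
# ASSUMPTIONS: the GlobalProtect binary paths below (verify with `ls` on a test
# Mac), the .p12 passphrase passed as the second argument, and root privileges.
set -eu

SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"
GP_APP="/Applications/GlobalProtect.app"

# -T flags for each GlobalProtect process that must read the private key.
# The paths contain no spaces, so returning them as one word-split string is safe.
gp_acl_flags() {
  printf '%s' "-T $GP_APP/Contents/Resources/PanGPS -T $GP_APP/Contents/MacOS/GlobalProtect"
}

# Import the identity. Returns 2 on a precondition failure (missing file,
# not macOS, not root) without touching any keychain.
import_identity() {
  p12=$1; pass=$2
  [ -f "$p12" ] || { echo "no such file: $p12" >&2; return 2; }
  command -v security >/dev/null 2>&1 || { echo "security(1) not found; macOS only" >&2; return 2; }
  [ "$(id -u)" -eq 0 ] || { echo "run as root to modify the System keychain" >&2; return 2; }
  # -x marks the private key non-extractable. The -T entries are written to the
  # key's ACL during import; the security(1) CLI has no subcommand I know of that
  # adds an app to an existing key's ACL, so an identity already in the keychain
  # must be re-imported (or fixed by hand in Keychain Access) to get this effect.
  # Note: -P exposes the passphrase in the process list for the duration of the import.
  # shellcheck disable=SC2046   # intentional word splitting of the -T flags
  security import "$p12" -k "$SYSTEM_KEYCHAIN" -f pkcs12 -P "$pass" -x $(gp_acl_flags)
  # Check: the identity is usable for client auth and PanGPS appears in the key ACL dump.
  security find-identity -v -p ssl-client "$SYSTEM_KEYCHAIN"
  security dump-keychain -a "$SYSTEM_KEYCHAIN" | grep -q 'PanGPS' \
    || { echo "PanGPS not found on any key ACL; import may have been skipped" >&2; return 1; }
}

# Usage: sudo ./gp_import.sh /path/to/machine.p12 'p12-passphrase'
if [ "${1:-}" != "" ]; then
  import_identity "$1" "${2:?passphrase required}"
fi
```

Certificates pushed by MDM with the SCEP payload's "Allow all apps access" option, as mentioned earlier in the thread, achieve the same ACL result without this script.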