Posted on 05-03-2020 12:53 PM
I'm attempting to create a configuration profile for GlobalProtect so that users don't have to enter the VPN server address. When testing the following, which was added to a configuration profile in Jamf, it still prompts. Any ideas?
And, yes, I have our real address in the one I'm using.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Palo Alto Networks</key>
<dict>
<key>GlobalProtect</key>
<dict>
<key>PanSetup</key>
<dict>
<key>Portal</key>
<string>vpn.server.edu</string>
<key>Prelogon</key>
<string>0</string>
</dict>
</dict>
</dict>
</dict>
</plist>
Posted on 05-03-2020 03:02 PM
Hello,
I use a script to accomplish this. Please edit the portal address and the script will take care of the rest.
#!/bin/sh
#
# Set the portal address for GlobalProtect
#
portalAddress="LINKGOESHERE"
#
# Write the PLIST with the correct portal address. Use ">" (overwrite) rather than
# ">>" (append): appending to an existing plist leaves two XML documents in one
# file, which the client cannot parse. The address is double-quoted so it is
# passed as a single word.
#
echo '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>Palo Alto Networks</key><dict><key>GlobalProtect</key><dict><key>PanSetup</key><dict><key>Portal</key><string>'"$portalAddress"'</string><key>Prelogon</key><integer>0</integer></dict></dict></dict></dict></plist>' > /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
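As an added example (my own code, not the script from this post), here is the same idea written so it can be exercised against a scratch file before it is pointed at /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist. It escapes the portal string for XML, overwrites rather than appends, and includes a check that rejects a file that has been appended to twice. The function names and the output-path parameter are my own; the key layout (Palo Alto Networks > GlobalProtect > PanSetup > Portal, Prelogon) is the one used in the post above.

```shell
#!/bin/sh
# Added example, not from this thread. Builds the PanSetup plist for one portal
# address and writes it with ">" (overwrite). The output path is a parameter so
# the function can be tested against a temporary file; on a Mac it would be
# /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist.

# Escape the characters that are special in XML text content.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# write_gp_settings_plist PORTAL OUTFILE
write_gp_settings_plist() {
    if [ -z "$1" ]; then
        echo "portal address is empty" >&2
        return 1
    fi
    portal=$(xml_escape "$1")
    out=$2
    # A here-document with ">" replaces any previous content instead of
    # stacking a second <plist> document onto the first.
    cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Palo Alto Networks</key>
<dict>
<key>GlobalProtect</key>
<dict>
<key>PanSetup</key>
<dict>
<key>Portal</key>
<string>${portal}</string>
<key>Prelogon</key>
<integer>0</integer>
</dict>
</dict>
</dict>
</dict>
</plist>
EOF
}

# check_gp_settings_plist OUTFILE
# Prints the Portal value and returns 1 if the file holds more than one
# <plist> document (the symptom of appending with ">>").
check_gp_settings_plist() {
    out=$1
    if [ "$(grep -c '<plist' "$out")" -ne 1 ]; then
        echo "$out: more than one plist document found (appended to?)" >&2
        return 1
    fi
    sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p' "$out" | head -n 1
}

# Demo against a scratch file (constructed portal name, never touches /Library).
demo_file=$(mktemp)
write_gp_settings_plist "vpn.example.test" "$demo_file"
echo "portal written: $(check_gp_settings_plist "$demo_file")"
rm -f "$demo_file"
```

Dropping the file this way still bypasses cfprefsd, which is why later posts in this thread run `killall cfprefsd` after replacing preference files.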
Posted on 05-04-2020 06:25 AM
This is what we use for our config profile. Granted, we have two separate portals, so we use an array.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PanPortalList</key>
<array>
<string>vpn1.server.com</string>
<string>vpn2.server.com</string>
</array>
</dict>
</plist>
Posted on 05-04-2020 06:36 AM
In our deployment, we pushed out /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist which contains portal address. However, we also needed to remove user config files in all existing user home folders:
#!/bin/sh
# The path is quoted so the space in "Application Support" is not split into two
# arguments; the /Users/* glob stays outside the quotes so it still expands.
rm -rf /Users/*/"Library/Application Support/PaloAltoNetworks/GlobalProtect"
rm -rf /Users/*/Library/Preferences/com.paloaltonetworks.GlobalProtect*
rm -rf /Users/*/Library/Preferences/PanGPS*
Otherwise the user config files seem to override the system library file.
Uninstalling GlobalProtect only removes the config files in current console user profile folder.
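The per-user cleanup this post describes, as an added example of my own (not the poster's script): the same three locations are removed for every home directory, but the base directory is a parameter so the function can be run against a scratch tree first, "Shared" is skipped, the directory under "Application Support" is quoted correctly, and the function reports how many items it removed. The fixture builder and the file names it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from this thread. Removes the per-user GlobalProtect
# preference files that override the system-wide plist in /Library/Preferences.
# USERS_DIR defaults to /Users; pass a scratch directory to try it safely.

remove_user_gp_prefs() {
    users_dir=${1:-/Users}
    removed=0
    for home in "$users_dir"/*; do
        [ -d "$home" ] || continue
        case $(basename "$home") in Shared) continue ;; esac
        # Directory: needs -r. Quoting keeps "Application Support" as one path.
        if [ -d "$home/Library/Application Support/PaloAltoNetworks/GlobalProtect" ]; then
            rm -rf "$home/Library/Application Support/PaloAltoNetworks/GlobalProtect"
            removed=$((removed + 1))
        fi
        # Per-user plists/logs: the glob stays outside the quotes so it expands.
        for f in "$home"/Library/Preferences/com.paloaltonetworks.GlobalProtect* \
                 "$home"/Library/Preferences/PanGPS*; do
            [ -e "$f" ] || continue   # an unmatched glob is returned literally
            rm -f "$f"
            removed=$((removed + 1))
        done
    done
    echo "$removed"
}

# Constructed fixture: two users plus Shared, with one unrelated plist that
# must survive. File names are illustrative only.
make_fixture() {
    base=$1
    for u in alice bob; do
        mkdir -p "$base/$u/Library/Application Support/PaloAltoNetworks/GlobalProtect"
        mkdir -p "$base/$u/Library/Preferences"
        : > "$base/$u/Library/Application Support/PaloAltoNetworks/GlobalProtect/placeholder.log"
        : > "$base/$u/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist"
        : > "$base/$u/Library/Preferences/PanGPS.log"
        : > "$base/$u/Library/Preferences/com.apple.finder.plist"
    done
    mkdir -p "$base/Shared/Library/Preferences"
    : > "$base/Shared/Library/Preferences/PanGPS.log"
}

# Demo against a scratch directory (never touches /Users).
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
echo "removed $(remove_user_gp_prefs "$demo_dir") items under $demo_dir"
rm -rf "$demo_dir"
```

Run it as root from a Jamf policy with no argument to act on /Users; the count it prints is a cheap way to confirm in the policy log that stale overrides were actually found.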
Posted on 05-04-2020 07:50 AM
So, what I did was upload a working plist file to a Computer level Configuration Profile with the "Preference Domain": com.paloaltonetworks.GlobalProtect
I have recently found that switching to a different portal (we have several VPNs for different users) will not take the new domain without doing a complete uninstall and reinstall. I found these instructions on the Palo Alto site:
So I have a GP remove policy that runs the following script and then calls the Global Protect installer once the new Profile is installed:
#!/bin/sh
/Applications/GlobalProtect.app/Contents/Resources/uninstall_gp.sh
kextunload -b com.paloaltonetworks.GlobalProtect.gplock
# Pre Catalina
rm -r /System/Library/Extensions/gplock*.kext
# Catalina
rm -r /Library/Extensions/gplock*.kext
rm /Library/Preferences/com.paloaltonetworks.GlobalProtect.plist
# Walk every home directory under /Users except Shared (HOMEDIR is used rather
# than USER so the shell's own USER variable is left alone)
for HOMEDIR in $(ls -ld /Users/* | grep ^d | grep -v "Shared" | awk '{print $NF}')
do
# GlobalProtect under Application Support is a directory, so it needs -r; the
# path is quoted so the space in "Application Support" is not split
rm -rf "$HOMEDIR/Library/Application Support/PaloAltoNetworks/GlobalProtect"
rm -f "$HOMEDIR"/Library/Preferences/com.paloaltonetworks.GlobalProtect*
rm -f "$HOMEDIR"/Library/Preferences/PanGPS*
done
killall cfprefsd
Posted on 06-04-2020 12:01 PM
@jason.bracy Would you be willing to share the XML of the plist you're deploying? In limited testing, my custom Configuration Profile conflicted with settings GlobalProtect configured after initial setup.
My current approach is to use the following in our install policy, Files and Processes > Execute Command > …
/usr/libexec/PlistBuddy -c "Add :Palo Alto Networks:GlobalProtect:PanSetup:Portal string YOUR.FQDN.GOES.HERE" /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist ; /usr/bin/su - "`/usr/bin/stat -f%Su /dev/console`" -c "/usr/bin/pkill -l -U `/usr/bin/stat -f%Su /dev/console` GlobalProtect" ; /bin/sleep 3 ; /usr/local/bin/jamf recon
Posted on 06-05-2020 11:06 AM
@dan-snelson The plist uploaded to the configuration profile is very simple, the Domain that I am using is in the Profile is: com.paloaltonetworks.GlobalProtect and then I uploaded the following XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Portal</key>
<string>xxx.xxxx.xxx</string>
</dict>
</plist>
-portal address scrubbed to protect my network :-)
Posted on 06-05-2020 11:24 AM
Thanks, @jason.bracy … I had w-a-y more keys in mine.
Posted on 06-05-2020 11:31 AM
@dan-snelson looks like you were also using the domain "com.paloaltonetworks.GlobalProtect.settings" not "com.paloaltonetworks.GlobalProtect". In my testing using that did not work. Deleting all GP settings files (previous comment) and using the Configuration Profile with the com.paloaltonetworks.GlobalProtect domain and the single portal key has been very solid and will then create the com.paloaltonetworks.GlobalProtect.settings file with the config that it gets from the server.
defaults read com.paloaltonetworks.GlobalProtect.settings
{
    "Palo Alto Networks" = {
        GlobalProtect = {
            PanMSAgent = {
                "Client.DebugLevel" = 5;
                PanGPS = 5;
                SearchOrder = 1;
                "Service.DebugLevel" = 5;
            };
            Settings = {
                ConfFromPortal = 7212;
                Configurations = 154;
                Configurations2 = 79;
                DisallowLocalAccess = 0;
                DisplayTrafficBlockingMsg = 1;
                DisplayWelcome = 1;
                HipCheckInterval = 0;
                LastUrl = "xxx.xxxx.xxx";
                LocalSSLEnabled = 0;
                OtherDisableStarted = 0;
                OverrideMethod = allowed;
                UserOverrides = 3;
                "agent-user-override-timeout" = 0;
                "mfa-prompt-suppress-time" = 0;
                "ssl-only-selection" = 0;
            };
            "Settings\xxx.xxxx.xxx" = {
                AuthTypes = 32;
                ConfFromPortal = 7212;
                Configurations = 154;
                Configurations2 = 79;
                DisplayTrafficBlockingMsg = 1;
                DisplayWelcome = 1;
                HipCheckInterval = 0;
                LocalSSLEnabled = 0;
                OtherDisableStarted = 0;
                OverrideMethod = allowed;
                UserOverrides = 3;
                "agent-user-override-timeout" = 0;
                "mfa-prompt-suppress-time" = 0;
            };
        };
    };
}
Posted on 06-07-2020 11:21 AM
I've just gone through all of this. Palo Alto has changed the preference file, domain and format.
So for client version 5.0.4:
Domain: com.paloaltonetworks.GlobalProtect
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Palo Alto Networks</key>
<dict>
<key>GlobalProtect</key>
<dict>
<key>PanGPS</key>
<dict>
<key>UserProfileType</key>
<integer>0</integer>
</dict>
<key>Settings</key>
<dict>
<key>connect-method</key>
<string>on-demand</string>
<key>disable-globalprotect</key>
<integer>1</integer>
<key>prelogon</key>
<integer>0</integer>
<key>regioncode</key>
<string>US</string>
</dict>
</dict>
</dict>
<key>PanPortalList</key>
<array>
<string>vpn.corp.com</string>
</array>
</dict>
</plist>
For client version 5.1.3-12:
Domain: com.paloaltonetworks.GlobalProtect.client
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PanPortalList</key>
<array>
<string>vpn.corp.com</string>
</array>
<key>User</key>
<string></string>
</dict>
</plist>
I hope that helps. I'm deploying both right now just to cope. I really wish devs wouldn't do this.
Posted on 06-07-2020 06:29 PM
@franton Thanks for the heads up on this. Developers should be required to do IT support for their product and see first hand how much people appreciate such major structural changes in minor version updates.
Posted on 06-08-2020 04:54 PM
@sdagley This kind of arbitrary change from vendors really annoys me. It's caused no end of bother in my org.
Posted on 06-17-2020 02:22 PM
Thanks, @franton; worked like a champ.
Posted on 07-15-2020 12:07 PM
@franton are these profiles being deployed as custom configuration profiles in Jamf. If so, are they set at the computer level or user level? Or, are the profiles deployed manually through a package or other means?
Posted on 07-16-2020 12:38 PM
@franton are these profiles being deployed as custom configuration profiles in Jamf. If so, are they set at the computer level or user level? Or, are the profiles deployed manually through a package or other means?
I'm also curious the best way to get this into the user's ~/Library/Preferences - I have tried "write defaults" as a script but can't get it to write it to the local user.
TIA
Posted on 07-17-2020 09:48 AM
@captam3rica I'm deploying as computer level for everything.
Posted on 07-17-2020 11:08 AM
When I use @franton's profile, my GP hangs at "Connecting..." indefinitely. As soon as I unscope the profile, GP prompts for the portal and can connect. This is GP 5.1.5 - upgrading from 5.0.3.
Posted on 07-22-2020 11:19 PM
@tep Had issues with that. Found that one of the background processes can get stuck, but force-killing them and effectively restarting the client helps. Our situation is mostly caused by our SAML-based login.
Posted on 08-18-2020 01:47 PM
@franton Do you have an example of a plist for 5.1.3-12 that also includes the
<key>connect-method</key> <string>on-demand</string>
portion? No matter what I try on that, I cannot get it to work. I know I'm missing something simple, but I'm about to tear my hair out over this... their website is absolutely no help!
Posted on 08-19-2020 08:32 AM
@elsmith sadly I do not. If you find it, please post it here.
Posted on 08-19-2020 08:36 AM
@franton Will do! Thank you :) I think I'm close (or maybe I just haven't had enough coffee)
Posted on 09-29-2020 11:37 AM
@elsmith I am having the exact same problem. I was able to set the portal address using @franton's method (thank you for that) but I cannot get the connect-method setting to work no matter where I put it. Using the new 5.2.2 client, BTW. I think I will have to get my networking team to engage with PAN support unless someone knows the secret sauce.
Posted on 10-14-2020 07:37 PM
@franton Am I imagining things, or did Palo Alto change the configuration back to the 5.0.x format for 5.2.x? (My org skipped the 5.1.x Mac releases)
Posted on 10-15-2020 08:09 AM
@sdagley I am still having to use Franton's method for the portal address plist file for both 5.2.2 and the new 5.2.3. I am unable to get the connect-method setting to work at all still, even when I place the plist files manually in both preferences folders without using Jamf. I am having our network engineers open a TAC case for me on this; I will let you know what I discover.
Posted on 11-17-2020 01:06 PM
@dan-snelson thanks for your Files and Process Execute Command. And it's much appreciated!
Posted on 11-23-2020 05:24 PM
@sdagley No idea. Only just started on 5.2.4 testing ... and I've still got both sets of profiles deployed.
Posted on 11-23-2020 10:02 PM
I am not able to get connect-method key to work either ... I also think that the setting can be pushed/overridden once the agent's 1st connection is made.
Posted on 12-15-2020 08:44 AM
After my ticket with PAN I was able to get the connect-method and portal address working, however I had to abandon the config profile and just use a separate Composer Package to drop the plist file in the directory. So I have one stock PKG file to install the client, then a PKG I created to drop the plist in /Library/Preferences. I will paste my plist that worked below if anyone needs it. (This worked for 5.2.2 and 5.2.3)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Palo Alto Networks</key>
<dict>
<key>GlobalProtect</key>
<dict>
<key>PanGPS</key>
<dict/>
<key>PanSetup</key>
<dict>
<key>Portal</key>
<string>YOUR PORTAL HERE</string>
</dict>
<key>Settings</key>
<dict>
<key>connect-method</key>
<string>on-demand</string>
</dict>
</dict>
</dict>
</dict>
</plist>
Posted on 08-09-2022 02:35 PM
This worked on my end. I had to kill the GlobalProtect process, then re-launch it.
Posted on 12-19-2020 06:26 PM
I've ended up taking the above info, and some of @elliotjordan 's work and come up with this. It sits in the postinstall pkg I wrap around Palo Alto's installer.
#!/bin/bash
# Remove GlobalProtectService keychain item from all users' login keychains.
USER_LIST=$(/usr/bin/dscl . -list /Users UniqueID | awk '$2 > 500 {print $1}')
for THIS_USER in $USER_LIST; do
USER_HOME=$(/usr/bin/dscl . -read "/Users/$THIS_USER" NFSHomeDirectory | awk '{print $2}')
USER_KEYCHAIN="$USER_HOME/Library/Keychains/login.keychain-db"
if [[ -f "$USER_KEYCHAIN" ]]; then
if /usr/bin/security find-generic-password -s "GlobalProtectService" "$USER_KEYCHAIN" &>/dev/null; then
/usr/bin/security delete-generic-password -s "GlobalProtectService" "$USER_KEYCHAIN" &>/dev/null
fi
fi
done
# Fix for the GP connecting all the time instead of on demand
defaults delete /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
rm /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
defaults write /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist '{ "Palo Alto Networks" = { GlobalProtect = { Settings = { "connect-method" = "on-demand" }; }; }; }'
It's not that sophisticated but it works, and unlike deploying a plist as mentioned above ... it is cfprefsd compatible.
08-05-2022 12:30 PM - edited 08-05-2022 12:30 PM
I'm seeing this on the 6.x client as well. My portal address is pre-configured with a config profile, machine-wide, via Jamf. If I set on-demand manually before installing, like your script there does, everything works fine.
However if I set on-demand with a config profile it doesn't work, hangs up while trying to auto connect. Any ideas?
Posted on 12-19-2020 06:55 PM
Blast. Made a mistake with the copy. The defaults line is missing a ;
defaults write /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist '{ "Palo Alto Networks" = { GlobalProtect = { Settings = { "connect-method" = "on-demand"; }; }; }; }'
Posted on 01-04-2021 08:47 AM
Does anyone have information regarding a Content Filter for Global Protect? I want to prevent the filter prompts that appear during installation.
Posted on 01-11-2021 08:37 AM
As far as I'm aware GP isn't installing a content filter, even on the latest 5.2.4.
Posted on 01-11-2021 08:52 AM
@franton I'm currently testing Global Protect 5.2.4 on 11.1 and during installation I'm receiving Content Filter prompts that disrupt DEPNotify. Palo Alto provided 4 configuration profiles to get around this issue in addition to the System Extension/Kernel Extension/PPPC/Notification profile that you need to configure yourself. One of the provided profiles does not install if you are running Jamf Cloud version 26 due to a Jamf Pro issue. Jamf says that the issue should be resolved in the next release.
You may also not see this if your GP Protect Admins have turned specific features such as "Enforcement" off.
Posted on 10-29-2024 04:23 PM
Hello @bwoods , I think this is what you are looking for.
Posted on 01-19-2021 09:33 AM
@bwoods Could you share the CP's from Palo Alto that allowed you to get around these issues?
Thanks in advance...
Posted on 01-19-2021 04:05 PM
@smpotter contact me on the macadmins #paloalto Slack channel. My name is brndnwds6 on Slack.
Posted on 01-20-2021 06:21 AM
I have recently configured for my environment and this solution worked perfectly.
Policies > Files and Processes
Execute Command
/usr/libexec/PlistBuddy -c "Add :Palo Alto Networks:GlobalProtect:PanSetup:Portal string servername" /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist ; /usr/bin/su - "`/usr/bin/stat -f%Su /dev/console`" -c "/usr/bin/pkill -l -U `/usr/bin/stat -f%Su /dev/console` GlobalProtect" ; /bin/sleep 3 ; /usr/local/bin/jamf recon
Post installation, it updates the server name and works great.
Posted on 05-22-2022 08:16 PM
@Saikat thanks for sharing, how would you add the CERTIFICATESTORELOOKUP= "user and machine" key? would that be possible with this method?