Testing out GlobalProtect for our Mac users and running into this keychain issue. We are using a local Certificate for authentication but the machine wants to use the system keychain every time GP tries to connect. The goal is to have the users never have to authenticate or enter a password after the local cert is installed.
I have already amended the ACL to include the GP app, but the keychain still wants to be accessed. I am also using an administrator account, but am still prompted. If I manually unlock the System keychain from the Keychain menu, I am still prompted when I try to connect.
Thank you for any help or tips someone may have.
Can likely automate this with the security tool... I'm playing with this right now. Something like:
security add-generic-password -a login -D "application password" -G GlobalProtect -s GlobalProtect -T /Applications/GlobalProtect.app -U
Note that this does not actually work to do what the article referenced above says. I'm trying to figure that part out, how to add PanGPS to the private key of the computer's certificate.
I am having this problem again recently.
I think the last round of supplemental Apple updates broke my solution.
I have tried both putting the certificate in a config profile, and adding the cert directly to the system keychain.
@Sterritt @awueschinski I built a pkg that places MySpecialCert.p12 in /private/var/tmp/GlobalProtectCert/
Then post install does this
#!/bin/sh
security import /private/var/tmp/GlobalProtectCert/MySpecialCert.p12 -k "/Library/Keychains/System.keychain" -P SecretWord -T /Applications/GlobalProtect.app/Contents/Resources/PanGPS
That does set the permissions and has worked for a year or two.
BUT since the latest update the system asks for the system credentials again at every restart regardless.
A workaround at paloalto https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkECAS suggests moving the certificate to the user's login keychain, but I have not been able to get this to work.
I can move the cert, but the prompt is still to change the system keychain.
Lots of my domain users are not admins, and our methods for allowing temporary escalation rely on checking AD membership, which is failing because there is no VPN.
Working with Palo Alto, I finally got a support person with a good answer for this.
1. Open Keychain Access.app
2. Under the "System" keychain select Category: "Passwords" and search for "GlobalProtectService"
3. Delete the GlobalProtectService application-password from the system keychain
4. Reboot macOS
5. Test if GlobalProtect version 5.2.3 still gives you the same issue
I took these steps, and no more prompt to change the system keychain, and the GlobalProtectService application-password is automatically recreated.
In at least my case, this has to do with the change in bundleIdentifier that happened between 5.0 and 5.1.2+ where the GlobalProtectService item is a password for the old identifier and there is a collision. Deleting the old file allows the new app to update the keychain, I suppose with the proper permissions.
For those of us who don't want to take all the manual steps at all the remote workstations, run as root (or with sudo):
security delete-generic-password -l GlobalProtectService "/Library/Keychains/System.keychain"
Stage a restart in a nice way, and on login, the service should start without the "macOS wants to use the "System" keychain" prompt.
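Putting the two working pieces of this thread together (the pkg postinstall that imports the machine cert with PanGPS on its ACL, and the deletion of the stale GlobalProtectService item that the newer bundle identifier collides with), here is an added example postinstall script. It is not from the thread's posters or from Palo Alto; it assumes the same paths as above (/private/var/tmp/GlobalProtectCert/MySpecialCert.p12, /Library/Keychains/System.keychain, PanGPS inside GlobalProtect.app), takes the PKCS#12 password from an environment variable with a placeholder default instead of the literal SecretWord, and removes the .p12 from disk after import so a password-protected key file and the password that opens it are not left sitting in /private/var/tmp. The `SECURITY` variable exists only so the functions can be exercised against a stub off a Mac; on macOS it resolves to /usr/bin/security.

```shell
#!/bin/sh
# Added example postinstall for a GlobalProtect machine-certificate package.
# Assumptions (not from the thread): GP_P12_PASSWORD env var, SECURITY_BIN override,
# and that the deployment tool handles the restart after this script exits.
set -eu

SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"
CERT_DIR="/private/var/tmp/GlobalProtectCert"
CERT_P12="$CERT_DIR/MySpecialCert.p12"
GP_APP="/Applications/GlobalProtect.app"
PANGPS="$GP_APP/Contents/Resources/PanGPS"
P12_PASSWORD="${GP_P12_PASSWORD:-REPLACE_WITH_P12_PASSWORD}"   # placeholder default
SECURITY="${SECURITY_BIN:-/usr/bin/security}"                   # overridable for testing

log() { printf '%s gp-postinstall: %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >&2; }

# The stale GlobalProtectService item (written by the pre-5.1.2 bundle id) blocks the
# new service from updating the keychain. Returns 0 if one was removed, 1 if none existed.
remove_stale_service_password() {
    if "$SECURITY" find-generic-password -l GlobalProtectService "$SYSTEM_KEYCHAIN" >/dev/null 2>&1; then
        "$SECURITY" delete-generic-password -l GlobalProtectService "$SYSTEM_KEYCHAIN" >/dev/null 2>&1
        log "removed stale GlobalProtectService item from System keychain"
        return 0
    fi
    log "no GlobalProtectService item present; nothing to remove"
    return 1
}

# Import the identity into the System keychain and put both PanGPS and the app on the
# private key's ACL, then delete the staged .p12 so the key file does not linger on disk.
# Returns 2 if the package did not stage the certificate where expected.
import_machine_cert() {
    if [ ! -f "$CERT_P12" ]; then
        log "expected certificate not found at $CERT_P12"
        return 2
    fi
    "$SECURITY" import "$CERT_P12" -k "$SYSTEM_KEYCHAIN" -P "$P12_PASSWORD" \
        -T "$PANGPS" -T "$GP_APP" >/dev/null
    rm -f "$CERT_P12"
    rmdir "$CERT_DIR" 2>/dev/null || true
    log "imported machine certificate with ACL for PanGPS and GlobalProtect.app"
    return 0
}

# Post-check: confirm at least one identity (cert + private key) is now in the System keychain.
verify_identity_present() {
    "$SECURITY" find-identity -v "$SYSTEM_KEYCHAIN" 2>/dev/null | grep -q 'valid identities found'
}

main() {
    remove_stale_service_password || true
    import_machine_cert
    if verify_identity_present; then
        log "identity present; a restart is required before GlobalProtect will use it"
    else
        log "WARNING: no identity found in System keychain after import"
        return 1
    fi
}

# Only run the real thing where the macOS security tool exists and we are root (pkg postinstall).
if [ -x "$SECURITY" ] && [ "$(id -u)" = 0 ]; then
    main "$@"
fi
```

The `-P` passphrase is still passed on the command line, which `security import` requires, so it is briefly visible in the process list; the mitigation is keeping the package and its scripts readable only by root and deleting the .p12 immediately after import, as the script does. Per the thread, the service recreates the GlobalProtectService item itself on the next boot, so nothing needs to be added back.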
I was able to package version 5.2.8, but I had to manually configure keychain access the first time after installing GlobalProtect. I had to add PanGPS to the machine certificate to allow users to log in to GlobalProtect without admin credentials.