Posted on 03-16-2020 07:55 AM
Hi All,
I am trying to update the new server address of Global Protect VPN. I have created a new plist with updated VPN address and uploaded it into a new configuration profile. Scoped it to my machine only. In logs, it says completed but I still see the old server address in the plist. Any suggestion?
Posted on 03-22-2020 11:52 PM
The issue is resolved. The Configuration profile name should be com.paloaltonetworks.GlobalProtect and the issue is resolved.
Posted on 03-16-2020 02:00 PM
@arjunumesh When applying a Configuration Profile to a device, you won't see the plist change. A Configuration Profile overrides the settings in plists, but it won't overwrite them.
Test your settings and verify whether they work. If you are still using the old server address, then you may have an error with the format of your profile.
You may find this documentation for GlobalProtect useful: Deploy Agent Settings to Mac Endpoints
Posted on 03-18-2020 08:01 AM
For anyone else thinking of using a Configuration Profile to set the default GlobalProtect settings, that doesn't appear to work...
I created a .plist based on the docs @talkingmoose referenced above that specified the portal address so the user wouldn't be prompted, and then deployed the settings via a Configuration Profile with a Custom Settings payload. On 1st launch GlobalProtect still prompted for the portal address. I ran the GlobalProtect uninstaller, then created a /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist containing the same content as the plist that generated my Custom Settings payload. After re-installing, GlobalProtect did pick up the portal setting, and did not prompt the user.
Posted on 04-24-2020 01:06 PM
The issue is resolved. The Configuration profile name should be com.paloaltonetworks.GlobalProtect and the issue is resolved.
I'm still having trouble deploying a custom plist for GlobalProtect. What do you mean by profile name? Is that the Preference Domain inside the payload? I've tried both com.paloaltonetworks.GlobalProtect and com.paloaltonetworks.GlobalProtect.settings but neither do anything. Any help or suggestions appreciated!
Posted on 04-24-2020 02:56 PM
On further investigation it looks like my plist is going into a Managed Preferences folder (/Library/Managed Preferences/ and /Library/~/Managed Preferences/) and also contents getting scrambled (and still not passing config to GlobalProtect when it runs first time). What's that all about?
Posted on 04-28-2020 04:35 AM
Could you please share a screenshot of the Configuration Profile?
Posted on 04-28-2020 06:26 AM
Good timing to come across this right now. Our campus is evaluating GlobalProtect so if anyone has any feedback that they'd like to provide on it, I'd appreciate it.
Posted on 04-28-2020 07:54 PM
@mcantwell The name of the initial configuration file must be com.paloaltonetworks.GlobalProtect.settings.plist and you need to put it in /Library/Preferences/.
The GlobalProtect documentation could also be much clearer on the configuration of the plist, as there's a specific hierarchy necessary. Here's an example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Palo Alto Networks</key>
    <dict>
        <key>GlobalProtect</key>
        <dict>
            <key>PanSetup</key>
            <dict>
                <key>Portal</key>
                <string>your.portal.here.com</string>
                <key>Prelogon</key>
                <string>0</string>
            </dict>
            <key>Settings</key>
            <dict>
                <key>connect-method</key>
                <string>on-demand</string>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
Posted on 04-29-2020 07:43 AM
Here is a script to create the plist with the correct structure.
#!/bin/bash
# Build the GlobalProtect settings plist with the nested dict structure it expects.
plistBuddy='/usr/libexec/PlistBuddy'
GPplistFile='/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist'

# Start from a clean file so the add commands below cannot collide with existing keys.
if [[ -f "${GPplistFile}" ]]; then
    echo "Removing existing GlobalProtect prefs file"
    rm -f "${GPplistFile}"
fi

# Create each level of the hierarchy, then the values under PanSetup.
"${plistBuddy}" -c "add :'Palo Alto Networks' dict" "${GPplistFile}"
"${plistBuddy}" -c "add :'Palo Alto Networks':'GlobalProtect' dict" "${GPplistFile}"
"${plistBuddy}" -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup' dict" "${GPplistFile}"
"${plistBuddy}" -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal' string 'vpn.example.com'" "${GPplistFile}"
"${plistBuddy}" -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Prelogon' integer 1" "${GPplistFile}"

# Print the portal value to confirm the structure was written.
"${plistBuddy}" -c "print :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal'" "${GPplistFile}"
More information can also be found in this thread.
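A check for the nesting that the example plist and the PlistBuddy script above both build, as an added example that is not from any poster in this thread: it parses XML or binary plists, confirms PanSetup > Portal sits at the expected depth with the expected value, and flags a group- or world-writable file. The function names, the permission check and the vpn.example.com sample data are assumptions of this example.

```python
import os
import plistlib
import stat

# Key path built by both the example plist and the PlistBuddy script in the thread.
PAN_SETUP_PATH = ("Palo Alto Networks", "GlobalProtect", "PanSetup")

def check_gp_plist(data, expected_portal):
    """Return a list of problems found in plist bytes; empty means usable."""
    try:
        root = plistlib.loads(data)  # auto-detects XML and binary plists
    except Exception as exc:
        return [f"not a parseable plist: {exc!r}"]
    node, walked = root, []
    for key in PAN_SETUP_PATH:
        walked.append(key)
        if not isinstance(node, dict) or not isinstance(node.get(key), dict):
            problems = ["missing dict: " + " > ".join(walked)]
            if isinstance(root, dict) and "Portal" in root:
                problems.append("Portal is at the top level, not under PanSetup")
            return problems
        node = node[key]
    portal = node.get("Portal")
    if not isinstance(portal, str) or not portal:
        return ["PanSetup > Portal is missing or not a string"]
    if portal != expected_portal:
        return [f"Portal is {portal!r}, expected {expected_portal!r}"]
    return []

def check_gp_file(path, expected_portal):
    """Check a plist on disk; also flag group/world-writable files (added check)."""
    with open(path, "rb") as fh:
        problems = check_gp_plist(fh.read(), expected_portal)
    if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("file is group- or world-writable")
    return problems

# Constructed sample inputs; vpn.example.com is a placeholder portal.
NESTED = {"Palo Alto Networks": {"GlobalProtect": {"PanSetup": {
    "Portal": "vpn.example.com", "Prelogon": "0"}}}}
SAMPLE_XML = plistlib.dumps(NESTED, fmt=plistlib.FMT_XML)
SAMPLE_BINARY = plistlib.dumps(NESTED, fmt=plistlib.FMT_BINARY)
SAMPLE_FLAT = plistlib.dumps({"Portal": "vpn.example.com"})

if __name__ == "__main__":
    for name, blob in [("xml", SAMPLE_XML), ("binary", SAMPLE_BINARY), ("flat", SAMPLE_FLAT)]:
        print(name, check_gp_plist(blob, "vpn.example.com") or "OK")
```

Pass the path of the deployed file and the portal you expect to `check_gp_file` to audit an endpoint.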
Posted on 06-20-2022 03:26 PM
This was incredibly helpful!!
Thank you.
Posted on 05-06-2020 01:51 PM
I think I'm pretty clear on the formatting of the plist file and its contents. What I'm not so clear on is how to get Jamf to place that file into the correct folder so that GlobalProtect can use it. Here's a screenshot of my profile after uploading my plist, if it helps:
Posted on 05-10-2020 03:33 PM
@mcantwell
Hi mcantwell, just letting you know you don't need to capture everything on your plist. You captured things like your preferred IP address which will be pushed to all devices. I'm not sure how this is going to work on devices where this would be hardcoded onto a plist and enforced.
You are better off just editing the plist down to only the fields you need. See images below, all I need is the vpn address to be enforced so that is all I have.
The plist I created by doing this command in terminal:
sudo defaults write ~/Desktop/com.paloaltonetworks.GlobalProtect.client.plist PanPortalList ENTERYOURVPNHERE
sudo plutil -convert xml1 ~/Desktop/com.paloaltonetworks.GlobalProtect.client.plist
This will create a preformatted plist on your desktop ready to be uploaded to JAMF config profiles.
If you NEED to enforce other settings, take a look at the plistbuddy commands above from @cbrewer to set them to this same file before the plutil command. If you do need to make changes, just make one at a time, test deployment, then add another once it is working.
Posted on 05-10-2020 07:20 PM
@mcantwell You need to use Composer to create an installer .pkg that places your plist named com.paloaltonetworks.GlobalProtect.settings.plist in /Library/Preferences/ and then have that .pkg installed by a Policy. I never had any luck setting this via a Configuration Profile, but the .plist has been reliable.
Posted on 05-18-2020 04:15 PM
@mcantwell You need to use Composer to create an installer .pkg that places your plist named com.paloaltonetworks.GlobalProtect.settings.plist in /Library/Preferences/ and then have that .pkg installed by a Policy. I never had any luck setting this via a Configuration Profile, but the .plist has been reliable.
Thanks for the help. I tried this but it seemed to just supersede it with the plist saved to the user Library (it didn't apply my portal URL). Is there a trick to getting the package to install the plist to ~/Library/Preferences/?
Posted on 05-19-2020 05:48 AM
@mcantwell The GP configuration in ~/Library/Preferences/ should be what GP pushes down after the initial connection which uses the info configured in /Library/Preferences/. As @BOBW posts above I don't think you really want to/should do that.
If you do want to put a full configuration .plist into ~/Library/Preferences/ you'd use Composer to create a .pkg that puts your configuration file in a temporary location like /tmp and use a postinstall script to move it into the appropriate ~/Library/Preferences/
Posted on 06-20-2022 03:27 PM
Thank you for the clarification on this here. So helpful!
Posted on 05-19-2020 12:24 PM
@cbrewer Thank you! I used your plist buddy script and it appears to have worked!
Hmm - how do I @ somebody here? Jamf Nation neophyte I am. :)
Posted on 05-19-2020 12:39 PM
@mcantwell If you type an @ symbol then start typing a Jamf Nation ID it should pop up a list of matching IDs and you can just select the one you want there. The markup for an @ reference is a [~ before the name and a ] to close - e.g. [~mcantwell]