update plist of Global Protect

arjunumesh
New Contributor II

Hi All,

I am trying to update the new server address of Global Protect VPN. I have created a new plist with updated VPN address and uploaded it into a new configuration profile. Scoped it to my machine only. In logs, it says completed but I still see the old server address in the plist. Any suggestion?

1 ACCEPTED SOLUTION

arjunumesh
New Contributor II

The issue is resolved. The Configuration profile name should be com.paloaltonetworks.GlobalProtect and the issue is resolved.


18 REPLIES

talkingmoose
Moderator

@arjunumesh When applying a Configuration Profile to a device, you won't see the plist change. A Configuration Profile overrides the settings in plists, but it won't overwrite them.

Test your settings and verify whether they work. If you are still using the old server address, then you may have an error with the format of your profile.

You may find this documentation for GlobalProtect useful: Deploy Agent Settings to Mac Endpoints

sdagley
Esteemed Contributor II

For anyone else thinking of using a Configuration Profile to set the default GlobalProtect settings, that doesn't appear to work...

I created a .plist based on the docs @talkingmoose referenced above that specified the portal address so the user wouldn't be prompted, and then deployed the settings via a Configuration Profile with a Custom Settings payload. On 1st launch GlobalProtect still prompted for the portal address. I ran the GlobalProtect uninstaller, then created a /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist containing the same content as the plist that generated my Custom Settings payload. After re-installing GlobalProtect did pick up the portal setting, and did not prompt the user.

arjunumesh
New Contributor II

The issue is resolved. The Configuration profile name should be com.paloaltonetworks.GlobalProtect and the issue is resolved.

markopolo
Contributor

The issue is resolved. The Configuration profile name should be com.paloaltonetworks.GlobalProtect and the issue is resolved.

I'm still having trouble deploying a custom plist for GlobalProtect. What do you mean by profile name? Is that the Preference Domain inside the payload? I've tried both com.paloaltonetworks.GlobalProtect and com.paloaltonetworks.GlobalProtect.settings but neither do anything. Any help or suggestions appreciated!

markopolo
Contributor

On further investigation it looks like my plist is going into a Managed Preferences folder (/Library/Managed Preferences/ and /Library/~/Managed Preferences/) and also contents getting scrambled (and still not passing config to GlobalProtect when it runs first time). What's that all about?

arjunumesh
New Contributor II

Could you please share some screenshot of the Configuration Profile?

jhuls
Contributor III

Good timing to come across this right now. Our campus is evaluating GlobalProtect so if anyone has any feedback that they'd like to provide on it, I'd appreciate it.

sdagley
Esteemed Contributor II

@mcantwell The name of the initial configuration file must be com.paloaltonetworks.GlobalProtect.settings.plist and you need to put it in /Library/Preferences/.

The GlobalProtect documentation could also be much clearer on the configuration of the plist, as there's a specific hierarchy necessary. Here's an example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Palo Alto Networks</key>
    <dict>
        <key>GlobalProtect</key>
        <dict>
            <key>PanSetup</key>
            <dict>
                <key>Portal</key>
                <string>your.portal.here.com</string>
                <key>Prelogon</key>
                <string>0</string>
            </dict>
            <key>Settings</key>
            <dict>
                <key>connect-method</key>
                <string>on-demand</string>
            </dict>
        </dict>
    </dict>
</dict>
</plist>

cbrewer
Valued Contributor II

Here is a script to create the plist with the correct structure.

#!/bin/bash

# Creates /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
# with the 'Palo Alto Networks' > 'GlobalProtect' > 'PanSetup' hierarchy.
# Run as root, since the file lives in /Library/Preferences.

plistBuddy='/usr/libexec/PlistBuddy'
GPplistFile='/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist'
portal='vpn.example.com'

if [[ -f "${GPplistFile}" ]]; then
  echo "Removing existing GlobalProtect prefs file"
  rm -f "${GPplistFile}"
fi

# PlistBuddy creates the file on the first 'add'; build the hierarchy top-down
"${plistBuddy}" -c "add :'Palo Alto Networks' dict" "${GPplistFile}"
"${plistBuddy}" -c "add :'Palo Alto Networks':'GlobalProtect' dict" "${GPplistFile}"
"${plistBuddy}" -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup' dict" "${GPplistFile}"
"${plistBuddy}" -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal' string '${portal}'" "${GPplistFile}"
"${plistBuddy}" -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Prelogon' integer 1" "${GPplistFile}"

# Verify by reading the portal back out of the file just written
"${plistBuddy}" -c "print :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal'" "${GPplistFile}"

More information can also be found in this thread.
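The following is an added example, not cbrewer's script and not code from Palo Alto Networks. It builds the plist in the key hierarchy sdagley posted above, writes it where this thread reports GlobalProtect reads it on first launch (/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist), and audits a root for the two dead ends discussed above: a Custom Settings payload that lands in /Library/Managed Preferences under its preference domain, and a plist in the right place but without the PanSetup hierarchy. vpn.example.com is a placeholder portal, and the `root` parameter exists only so the functions can be exercised on a scratch directory instead of the live system.

```python
"""Build, place and audit the GlobalProtect first-launch settings plist.

Added example, not from this thread or from Palo Alto Networks. Assumes the
key hierarchy posted above, that GlobalProtect reads
/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist on
first launch (as reported in this thread), and uses vpn.example.com as a
placeholder portal. `root` lets the functions run against a scratch folder.
"""
import os
import plistlib
import shutil
import tempfile

DOMAIN = "com.paloaltonetworks.GlobalProtect"
SETTINGS_NAME = DOMAIN + ".settings.plist"
PREFS_DIR = os.path.join("Library", "Preferences")
# A Jamf Custom Settings payload is written here under its preference domain;
# that is not where GlobalProtect looks for its first-launch settings.
MANAGED_DIR = os.path.join("Library", "Managed Preferences")


def build_settings(portal, prelogon="0", connect_method="on-demand"):
    """Nested dict matching the XML posted above (values kept as strings, as there)."""
    return {
        "Palo Alto Networks": {
            "GlobalProtect": {
                "PanSetup": {"Portal": portal, "Prelogon": prelogon},
                "Settings": {"connect-method": connect_method},
            }
        }
    }


def write_plist(path, data):
    """Write *data* as an XML plist, creating parent folders; returns the path."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        plistlib.dump(data, fh, fmt=plistlib.FMT_XML)
    return path


def portal_from_plist(path):
    """Portal string from *path*, or None if the file or the PanSetup hierarchy is missing."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except FileNotFoundError:
        return None
    try:
        return data["Palo Alto Networks"]["GlobalProtect"]["PanSetup"]["Portal"]
    except (KeyError, TypeError):
        return None


def audit(root="/"):
    """Report the portal GlobalProtect will see on first launch and any
    profile-delivered copies sitting in Managed Preferences under its domain."""
    effective = portal_from_plist(os.path.join(root, PREFS_DIR, SETTINGS_NAME))
    managed_dir = os.path.join(root, MANAGED_DIR)
    managed = []
    if os.path.isdir(managed_dir):
        managed = sorted(n for n in os.listdir(managed_dir) if n.startswith(DOMAIN))
    return {"effective_portal": effective, "managed_copies": managed}


def demo():
    """Replay the thread's three cases on a scratch root (constructed data)."""
    root = tempfile.mkdtemp()
    try:
        # 1. Settings delivered as a Custom Settings payload: lands in Managed Preferences.
        write_plist(os.path.join(root, MANAGED_DIR, DOMAIN + ".plist"),
                    build_settings("vpn.example.com"))
        profile_only = audit(root)
        # 2. Right file name and folder, but flat keys without the PanSetup hierarchy.
        write_plist(os.path.join(root, PREFS_DIR, SETTINGS_NAME),
                    {"Portal": "vpn.example.com"})
        flat = audit(root)
        # 3. The layout sdagley and cbrewer describe.
        write_plist(os.path.join(root, PREFS_DIR, SETTINGS_NAME),
                    build_settings("vpn.example.com"))
        working = audit(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return {"profile_only": profile_only, "flat": flat, "working": working}


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

On a managed Mac, `audit()` with the default root shows whether the effective file carries the portal you expect and whether an earlier profile attempt left a copy in Managed Preferences that you may want to retire, since a profile there will not be what the client reads but will still be enforced by the MDM.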

dvasquez
Valued Contributor

This was incredibly helpful!! 

Thank you.

markopolo
Contributor

I think I'm pretty clear on the formatting of the plist file and its contents. What I'm not so clear on his how to get Jamf to place that file into the correct folder so that GlobalProtect can use it. Here's a screenshot of my profile after uploading my plist, if it helps:


BOBW
Contributor II

@mcantwell Hi mcantwell, just letting you know you don't need to capture everything in your plist. You captured things like your preferred IP address, which will be pushed to all devices. I'm not sure how this is going to work on devices where this would be hardcoded into a plist and enforced. You are better off editing the plist down to only the fields you need. See images below; all I need is the VPN address to be enforced, so that is all I have.
The plist I created by running these commands in Terminal:
sudo defaults write ~/Desktop/com.paloaltonetworks.GlobalProtect.client.plist PanPortalList ENTERYOURVPNHERE
sudo plutil -convert xml1 ~/Desktop/com.paloaltonetworks.GlobalProtect.client.plist
This will create a preformatted plist on your desktop, ready to be uploaded to Jamf config profiles.

If you NEED to enforce other settings, take a look at the PlistBuddy commands above from @cbrewer to set them in this same file before the plutil command. If you do need to make changes, make one at a time, test the deployment, then add another once it is working.


sdagley
Esteemed Contributor II

@mcantwell You need to use Composer to create an installer .pkg that places your plist named com.paloaltonetworks.GlobalProtect.settings.plist in /Library/Preferences/ and then have that .pkg installed by a Policy. I never had any luck setting this via a Configuration Profile, but the .plist has been reliable.

markopolo
Contributor

@mcantwell You need to use Composer to create an installer .pkg that places your plist named com.paloaltonetworks.GlobalProtect.settings.plist in /Library/Preferences/ and then have that .pkg installed by a Policy. I never had any luck setting this via a Configuration Profile, but the .plist has been reliable.

Thanks for the help. I tried this but it seemed to just supersede it with the plist saved to the user Library (it didn't apply my portal URL). Is there a trick to getting the package to install the plist to ~/Library/Preferences/?

sdagley
Esteemed Contributor II

@mcantwell The GP configuration in ~/Library/Preferences/ should be what GP pushes down after the initial connection which uses the info configured in /Library/Preferences/. As @BOBW posts above I don't think you really want to/should do that.

If you do want to put a full configuration .plist into ~/Library/Preferences/, you'd use Composer to create a .pkg that puts your configuration file in a temporary location like /tmp and use a postinstall script to move it into the appropriate ~/Library/Preferences/.

dvasquez
Valued Contributor

Thank you for the clarification on this here. So helpful!


markopolo
Contributor

@cbrewer Thank you! I used your plist buddy script and it appears to have worked!

Hmm - how do I @ somebody here? Jamf Nation neophyte I am. :)

sdagley
Esteemed Contributor II

@mcantwell If you type an @ symbol then start typing a Jamf Nation ID it should pop up a list of matching IDs and you can just select the one you want there. The markup for an @ reference is a [~ before the name and a ] to close - e.g. [~mcantwell]