How to configure macOS Plist with On-Demand connect method and pre-defined portal
Created On 05/14/20 04:46 AM - Last Modified 06/15/20 21:55 PM
Objective
- Initial deployment of GlobalProtect (GP) app for macOS users using global plist (Property List) with GP client configured for connect method On-Demand and a pre-defined portal.
- This enables deployment of GlobalProtect app settings to macOS endpoints prior to their first connection to the GlobalProtect portal.
Environment
- PAN-OS 7.1 and above.
- Palo Alto Firewall.
- GlobalProtect Portal/Gateway
- GlobalProtect app version 5.0 and above
Procedure
Note: This article assumes that a plist file has already been created and is ready to be copied to the appropriate local folder.
- Uninstall the previous GP version to clear the local GP user cache.
- Copy plist file "com.paloaltonetworks.GlobalProtect.settings.plist" to /Library/Preferences/
Example: Plist file "com.paloaltonetworks.GlobalProtect.settings.plist"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Palo Alto Networks</key>
<dict>
<key>GlobalProtect</key>
<dict>
<key>PanGPS</key>
<dict/>
<key>PanSetup</key>
<dict>
<key>Portal</key>
<string>mygp.portal.com</string>
</dict>
<key>Settings</key>
<dict>
<key>connect-method</key>
<string>on-demand</string>
</dict>
</dict>
</dict>
</dict>
</plist>
- Go to /Library/Preferences and verify the copied plist.
Open Terminal and run these commands.
- cd /Library/Preferences/
- pwd (verify that the current directory is "/Library/Preferences")
- cat <plist file> (validate that the file exists in the directory and contains the desired settings: on-demand, portal)
- Install the latest GP v5.1.3 (or latest preferred version)
- After installation, the GP GUI should display "Not Connected" and the "Connect" button should be clickable.
- From the GP console, open Settings > General. This should show the portal name as configured in the plist file.
Additional Information
- On macOS endpoints, plist files are located either in /Library/Preferences or in ~/Library/Preferences.
- For the initial installation of GP, the plist file needs to be copied to both the /Library/Preferences and ~/Library/Preferences folders of the Mac endpoint.
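The manual cat check from the procedure can be scripted across both preferences locations, so a truncated copy or a wrong portal value is caught before the app is installed. This is an added example, not Palo Alto Networks code: the function names and the embedded sample are constructed here, and the expected portal is the article's example value.

```python
import plistlib
from pathlib import Path

PLIST_NAME = "com.paloaltonetworks.GlobalProtect.settings.plist"
# Constructed sample with the same keys and values as the article's example.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Palo Alto Networks</key><dict>
<key>GlobalProtect</key><dict><key>PanGPS</key><dict/>
<key>PanSetup</key><dict><key>Portal</key><string>mygp.portal.com</string></dict>
<key>Settings</key><dict><key>connect-method</key><string>on-demand</string></dict>
</dict></dict></dict></plist>
"""

def dig(node, *keys):  # walk nested dicts; None if a level is missing
    for key in keys:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node

def check_gp_plist(data, expected_portal, expected_method="on-demand"):
    """Return a list of problems found in plist bytes (empty list means OK)."""
    try:
        root = plistlib.loads(data)
    except Exception as exc:  # malformed XML, truncated copy, not a plist
        return [f"not a valid plist: {exc}"]
    gp = ("Palo Alto Networks", "GlobalProtect")
    portal = dig(root, *gp, "PanSetup", "Portal")
    method = dig(root, *gp, "Settings", "connect-method")
    problems = []
    if portal != expected_portal:
        problems.append(f"Portal is {portal!r}, expected {expected_portal!r}")
    if method != expected_method:
        problems.append(f"connect-method is {method!r}, expected {expected_method!r}")
    return problems

def check_deployed(dirs, expected_portal):
    """Check the plist in each preferences directory; returns {path: problems}."""
    results = {}
    for d in dirs:
        path = Path(d).expanduser() / PLIST_NAME
        try:
            results[str(path)] = check_gp_plist(path.read_bytes(), expected_portal)
        except OSError as exc:
            results[str(path)] = [f"cannot read file: {exc.strerror}"]
    return results

if __name__ == "__main__":
    print(check_deployed(["/Library/Preferences", "~/Library/Preferences"], "mygp.portal.com"))
```

An empty list for a path means the file parsed and both settings match; any other entry names the setting or file that needs attention.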