GlobalProtect Requests System Keychain Access on Mac OS X Clients
Symptom
-
Machine Certificate authentication is used on MAC OS X clients. During the GlobalProtect connection process, the user needs to enter the Local Administrator account credentials to allow access to the System keychain twice.
Environment
- Existing GlobalProtect Infrastructure
- macOS endpoints
Cause
-
When using Machine Certificates with GlobalProtect on Mac OS X Clients, the certificate must be accessed from the "System" keychain in MAC OS X. This will cause a Keychain Access prompt to appear twice when the client attempts to access the certificate for verification against both portal and gateway.
Resolution
As a workaround, you can implement the following steps:
- Open the Keychain Access application and locate the Machine Certificate issued to Mac OS X Client in the System keychain.
- Right-click on the private key associated with Certificate and click Get Info, then go to the Access Control tab
- Click '+' to select an Application to allow
- Press key combination <Command> + <Shift> + G to open Go to Folder
- Enter '/Applications/GlobalProtect.app/Contents/Resources' and click Go
- Find PanGPS and click it, and then press Add
- Find GlobalProtect.app and click it, and then press Add
- Save Changes to private key
Note: The steps above allows GlobalProtect access to only THIS certificate and private key. It will no longer prompt for keychain access, giving users a seamless, no-touch experience with Palo Alto Networks GlobalProtect.
Note: If the workaround provided above doesn't work, please do:
- Move the certificate from System keychain to Login keychain
- Step-1 should then create a prompt similar to below. Click on "Always Allow"
- The procedure has to be done again every time client is updated.