GlobalProtect Requests System Keychain Access on Mac OS X Clients

GlobalProtect Requests System Keychain Access on Mac OS X Clients

Created On 09/25/18 20:40 PM - Last Modified 08/15/22 22:57 PM


  • Machine Certificate authentication is used on MAC OS X clients. During the GlobalProtect connection process, the user needs to enter the Local Administrator account credentials to allow access to the System keychain twice.


  • Existing GlobalProtect Infrastructure
  • macOS endpoints 


  • When using Machine Certificates with GlobalProtect on Mac OS X Clients, the certificate must be accessed from the "System" keychain in MAC OS X.  This will cause a Keychain Access prompt to appear twice when the client attempts to access the certificate for verification against both portal and gateway.



As a workaround, you can implement the following steps:

  1. Open the Keychain Access application and locate the Machine Certificate issued to Mac OS X Client in the System keychain.
  2. Right-click on the private key associated with Certificate and click Get Info, then go to the Access Control tab
  3. Click '+' to select an Application to allow
  4. Press key combination <Command> + <Shift> + G to open Go to Folder
  5. Enter '/Applications/' and click Go
  6. Find PanGPS and click it, and then press Add
  7. Find and click it, and then press Add
  8. Save Changes to private key


Note: The steps above allows GlobalProtect access to only THIS certificate and private key.  It will no longer prompt for keychain access, giving users a seamless, no-touch experience with Palo Alto Networks GlobalProtect.

Note: If the workaround provided above doesn't work, please do: 

  1. Move the certificate from System keychain to Login keychain
  2. Step-1 should then create a prompt similar to below.  Click on "Always Allow"

User-added image

  • The procedure has to be done again every time client is updated.


  • Print
  • Copy Link

Choose Language