How to set up different Global Protect Agent upgrade options for different users
116119
Created On 09/26/18 13:44 PM - Last Modified 05/07/20 19:01 PM
Symptom
How to set up different Global Protect Agent upgrade options for different users
Environment
- Global Protect
- Pan_OS
Resolution
Suppose we want all users belonging to "admins" group to not have an option to upgrade the GlobalProtect client. All users belonging to "maud-vpn-users" group should be prompted to upgrade the GlobalProtect client.
Note: Group Mapping must be configured with User-to-Group mapping.
1. Different agent configuration needs are required for each user group as follows: (Network > Global Protect > Portal > Agent):
2. Each user group in agent configuration will still have the same gateway information:
3. Under each agent configuration, different upgrade options would be configured:
Network > Global Protect > Portal > Agent > Configs > App > Allow User to Upgrade GlobalProtect App.
Additional Information
Upgrade Options:
- Allow with Prompt (Default)—Users are prompted to upgrade when a new version of the app is activated on the firewall.
- Allow Transparently—Upgrades occur automatically without user interaction. Upgrades can occur when the user is working remotely or connected within the corporate network.
- Internal—Upgrades occur automatically without user interaction, provided the user is connected within the corporate network. This setting is recommended to prevent slow upgrades in low-bandwidth situations. When a user connects outside the corporate network, the upgrade is postponed and re-activated when the user connects within the corporate network. Note that you must configure internal gateways and internal host detection to use this option.
- Disallow—This option prevents app upgrades.
- Allow Manually—End users initiate app upgrades. In this case, the user must select "Check Version" from the settings menu on the GlobalProtect status panel to determine if there is a new app version available, and then upgrade if desired. Note that this option will not work if the GlobalProtect app is hidden from the user.