GlobalProtect app crashes in MacOS with SentinelOne managed endpoint preventing user to enter password credential
9325
Created On 04/04/20 03:45 AM - Last Modified 04/27/20 17:15 PM
Symptom
When user attempt to enter their password credentials into GlobalProtect (GP) login prompt, the login prompt will disappear along with GP icon on the menu bar. After few minutes, the GP app will come back and when user attempt again to enter credentials same process will again.
Environment
- MacOS 10.15.3
- 2018 15" Macbook Pro
- GlobalProtect app version 5.0.x and above
- SentinelOne Endpoint Protection installed in Mac and manage thru SentinelOne admin.
Cause
Upon further investigation by Engineering in Mac crash dump from the GP logs, looks like SentinelOne was injecting some libraries into the GP process at startup causing the GP app to crash.
To confirm this:
- Collect GP logs from the device.
- Open the GP logs and look for the files that ends in .crash.
- Check and open the file with last user attempt, format should be something like this "PanGPS_2020-03-11-134746_lblack-mac.crash".
- Check the Binary Images section of the crash dump for "/usr/local/lib/sentinel.dylib". See below example.
Binary Images:
0x105e52000 - 0x106109447 +com.paloaltonetworks.GlobalProtect.client (5.1.1-12 - 0) <20F0BFD7-1D46-3122-95BA-D518253C4771> /Applications/GlobalProtect.app/Contents/MacOS/GlobalProtect
0x106518000 - 0x106536fff +sentinel.dylib (0) <BF1DE1FD-9DA9-36F7-98BC-428A3A281858> /usr/local/lib/sentinel.dylib
Resolution
Workaround:
Add /Applications/GlobalProtect.app/Contents/MacOS/GlobalProtect in SentinelOne whitelist process. This should be done by local admin who has access to SentinelOne administration.
Additional Information
Reference:
Similar issue was reported in Reddit tech community regarding this issue.