Why do we see the "You are making changes to the System Certificate Trust Settings. Enter your password to allow this" message only on MacBooks with a GlobalProtect installation?
Question
Why do we see the PanGPS message "You are making changes to the System Certificate Trust Settings. Enter your password to allow this" only on a MacBook when installing the GlobalProtect client for the first time?
Environment
- MacBook Pro, macOS Big Sur / 11.7.11 or above
- GlobalProtect 5.2.4 and later
Answer
- First-Time Authorization: macOS requires an administrator password during the initial connection to verify changes to your System Certificate Trust Settings.
- Certificate Security: This prompt occurs because GlobalProtect is importing a security certificate into the system keychain to ensure a trusted connection.
- Administrative Requirement: Even when the application has system-level access, macOS security protocols mandate manual user approval for these specific trust settings.
- One-Time Event: This authorization typically only triggers once, as the security certificate persists on the device after the first successful connection and a reboot.
- Expected behaviour: This behaviour is expected because the GlobalProtect app attempts to install the configured certificates into the Mac's system keychain. If the certificates already exist, the call is skipped entirely, which is why there is no prompt after a restart following the first successful connection.
On-prem GlobalProtect/ Strata Firewalls
If you are using GlobalProtect with on-prem firewalls, the root certificate install is part of the portal configuration, so the certificate is present on the portal firewall and can be exported from it.
The certificate being installed is shown under the portal configuration (Trusted Root CA).
Make a note of the certificate name, then go to Device -> Certificate Management -> Certificates, find and select the certificate listed in the GlobalProtect Portal, and export it. Do NOT export the private key.
Prisma Access
If you are using Prisma Access, the root certificate is used for Prisma Access features, and you can get the certificate using the following steps.
Log in to Strata Cloud Manager and navigate to the Onboarding section.
Download/export the certificates from the Certificate Management section under Objects in SCM.
To get the certificates on a macOS workstation that has had the certificate installed:
Open Keychain Access.
Find the certificate called PaloAltoCA and export the certificate.
You can then deploy and trust the certificate on the macOS workstations using your normal MDM.
Additional Information
- For a macOS deployment where an MDM (for example, Intune) is used, identify the certificates that GlobalProtect needs to install.
- Pre-install those certificates into the System Keychain via an Intune MDM Certificate Configuration Profile (com.apple.security.root payload) before GP connects for the first time.
- This pre-populates the certificates before GP connects and eliminates the admin password prompt entirely.
- Reach out to the MDM vendor's support for instructions on creating the certificate profile.
- Check PanGPS.log to identify and validate that the pop-up appears when GlobalProtect is trying to install these certificates.
  P 412-T19842 11/02/2026 09:14:22:105 Info (1627): Imported <cert(0x12b005190) s: Internal Network Forward Trust CA i: Corporate Root CA>
  P 412-T19842 11/02/2026 09:14:22:342 Error( 381): Failed to set trust for cert 3958210476211843072 Forward Trust CA in keychain /Library/Keychains/System.keychain, domain 1: 0 No error.
  P 412-T19842 11/02/2026 09:14:22:345 Info (1627): Imported <cert(0x13fc072b0) s: Internal Network Forward Trust CA ECDSA i: Corporate Root CA>
  P 412-T19842 11/02/2026 09:14:22:388 Error( 381): Failed to set trust for cert 3958210476211843072 Forward Trust CA ECDSA in keychain /Library/Keychains/System.keychain, domain 1: 0 No error.
  P 412-T19842 11/02/2026 09:15:01:921 Error( 381): Failed to set trust for cert 3958210476211843072 Root CA in keychain /Library/Keychains/System.keychain, domain 1: 0 No error.
- Note: macOS still needs to be restarted one time after the first installation and a connection attempt, to initialise the network extensions.
- For further information, see this Apple developer link:
https://developer.apple.com/documentation/macos-release-notes/macos-big-sur-11_0_1-release-notes
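
The PanGPS.log check described above, as an added example that is not Palo Alto Networks code: a small Python parser that lists the certificates GlobalProtect imported and the trust-setting failures against the System keychain, so they can be matched to what the MDM profile must pre-install. The line layout is inferred from the excerpt on this page; the function names and the last sample line are constructed for illustration.

```python
import re

SYSTEM_KEYCHAIN = "/Library/Keychains/System.keychain"
# Line layout inferred from the excerpt on this page (assumption, not a documented format):
# P <pid>-T<tid> <date> <time> <Level>(<code>): <message>
HEADER = re.compile(r"^P\s*\d+-T\d+\s+(\S+)\s+(\S+)\s+\w+\s*\(\s*\d+\):\s*(.*)$")
IMPORTED = re.compile(r"Imported <cert\(0x[0-9a-fA-F]+\) s: (.+?) i: (.+?)>")
TRUST_FAIL = re.compile(r"Failed to set trust for cert \d+ (.+?) in keychain (\S+?), domain \d+")

# First five lines come from the excerpt on this page; the last line is constructed noise.
SAMPLE_LOG = """\
P 412-T19842 11/02/2026 09:14:22:105 Info (1627): Imported <cert(0x12b005190) s: Internal Network Forward Trust CA i: Corporate Root CA>
P 412-T19842 11/02/2026 09:14:22:342 Error( 381): Failed to set trust for cert 3958210476211843072 Forward Trust CA in keychain /Library/Keychains/System.keychain, domain 1: 0 No error.
P 412-T19842 11/02/2026 09:14:22:345 Info (1627): Imported <cert(0x13fc072b0) s: Internal Network Forward Trust CA ECDSA i: Corporate Root CA>
P 412-T19842 11/02/2026 09:14:22:388 Error( 381): Failed to set trust for cert 3958210476211843072 Forward Trust CA ECDSA in keychain /Library/Keychains/System.keychain, domain 1: 0 No error.
P 412-T19842 11/02/2026 09:15:01:921 Error( 381): Failed to set trust for cert 3958210476211843072 Root CA in keychain /Library/Keychains/System.keychain, domain 1: 0 No error.
P 412-T19842 11/02/2026 09:15:02:000 Info ( 100): constructed unrelated entry
"""

def cert_install_events(log_text):
    """Return (imports, trust_failures) found in PanGPS.log text."""
    imports, failures = [], []
    for line in log_text.splitlines():
        head = HEADER.match(line.strip())
        if not head:
            continue  # not a log record in the assumed layout
        date, time, message = head.groups()
        if (m := IMPORTED.search(message)):
            imports.append({"when": f"{date} {time}", "subject": m.group(1), "issuer": m.group(2)})
        elif (m := TRUST_FAIL.search(message)):
            failures.append({"when": f"{date} {time}", "cert": m.group(1), "keychain": m.group(2)})
    return imports, failures

def predeploy_candidates(log_text):
    """Distinct certificate names to compare against the MDM certificate profile."""
    imports, failures = cert_install_events(log_text)
    return {
        "imported_subjects": list(dict.fromkeys(i["subject"] for i in imports)),
        "issuers": list(dict.fromkeys(i["issuer"] for i in imports)),
        "system_trust_failures": [f["cert"] for f in failures if f["keychain"] == SYSTEM_KEYCHAIN],
    }

if __name__ == "__main__":
    for key, names in predeploy_candidates(SAMPLE_LOG).items():
        print(f"{key}: {names}")
```

The timestamps in the `when` field can be compared with the time the password prompt appeared on the workstation.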