Why are we seeing the message "You are making changes to the System Certificate Trust Settings" only on a MacBook Pro running OSX Big Sur when upgrading to version 5.2.4 and later?


43022
Created On 03/05/21 20:22 PM - Last Modified 11/02/21 06:58 AM


Question


Why are we seeing the message "You are making changes to the System Certificate Trust Settings" only on a MacBook Pro running OSX Big Sur when upgrading to version 5.2.4 and later?

Environment


  • Macbook Pro OSX Big Sur
  • Globalprotect 5.2.4 and later


Answer



When you upgrade GlobalProtect to version 5.2.4 or later on a MacBook running Big Sur, you see the prompt "You are making changes to the system certificate trust settings" and must authenticate to access the Keychain.

[Screenshot: the certificate trust settings authentication prompt]

This is a new security behaviour in macOS Big Sur, described in Apple's release notes:
  • MacOS Big Sur 11 beta improves system security by requiring an administrator password when a certificate trust settings change is made in the admin trust domain. Running as the root user alone is no longer sufficient to modify certificate trust. User trust domain settings continue to require confirmation by entering the password for the user’s account. This change may affect you if one of the following is true:

    • You have written scripts which call /usr/bin/security add-trusted-cert -d ... as root.

    • Your process runs as root and calls the SecTrustSettingsSetTrustSettings function to trust a certificate.

  • Workflows that add trust settings in the admin trust domain, such as for an enterprise root certificate, may require modification if the user can’t authenticate as an administrator at the time settings are changed. (21855995)

    Workaround: Use Apple Configurator 2 to create and install a configuration profile containing your root certificate.

As per the workaround provided by Apple, a configuration profile that includes the root certificate needs to be created and installed on the clients.

The certificate installed by GlobalProtect is required for several GlobalProtect and Prisma Access features, so it cannot simply be omitted.

On-prem GlobalProtect
If you are using GlobalProtect with on-prem firewalls, the root certificate install is part of the portal configuration. The certificate is present on the portal firewall and can be exported from there.

The certificate being installed is shown in the portal configuration under Trusted Root CA.

[Screenshot Pic1.png: GlobalProtect Portal configuration showing the Trusted Root CA]

Make a note of the certificate name, then go to Device -> Certificate Management -> Certificates, find and select the certificate listed in the GlobalProtect Portal, and export it. Do NOT export the private key.

[Screenshot Pic2.png: exporting the certificate from Device -> Certificate Management -> Certificates]

Prisma Access
If you are using Prisma Access, the root certificate is used for Prisma Access features and can be obtained with the following steps.

On a macOS workstation that already has the certificate installed, open Keychain Access.

[Screenshot Pic3.png: Keychain Access]

Find the certificate called PaloAltoCA and export it.

[Screenshot Pic4.png: exporting the PaloAltoCA certificate from Keychain Access]

You can then deploy and trust the certificate on the macOS workstations using your normal MDM.
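The steps above end with a configuration profile containing the exported root certificate being pushed through MDM. The following script is an added example, not Palo Alto Networks' or Apple's own code: it takes the exported certificate (PEM or DER) and emits a .mobileconfig profile using Apple's com.apple.security.root payload type, refusing the input if it carries a private key, since the article warns never to export that. The PayloadIdentifier prefix com.example.rootca and the display name are placeholders to replace with your organisation's own values.

```shell
#!/bin/sh
# Added example (not from the KB article): build a .mobileconfig profile that
# carries a root CA certificate so it can be deployed through MDM rather than
# by calling `security add-trusted-cert` as root on Big Sur.
set -eu

# Generate an uppercase UUID for the PayloadUUID fields; falls back to
# /proc or /dev/urandom when uuidgen is not available.
new_uuid() {
  if command -v uuidgen >/dev/null 2>&1; then
    uuidgen | tr 'a-f' 'A-F'
  elif [ -r /proc/sys/kernel/random/uuid ]; then
    tr 'a-f' 'A-F' < /proc/sys/kernel/random/uuid
  else
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n' \
      | sed -E 's/(.{8})(.{4})(.{4})(.{4})(.{12})/\1-\2-\3-\4-\5/' | tr 'a-f' 'A-F'
  fi
}

# Return the certificate's DER bytes as one base64 line.
# PEM input: keep only the base64 body between the BEGIN/END markers.
# DER input: base64-encode the raw file.
cert_b64() {
  if head -c 10 "$1" | grep -q -- '-----BEGIN'; then
    sed -n '/-----BEGIN/,/-----END/p' "$1" | grep -v -- '-----' | tr -d '\r\n'
  else
    base64 < "$1" | tr -d '\n'
  fi
}

# Write the profile plist to stdout.
# $1 = exported certificate file, $2 = display name (placeholder default).
make_root_cert_profile() {
  cert_file=$1
  display_name=${2:-"Placeholder Root CA"}
  # The article says to export the certificate only, never the private key.
  if grep -q -- 'PRIVATE KEY' "$cert_file" 2>/dev/null; then
    echo "refusing: $cert_file contains a private key; export the certificate only" >&2
    return 1
  fi
  payload_uuid=$(new_uuid)
  profile_uuid=$(new_uuid)
  data=$(cert_b64 "$cert_file")
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadCertificateFileName</key>
      <string>$(basename "$cert_file")</string>
      <key>PayloadContent</key>
      <data>$data</data>
      <key>PayloadDisplayName</key>
      <string>$display_name</string>
      <key>PayloadIdentifier</key>
      <string>com.example.rootca.$payload_uuid</string>
      <key>PayloadType</key>
      <string>com.apple.security.root</string>
      <key>PayloadUUID</key>
      <string>$payload_uuid</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>$display_name</string>
  <key>PayloadIdentifier</key>
  <string>com.example.rootca</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>$profile_uuid</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
EOF
}

# Usage when run as a script:
#   sh make_profile.sh exported-root.cer "GlobalProtect Root CA" > root-ca.mobileconfig
if [ $# -ge 1 ]; then
  make_root_cert_profile "$@"
fi
```

The resulting file is what you upload to the MDM for a device-scoped deployment; installing it by double-clicking on the Mac still goes through the user-approval flow, so the MDM path is the one that avoids the per-machine prompt the article describes.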
     



Additional Information


For further information, see the macOS Big Sur release notes on the Apple developer site:

https://developer.apple.com/documentation/macos-release-notes/macos-big-sur-11_0_1-release-notes


Article link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001UiTCAU&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail