Frequent GlobalProtect Disconnects Noticed by macOS Users

•  Frequent GlobalProtect disconnects on macOS endpoints due to "Sig 15" error as shown below:

P4988-T259   09/21/2021 14:16:12:136 Debug( 356): receive sig 15
P4988-T259   09/21/2021 14:16:12:136 Info ( 301): Stop PanGPS
P4988-T12547 09/21/2021 14:16:13:172 Info ( 228): close client socket
P4988-T12547 09/21/2021 14:16:13:172 Info ( 232): Server thread will quit
P4988-T12547 09/21/2021 14:16:13:172 Info ( 244): ServerThread exited
P4988-T259   09/21/2021 14:16:13:172 Debug(4592): StopServer() called
P4988-T259   09/21/2021 14:16:13:172 Debug(4602): StopServer() SetVpnStatus to GP_VPN_STATUS_DISCONNECTED

•  System logs showing JAMF task executing such as below:

Sep 20 13:32:55 ExampleDeviceName com.apple.xpc.launchd[1] (com.jamfsoftware.task.Every 15 Minutes[16802]): Service exited with abnormal code: 1

•  GlobalProtect "PanGPInstall" logs showing multiple installations of the App as shown below:

Tue Sep 21 10:47:31 CDT 2021 GP endpoint was installed:5.2.8-23
...
Tue Sep 21 11:07:26 CDT 2021 GP endpoint was installed:5.2.8-23
...
Tue Sep 21 14:16:42 CDT 2021 GP endpoint was installed:5.2.8-23

•   Any version of GlobalProtect (GP) App deployed using JAMF 
•  JAMF policy configured to execute on multiple trigger events 
•  macOS endpoints 

•  The JAMF policy associated to the GP install was configured to execute based on multiple trigger events resulting in constant app re-installations 

1. The JAMF Mobile Device Management (MDM) solution provides various ways to initiate software upgrades/installs on managed devices which includes things such as "trigger events."  
2. In our environment, the associated policy to install the GP App was configured with multiple triggers such as "Network State Change" and "Recurring Check-in" as shown below:

 

3.  Our endpoint was experiencing substantial local network connectivity issues as shown in the GP logs below:

P4988-T12547 09/21/2021 13:25:34:508 Debug(1439): Route change message RTM_IFINFO: iface status change,  down
P4988-T12547 09/21/2021 13:25:34:508 Debug(6645): NetworkConnectionMonitorThread: got exit event.

4.  With this configuration in place, the application will install each time the endpoint experiences local network changes (temporary disconnect, changing between network types, etc) or whenever the endpoints are configured to check into the Dashboard
5.  To avoid the issue going forward, please select only the appropriate events needed for the install, or even use a custom event to properly execute the policy

•  Please note that JAMF currently is not listed as supported MDM solution with the GlobalProtect App; you can find a list of approved vendors here
•  Please note that this could be present in other MDM vendor solutions also that provides similar configuration options