How To Enable System and Network Extensions using jamf PRO
Objective
Background
GlobalProtect App starting 5.1.4 uses system extensions on macOS Catalina 10.15.4 or later endpoints for enabling capabilities such as:
- Split tunnel based on the destination domain name and application process name
- Enforce GlobalProtect connections for network access (see GlobalProtect App Customization) without requiring kernel extensions
GlobalProtect App starting 5.2 uses system extensions on macOS Catalina 10.15.4 or later endpoints for enabling capabilities such as:
When GlobalProtect app is installed on a macOS Catalina 10.15.4 or later device for the first time or is upgraded to GlobalProtect app 5.1.4, they must now enable the system extensions. If you have configured split tunnel on the gateway or enforced GlobalProtect connections for network access on the portal, the System Extension Blocked notification message displays on the app during the installation, prompting users to enable and allow the system extensions in macOS that are blocked from loading to use these GlobalProtect features.
Objective:
Objective of this document is to utilize GlobalProtect 5.1.6 signed configuration profiles and deploy them using jamf PRO to suppress macOS 10.15.4 or later system and network extension pop-ups. The workflow can be used for any other Mobile Device Manager (MDM) provider which supports deploying configuration profiles.
Note: This document assumes that the macOS endpoint does not have network extensions enabled manually. If network extensions are already enabled manually via GlobalProtect pop-up’s than using configuration profile, via jamf PRO, to enable network extensions will create a duplicate network extension entries.
Environment
- GlobalProtect 5.1.6 or later
- macOS Catalina 10.15.4 or later / macOS BigSur 11.
Prerequisite:
- jamf PRO Configuration profiles are supported with GlobalProtect 5.1.6 and onwards only.
- macOS Catalina 10.15.4 or later / macOS BigSur 11.
- Before using the configuration profile files, please make sure that the file is not corrupted by verifying the hash of the downloaded file with the hash provided for each file in this document and making sure they both match. If otherwise please re-download the files.
Procedure
Table of Contents:
Enable GlobalProtect System Extension
Enable GlobalProtect Network Extension on macOS BigSur 11 Endpoints
Steps for Adding a Configuration Profile for Enforcer on jamfPro v10.26.0
Verify Configuration Profiles
Steps for Adding a Configuration Profile to remove System Extensions on macOS Monterey 12 Endpoints
Enable GlobalProtect System Extension:
- Upon successful installation of GlobalProtect Client, following system extension pop-up will be seen as explained in GlobalProtect app guide.
- To enable the System extension, please follow below steps:
- On jamf PRO, navigate to Computers > Configuration Profiles > New.
- Here, create a configuration profile as shown below with following information:
- Select System Extensions.
- Enter the Team Identifier used by the GlobalProtect app (PXPZ95SK77).
- Enter the Bundle Identifier (com.paloaltonetworks.GlobalProtect.client.extension).
Note: To enable System Extensions immediately after installation of the GlobalProtect App, use the following command:
sudo installer -pkg GlobalProtect.pkg -applyChoiceChangesXML install_system_extensions.xml -target /
The content of install_system_extensions.xml is
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <array> <dict> <key>attributeSetting</key> <integer>1</integer> <key>choiceAttribute</key> <string>selected</string> <key>choiceIdentifier</key> <string>third</string> </dict> <dict> <key>attributeSetting</key> <integer>1</integer> <key>choiceAttribute</key> <string>selected</string> <key>choiceIdentifier</key> <string>com.paloaltonetworks.globalprotect.systemext.pkg</string> </dict> </array> </plist>
Enable GlobalProtect Network Extension on macOS BigSur 11 Endpoints:
- On macOS Big Sur Endpoints, upon successful installation of GlobalProtect Client, following network extension pop-up will be seen as explained in GlobalProtect app user guide.
- On macOS BigSur endpoints, a single configuration profile is enough to suppress network extension pop-up unlike macOS Catalina. The steps to add a configuration profile for macOS Big Sur endpoints is the same as the Steps for adding a configuration profile for Enforcer on jamfPro v10.26.0.
Steps for Adding a Configuration Profile for Enforcer on jamfPro v10.26.0.
Jamf Pro v10.26.0 introduced the Content Filtering payload for macOS devices. It appears that this work also introduced an issue (JAMF Bug# PI-009162) which prevents the ability to upload profiles that include this payload (for example, GlobalProtect Enforcer mobileconfig), both via the GUI and the API. At this time, the only workaround available is to construct the profile using the GUI that’s now available in Jamf Pro v10.26 and later. Following are the steps to configure GlobalProtect Enforcer mobileconfig using the GUI.
1. Once logged in to jamf PRO, navigate to Computers > Configuration Profiles. Select "New" to add configuration profile for GlobalProtect Enforcer.
- Select Content Filter from the options and configure the following values and save the configuration profile.
- FilterName = GlobalProtectEn
- Identifier = com.paloaltonetworks.GlobalProtect.client
- Socket Filter Bundle Identifier = com.paloaltonetworks.GlobalProtect.client.extension
- Socket Filter Designated Requirement = anchor apple generic and identifier "com.paloaltonetworks.GlobalProtect.client.extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77)
- Network Filter Bundle Identifier = com.paloaltonetworks.GlobalProtect.client.extension
- Network Filter Designated Requirement = anchor apple generic and identifier "com.paloaltonetworks.GlobalProtect.client.extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77)
Verify Configuration Profiles:
- Successfully deployed GlobalProtect configuration profiles on macOS will create one or more of following network interfaces under System Preferences >> Network as shown below:
- GloblaProtectDo: Network interface for GlobalProtect Domain
- GloblaProtectAp: Network interface for GlobalProtect Application
- GloblaProtectEn: Network interface for GlobalProtect Enforcer
- GloblaProtectDn: Network interface for GlobalProtect DNS
- Once GlobalProtect VPN tunnel is established network interfaces become active, connected or running, as shown below:
Steps for Adding a Configuration Profile to remove System Extensions on macOS Monterey 12 Endpoints:
- Apple introduced a new feature available from macOS Monterey 12 where system extensions can be removed through a configuration profile pushed from Jamf Pro. The system will not pop up a dialog box to enter Admin password while uninstalling GlobalProtect application via terminal command
- Due to several bugs present in the initial versions, this works with macOS Monterey 12.2.1 endpoints
- Additional information: https://developer.apple.com/documentation/devicemanagement/systemextensions