How to configure Certificate only authentication for GlobalProtect client on Cloud managed Prisma Access or Strata Cloud Manager
Created On 05/22/23 05:35 AM - Last Modified 04/05/24 19:13 PM


Objective


  • The GlobalProtect client connecting to the Prisma Access gateway is configured for Always-On mode with certificate-based authentication. This is achieved with an authentication profile that uses the "Local Users OR Client Certificate" option.
  • After the device is rebooted, users always have to open the app and tap the 'Connect' button to initiate GlobalProtect instead of the app connecting automatically.
  • When they do, the "Enter Login credentials" prompt for the portal is displayed.
  • The logs indicate an initial client certificate access failure.
  • This means the portal is not configured for "cert only" authentication before the user unlocks the phone.
  • While an iOS device is locked, access to the certificate store is blocked, which causes the failure.
  • To overcome this issue, configure the portal for client certificate only authentication.
  • This article provides guidance on configuring certificate-based authentication for iOS devices on Cloud Managed Prisma Access or Prisma Access managed through SCM (Strata Cloud Manager).
Note: When the Always-On connect method is deployed for iOS devices, seamless authentication can only succeed with certificate-based authentication.
Note: The authentication method is set to "Local Users" because the "None" option is not available. There is no need to create local users: this setting has no significance here and the profile uses certificate-based authentication.

[Screenshot: Cloud Managed Prisma Access authentication profile]

[Screenshot: Panorama authentication profile, with "None" available as an option]

Environment


  • Cloud Managed Prisma Access
  • Strata Cloud Manager
  • GlobalProtect app version 5.2 and above
  • Always-On connect method
  • iOS version 15 and above


Procedure


  1. Configure authentication profiles for all devices other than iOS devices, or change the user authentication order so that no authentication profile matches an iOS device.
GUI: SCM > Workflows > Prisma Access setup > GlobalProtect > Infrastructure > User Authentications (for Strata Cloud Manager)
GUI: Prisma Access > Setup > GlobalProtect > Infrastructure > User Authentications (for Cloud Managed Prisma Access)
[Screenshot: Authentication Profiles]
  2. Add a certificate authentication profile for iOS users by clicking "Add Authentication". This profile is the catch-all profile and is not listed under the User Authentications list. It acts as certificate-only authentication, allowing the iOS GlobalProtect client to connect automatically after a reboot.
[Screenshot: Cert Profile]
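The two steps above amount to a profile-ordering rule: every profile in the User Authentications list must be restricted to non-iOS devices, and the unlisted catch-all profile must be certificate-only. The following added example (not code from the article or from Palo Alto Networks) models that rule so the "before" and "after" configurations can be compared for a locked iOS device. The class names, the OS-matching behaviour, the method names and the outcome labels are assumptions made for illustration, not Prisma Access APIs.

```python
"""Model of GlobalProtect portal authentication-profile selection for a locked
iOS device. Added illustration only; not Palo Alto Networks code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthProfile:
    name: str
    methods: frozenset                   # e.g. {"client-cert"} or {"local-users", "client-cert"}
    match_os: frozenset = frozenset()    # empty set: matches every OS (assumed rule)


@dataclass(frozen=True)
class Device:
    os: str
    cert_store_accessible: bool          # False on a locked iOS device right after reboot


def select_profile(user_auth_list, catch_all, device):
    """First listed profile whose OS criteria match the device wins; otherwise
    the unlisted catch-all profile applies (assumed first-match behaviour)."""
    for profile in user_auth_list:
        if not profile.match_os or device.os in profile.match_os:
            return profile
    return catch_all


def connection_outcome(profile, device):
    """What the client sees, given the selected profile and cert-store state."""
    if device.cert_store_accessible and "client-cert" in profile.methods:
        return "connected-with-certificate"
    if "local-users" in profile.methods:
        # The portal falls back to credentials: the user must open the app.
        return "credential-prompt"
    if "client-cert" in profile.methods:
        # Certificate-only profile: no credential fallback, so no prompt;
        # the client connects with the certificate once the store is reachable.
        return "no-credential-prompt"
    return "auth-failed"


def audit_ios(user_auth_list, catch_all):
    """Return the configuration problems that would stop a locked iOS device
    from connecting automatically after a reboot."""
    issues = []
    for profile in user_auth_list:
        if not profile.match_os or "iOS" in profile.match_os:
            issues.append(f"listed profile '{profile.name}' matches iOS; restrict it to other OSes")
    if catch_all.methods != frozenset({"client-cert"}):
        issues.append(f"catch-all profile '{catch_all.name}' is not client-certificate only")
    return issues


# Constructed "before" configuration: a single all-OS profile using
# "Local Users OR Client Certificate", which is the failing setup described above.
_LOCAL_OR_CERT = frozenset({"local-users", "client-cert"})
BEFORE_LIST = [AuthProfile("all-users", _LOCAL_OR_CERT)]
BEFORE_CATCH_ALL = AuthProfile("all-users", _LOCAL_OR_CERT)

# Constructed "after" configuration: listed profile restricted to non-iOS
# operating systems; unlisted certificate-only catch-all for iOS.
AFTER_LIST = [AuthProfile("other-os-local-or-cert", _LOCAL_OR_CERT,
                          match_os=frozenset({"Windows", "macOS", "Android", "Linux"}))]
AFTER_CATCH_ALL = AuthProfile("ios-cert-only", frozenset({"client-cert"}))


if __name__ == "__main__":
    locked_ios = Device("iOS", cert_store_accessible=False)
    for label, lst, catch in (("before", BEFORE_LIST, BEFORE_CATCH_ALL),
                              ("after", AFTER_LIST, AFTER_CATCH_ALL)):
        chosen = select_profile(lst, catch, locked_ios)
        print(label, chosen.name, connection_outcome(chosen, locked_ios), audit_ios(lst, catch))
```

Running the block prints the "before" configuration landing on the credential prompt with audit findings, and the "after" configuration landing on the certificate-only catch-all with an empty finding list; non-iOS devices still get the listed profile.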


Additional Information


See also: How to configure seamless authentication for iOS devices using the Always-On connect method.



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000g1tPCAQ&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail