ADEM software version downgrades automatically when the GlobalProtect user reboots the endpoint

Created On 10/27/22 21:00 PM - Last Modified 01/28/25 20:54 PM


Symptom


  • The ADEM version is downgraded upon machine reboot and upgraded to the latest version upon user logon, even though the user had the latest ADEM version installed prior to the reboot.
  • For example:
    • A user has GlobalProtect Software Application 6.0.3 installed/running on the endpoint.
    • When GlobalProtect 6.0.3 is installed, ADEM software 3.0.12 (default) is installed, and ADEM then automatically upgrades to the latest version available, e.g. 3.2.4.
    • However, when the user reboots the machine, the ADEM software is seen to be downgraded to 3.0.12 for the first few minutes and then upgraded back to the latest version, e.g. 3.2.4.
    • This cycle repeats upon every reboot of the endpoint with GP installed.


Environment


  • Prisma Access - Mobile Users
  • Supported PAN-OS
  • ADEM (Autonomous Digital Experience Management)
  • GlobalProtect


Cause


  • When using the pre-logon connection method, the end user's machine makes an initial connection to the portal and gateway upon reboot to get agent configurations as the pre-logon user.
  • If the pre-logon agent config does not have ADEM enabled, the existing ADEM software on the user's machine will be uninstalled.
  • When the user logs in with credentials, a new connection is made to the portal and gateway, and the agent config is downloaded.
  • Since this agent config has ADEM enabled, ADEM is then installed on the user's machine with the GP-compatible version and later upgrades automatically.


Resolution


  1. Enable Autonomous DEM endpoint agent for Prisma Access (Windows & Mac Only).
  2. This can be done under GUI: Network > GlobalProtect > GlobalProtect_Portal > Agent > Prelogon configuration > App tab
  3. In the App tab, set "Enable Autonomous DEM and GlobalProtect App Log Collection for Troubleshooting" to Yes 
  4. This enables the GlobalProtect app to use the certificate created to authenticate to the DEM service.
Ref: Enable ADEM in Panorama Managed Prisma Access for Mobile Users


Additional Information


  • ADEM is enabled by default.
  • To allow users to disable ADEM, select "Install and user can enable/disable agent from GlobalProtect".
  • Once enabled, end users can use this GlobalProtect configuration to pause/resume monitoring.
  • If users disable the ADEM agent, they will continue to be online, but the agent will pause the monitoring and no synthetic tests will be conducted.

