Deploy GlobalProtect (Palo Alto) VPN to macOS using Intune

In last week’s post on deploying Cisco AnyConnect VPN to macOS, I received a request to publish a similar guide for deploying Palo Alto’s VPN to corporate macOS devices. So, at the request of Mieszko Ślusarczyk, this article is an exhaustive guide to installing and configuring GlobalProtect VPN on your managed macOS devices.


GlobalProtect VPN

GlobalProtect is Palo Alto Networks’ VPN solution, which delivers the capabilities of their Security Operating Platform to remote workers and mobile devices. It provides excellent protection for network connections and in-depth visibility into who is accessing an organization’s network. GlobalProtect establishes a secure SSL or IPsec VPN connection between users and the network.

The GlobalProtect app software runs on endpoints and enables access to your network resources through the GlobalProtect portals and gateways you have deployed. The GlobalProtect app for Windows and macOS endpoints is deployed from the GlobalProtect portal. You can configure the app’s behaviour—for example, which tabs the users can see—in the client configuration(s) you define on the portal. See Define the GlobalProtect Agent Configurations, Customize the GlobalProtect App, and Deploy the GlobalProtect App Software for details.

Illustration to show how the GlobalProtect portals, gateways, and apps work together to enable secure access for all your users, regardless of what endpoints they are using or where they are located.

Licenses

You do not need a GlobalProtect license to use GlobalProtect as a secure remote access or virtual private network (VPN) solution via one or more internal/external gateways. However, you need to buy an annual GlobalProtect Gateway license to access more sophisticated features (such as HIP checks and the related content updates, support for the GlobalProtect mobile app, or IPv6 support). This license must be installed on each firewall that hosts a gateway that:

  • Supports the GlobalProtect app for mobile endpoints
  • Supports the GlobalProtect app for Linux endpoints
  • Provides IPv6 connections
  • Splits tunnel traffic based on the destination domain, application process name, or HTTP/HTTPS video streaming application
  • Supports identification of managed devices using the endpoint’s serial number on gateways
  • Enforces GlobalProtect connections with FQDN exclusions

For GlobalProtect Clientless VPN, you must also install a GlobalProtect Gateway license on the firewall that hosts the Clientless VPN from the GlobalProtect portal. You also need the GlobalProtect Clientless VPN dynamic updates to use this feature.

For detailed information on licensing, refer to the Palo Alto Networks documentation: Palo Alto Licenses


Download and Install the GlobalProtect App

You must download and install the GlobalProtect app on your macOS endpoint before you can join the GlobalProtect network. You should always download the app directly from a GlobalProtect portal within your organization. Because of this, you will not find any direct download link for the GP app on the Palo Alto Networks website.

To download the installer, ask your administrator for the IP address or FQDN of the GlobalProtect site. Your administrator should also confirm the username and password you can use to log into the portal and gateways. You usually connect to your company network using the same username and password.

Follow these steps to download the app:

  • Log in to the GlobalProtect portal with your admin credentials
  • Navigate to the app download page and download the latest package for macOS
  • Save the installer to your disk

Enable System Extensions

Apple has restricted support for kernel extensions from macOS 10.15.4 onward, so GlobalProtect now uses system extensions instead of kernel extensions. In addition to allowing the system extension, you must also allow network extensions to suppress the Network Extensions Configuration pop-up prompts that may otherwise appear for the Split Tunnel and Enforce GlobalProtect Connections for Network Access features.

Use the following steps to create a configuration profile that approves the system extension automatically:

  • Navigate to Devices -> macOS -> Configuration Profiles and select Create profile
  • From the profile type dropdown, select Templates -> Extensions
  • In Basics, enter a name and description that match the purpose of the profile
  • Under Allowed system extensions, add an entry with the Team identifier “PXPZ95SK77” and the Bundle identifier “com.paloaltonetworks.GlobalProtect.client.extension”
  • Under Allowed system extension types, add a line that allows team identifier “PXPZ95SK77” to provide “Network extensions”
  • Next, review the profile and assign it to the required group

This is how the configuration profile should look:


Pre-populate GlobalProtect App Settings

We will use a shell script that pre-populates GlobalProtect app settings, such as the default portal address and connection method, by writing the app’s global preferences file.

  • Select Devices > macOS > Shell scripts > Add.
  • In Basics, enter the name and description and click Next.
  • In Script settings, upload the script below and configure the parameters as follows:
    • Run script as signed-in user: No
    • Hide script notifications on devices: Not configured
    • Script frequency: Not configured
    • Max number of times to retry if script fails: 3 times
  • Assign the script to your device group.

#!/bin/bash
## Description: Checks for the GlobalProtect global preferences file and
## populates it with the default portal and connect method if needed.
## Replace your.portal.here.com with your organization's portal FQDN.
## Body ###########################################################
## Declare Variables ##############################################

# Get current console user (only used for logging here)
active_user=$( stat -f "%Su" /dev/console )

# Global preferences file read by the GlobalProtect app
gPrefs=/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist

# Default portal to pre-populate
portal="your.portal.here.com"

## Logic ##########################################################

# Check to see if the global preference file already exists...
if [[ -e "$gPrefs" ]]; then
    echo "Default global portal already exists (console user: ${active_user}). Skipping."
    exit 0
fi

echo "Setting default global portal to: ${portal}"
# If it does not already exist, create it and populate the default portal
# (Prelogon disabled, connect-method on-demand) using a here-document.
cat > "$gPrefs" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Palo Alto Networks</key>
  <dict>
    <key>GlobalProtect</key>
    <dict>
      <key>PanSetup</key>
      <dict>
        <key>Portal</key>
        <string>${portal}</string>
        <key>Prelogon</key>
        <string>0</string>
      </dict>
      <key>Settings</key>
      <dict>
        <key>connect-method</key>
        <string>on-demand</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
EOF
status=$?
echo "Preference file write exit code: ${status}"

# Kill the preference caching daemon so it does not overwrite the new file with cached values
killall cfprefsd
echo "cfprefsd restart exit code: $?"

# Exit with the status of the file write so Intune reports a failed write.
exit $status
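As an added example that is not part of the original post or of Palo Alto’s software, the following Python script builds the same settings plist the deployment script writes and validates one read back from a device (portal, connect method and the key nesting), so a misconfigured or partially written file shows up as a finding. The portal name vpn.example.com is a constructed placeholder.

```python
#!/usr/bin/env python3
"""Build and validate the GlobalProtect global settings plist (added example)."""
import plistlib

# Path the deployment script writes on macOS; this example works in memory only.
GP_SETTINGS_PATH = "/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist"


def build_gp_settings(portal: str, connect_method: str = "on-demand",
                      prelogon: str = "0") -> bytes:
    """Return XML plist bytes with the Palo Alto Networks > GlobalProtect layout."""
    payload = {
        "Palo Alto Networks": {
            "GlobalProtect": {
                "PanSetup": {"Portal": portal, "Prelogon": prelogon},
                "Settings": {"connect-method": connect_method},
            }
        }
    }
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML)


def check_gp_settings(data: bytes, expected_portal: str,
                      expected_method: str = "on-demand") -> list:
    """Parse a settings plist and return a list of findings (empty means compliant).

    Handles the failure modes a post-deployment check cares about: an unparseable
    file, missing nesting, a wrong portal, and an unexpected connect method.
    """
    try:
        root = plistlib.loads(data)
    except Exception as exc:  # InvalidFileException or an XML parse error
        return [f"unparseable plist: {exc}"]
    gp = root.get("Palo Alto Networks", {}).get("GlobalProtect")
    if not isinstance(gp, dict):
        return ["missing 'Palo Alto Networks' > 'GlobalProtect' dictionary"]
    findings = []
    setup = gp.get("PanSetup", {})
    portal = setup.get("Portal")
    if portal != expected_portal:
        findings.append(f"portal is {portal!r}, expected {expected_portal!r}")
    method = gp.get("Settings", {}).get("connect-method")
    if method != expected_method:
        findings.append(f"connect-method is {method!r}, expected {expected_method!r}")
    return findings


if __name__ == "__main__":
    blob = build_gp_settings("vpn.example.com")  # constructed placeholder portal
    print(blob.decode())
    print("findings:", check_gp_settings(blob, "vpn.example.com"))
```

On a device you would pass the bytes read from GP_SETTINGS_PATH instead of the constructed blob.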


Enable 2FA for Remote Access VPN

To access a GlobalProtect portal or gateway configured for two-factor authentication, the end user must authenticate successfully through both an authentication profile and a certificate profile. This means that client certificates must be pre-deployed to the endpoints before their initial portal connection, and each user’s client certificate must also meet the requirements specified in the certificate profile.

  • If the certificate profile does not specify a username field (Username Field is set to None), the client certificate does not require a username. In this case, the user must provide (manually) the username when authenticating against the authentication profile.
  • If the certificate profile specifies a username field, the certificate the user presents must contain a username in the corresponding field. If you do not want to force users to authenticate with a username from the certificate, do not specify a username field in the certificate profile.

The following options are available for configuring 2FA for remote access VPN:

  • Enable Two-Factor Authentication Using Certificate and Authentication Profiles
  • Enable Two-Factor Authentication Using One-Time Passwords (OTPs)
  • Enable Two-Factor Authentication Using Smart Cards
  • Enable Two-Factor Authentication Using a Software Token Application

You must have a conversation with the team managing VPN solutions in your organization to choose and configure the best option.

However, since you are deploying the GlobalProtect VPN solution to your company’s macOS devices, I would say that the best and easiest method for enabling 2FA will be to use certificates and authentication profiles.


Deploy Global Protect Package

  • Log in to the Intune portal
  • Select Apps > All apps > Add
  • In the Select app type pane, under the Other app types, select macOS LoB.
  • In the App package file pane, select the browse button. Then, select the GlobalProtect VPN installer that you downloaded previously. The app details will be displayed.
  • Once done, deploy the app to your device group

End User Experience

Please note that installing GlobalProtect requires an automated logout and restart of your Mac.

  • Once you have rebooted the Mac and logged in, the GlobalProtect Sign-In window should appear. Enter your corporate domain username and password and click the “Sign In” button to establish the VPN connection. 

If you have multiple profiles/gateways, you might see a list/dropdown to select the profile. Select the correct profile and click connect.

And it’s connected!

Winding Up

I hope this post helps you configure and deploy the GlobalProtect VPN client to your managed macOS devices with ease.

Please leave feedback and comments below if you liked it.