We purchased GlobalProtect recently. Getting our final configs tested on Mac and eventually it will replace Ivanti Secure Access. One deal-breaker for us has been this specific pop-up that I can't track down.
“VPN is trying to modify your system settings….”
I have a PPPC profile payload deployed for com.paloaltonetworks.GlobalProtect.client
Can't figure this out. What “System Settings” is “VPN” trying to access?
I’ve been using GlobalProtect on macOS for over 6 years, and I wish I could give you advice, but I’ve not seen that one before. Anything approval-wise always states that it’s GlobalProtect and never the generic “VPN”. Which MDM is this, and what method are you using to deploy? (App, script, installer, etc.)
Good luck. They have pretty bad macOS support and documentation. Best bet is to use/filter log stream/show and hunt down what's being triggered. Also, that looks like the built-in macOS network or VPN icon; typically GP uses its own app…?
Worst of all with GlobalProtect is that if your company is in Europe or global, it can’t be used on an IPv6-only network (if the ISP only supplies public IPv6 addresses and no IPv4), then it won’t work.
I'm deploying a Content Filter per their docs (see below), as well as the usual profiles for the System Extension, Notifications, Managed Login Items, and TCC/PPPC. I don't have a traditional “VPN” payload anywhere.
I have 2 entries in the Content Filter payload, and it looks like this:
Requirement: anchor apple generic and identifier "com.paloaltonetworks.GlobalProtect.client.extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77)
That’s what I was thinking, too. But I don't have any standard macOS VPN payloads/profiles installed. And the VPN icon doesn’t appear in the System Settings app > Network pane as a valid interface etc. like I would expect.
Besides a Filter profile and the usual PPPC, SEXT profiles, I also have a config file that I regenerate via script at deployment time (/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist). It basically just contains the VPN appliance entry (FQDN hostname). Example:
As someone who maintained GP for 2 different orgs, and 3 different configurations over the last 6 years, and as someone who lost their mother to brain cancer, I respectfully disagree with your perspective.
Woah - I haven’t needed to approve system keychain with admin rights thus far. This would be a nightmare in production because users ignore this stuff and they aren’t local admins either.
This issue is intermittent and I can determine when it’s happening. It only occurs when disconnecting which is odd. Connecting and establishing a tunnel doesn’t prompt.
So you are ONLY sending out PPPC and SysX profiles to endpoints, using the built-in Jamf UI payloads (e.g. nothing custom)?
Are your VPN guys sending down any additional stuff like ADEM? That requires additional profiles, I believe.
Have you tried using log stream/show and filtering/grepping while triggering the prompt to see what's being logged? Usually that will point you in the right direction.
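An added example of the log hunt suggested above, not from any poster in this thread: it narrows the unified log to the daemons that mediate authorization, TCC and network-extension prompts and then filters a saved dump down to GlobalProtect-related lines. The process names, the keyword list and the sample log lines are assumptions and constructed data, not a known cause of the prompt.

```shell
#!/bin/sh
# Added example: hunt the "VPN is trying to modify your system settings"
# prompt in the macOS unified log. The process/subsystem list is an
# assumption about which daemons are involved; widen or narrow it after a
# first look at the output.

# Predicate handed to `log show` / `log stream`.
gp_predicate() {
    printf '%s' 'process == "authd" OR process == "tccd" OR process == "sysextd" OR process == "nesessionmanager" OR process CONTAINS "GlobalProtect" OR subsystem == "com.apple.networkextension"'
}

# Live capture: start this, then trigger the disconnect that shows the prompt.
gp_stream() {
    log stream --info --predicate "$(gp_predicate)"
}

# Look back over the last N minutes (default 5) once the prompt has appeared.
gp_show() {
    log show --last "${1:-5}m" --info --predicate "$(gp_predicate)"
}

# Second pass over saved output on stdin: keep only lines naming the client,
# the vendor, the generic "VPN" label or an authorization decision.
gp_filter_lines() {
    grep -iE 'GlobalProtect|paloalto|VPN|authoriz|system\.preferences'
}

# Constructed sample output (not real log lines) so the filter can be
# exercised offline; two of the four lines should survive.
GP_SAMPLE_LOG='2024-10-15 09:12:01.101 tccd[441] constructed: unrelated entry for Finder
2024-10-15 09:12:01.204 authd[512] constructed: evaluating right for VPN (bundle com.paloaltonetworks.GlobalProtect.client)
2024-10-15 09:12:01.310 nesessionmanager[388] constructed: filter session stopped for com.paloaltonetworks.GlobalProtect.client.extension
2024-10-15 09:12:02.000 sysextd[301] constructed: noise line'

# Number of sample lines the filter keeps.
gp_filter_sample() {
    printf '%s\n' "$GP_SAMPLE_LOG" | gp_filter_lines | wc -l | tr -d ' '
}
```

Run `gp_show 10 | gp_filter_lines` right after the prompt appears; the process column of the surviving lines tells you which daemon raised it and on whose behalf.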
Thanks. My test Macs have 3 filters that appear in the Settings pane. According to the PA docs, I think the filter is required for split tunnel configurations. Not sure how to tweak it.
I discovered that Umbrella may not play nice with GP. So I’m doing more testing without Umbrella in the mix. We know Umbrella is deprecated but it’s taken my colleagues 6+ months to make a decision on a replacement. Finally decided on DNSFilter but we haven’t deployed it yet. So we might have to pivot to prioritizing DNSFilter before we deploy GP (assuming this is the culprit). And then you throw Sequoia into the mix (we are deferring it for 90 days but time is ticking). Are we having fun yet?
GP configs: nothing extraneous. No Apple VPN payloads. Using Jamf Pro. Pretty much followed directions from the PA (outdated and admittedly craptastic) docs. Using the bare minimum of payloads possible. Built them in the Jamf GUI.
I am waiting on a response from the PA admin on our configs.
I can’t figure out the log syntax to get the info that I need.
One fun caveat (probably unrelated): we are still using Cisco Umbrella. We know it’s deprecated but had issues choosing a replacement this summer. Finally decided on DNSFilter but until today we were planning on deploying GP before DNSFilter, but now we decided to push GP last since Umbrella can’t co-exist with GP. So our priority has changed. So I’ll start testing GP again on Macs without Umbrella to see if it’s related or not. The timeline was not my decision. Running Umbrella in October 2024 is ugly and I want to get rid of it. We just found out today that they are not compatible. I haven’t verified if DNSFilter has the same incompatibility with GP or not. Fingers crossed…