topic Issues with GlobalProtect Pre-logon on Mac in GlobalProtect Discussions

Issues with GlobalProtect Pre-logon on Mac

MartinE — Thu, 23 Jun 2022 14:28:43 GMT

I'm having problems getting pre-logon to work on MacOS. There are a number of issues.

- To start with, I can't seem to get the GlobalProtect icon from the login screen after several tries.

- Then, even when I log in to the device and try to connect to GlobalProtect, I get prompted for keychain access so that GlobalProtect can access the machine certificate. I've seen the document that explains how to give GlobalProtect access to keychain so that I don't get this prompt. Even after making those changes, GlobalProtect doesn't attempt to connect from the login screen. It only attempts to connect when I've logged in to the device.

- Another thing I've noticed is, when I look at the GlobalProtect logs for the Mac, I actually see the 'Auth Method' as 'Certificate'. BUT, the source user is the device name (which is defined in the certificate) rather than the 'pre-logon' user which I would expect for pre-logon, before the actual source user.

- GlobalProtect version is 5.2.10. Mac OS version is Monterey 12.4

Config settings used:

GlobalProtect Portal

- GlobalProtect portal > Authentication

- Allow authentication with user credentials or client certificate: Yes

- Certificate profile: None

- GlobalProtect portal > Agent

Config 1

- Save User credentials: Yes

- Generate cookie for authentication override: Yes

- Allow cookie for authentication override: Yes

- User: pre-logon

- Connect method: Pre-logon (Always-On)

Config 2

- Save User credentials: Yes

- Generate cookie for authentication override: Yes

- Allow cookie for authentication override: Yes

- User: any

- Connect method: Pre-logon (Always-On)

GlobalProtect Gateway

- GlobalProtect gateway > Authentication

- Allow authentication with user credentials or client certificate: Yes

- Certificate profile: <root certificate>

Any ideas on what I'm missing?

Re: Issues with GlobalProtect Pre-logon on Mac

giapperreault — Wed, 19 Apr 2023 17:14:11 GMT

We are about to embark on this path. Have you found answers to your problems?

Re: Issues with GlobalProtect Pre-logon on Mac

eumbach — Thu, 01 Jun 2023 19:42:19 GMT

Came here to say this as we are having the same experience on MAC devices.

Re: Issues with GlobalProtect Pre-logon on Mac

mishelton — Mon, 05 Jun 2023 17:45:03 GMT

This is due to a MacOS limitation. Check out this Apple Support link to confirm.

VPN deployments supported

iOS, iPadOS, and macOS support the following:

VPN On Demand: For networks that use certificate-based authentication. IT policies specify which domains require a VPN connection by using a VPN configuration profile.
Per App VPN: For facilitating VPN connections on a much more granular basis. Mobile device management (MDM) solutions can specify a connection for each managed app and specific domains in Safari. This helps ensure that secure data always goes to and from the corporate network—and that a user’s personal data doesn’t.

iOS and iPadOS support the following:

Always On VPN: For devices managed through an MDM solution and supervised using Apple Configurator for Mac, Apple School Manager, or Apple Business Manager. Always On VPN eliminates the need for users to turn on VPN to enable protection when connecting to cellular and Wi-Fi networks. It also gives an organization full control over device traffic by tunneling all IP traffic back to the organization. The default exchange of parameters and keys for the subsequent encryption, IKEv2, secures traffic transmission with data encryption. The organization can monitor and filter traffic to and from its devices, secure data within its network, and restrict device access to the internet.

Virtual private network (VPN) security (External Link)