https://live.paloaltonetworks.com/t5/globalprotect-discussions/default-browser-setting-lost-after-auto-update/m-p/1002823#M6340 <P>Hi everyone,<BR /><BR />I recently migrated our implementation over to using SAML for our on-demand VPN users, and due to issues with our IDP/auth method and the embedded browser on Windows (namely that we use many smart cards for auth, and the embedded browser/edge view seems to constantly "remember" the wrong cert, which users cannot easily clear), I have the portal configured to use the system default browser for SAML authentication, as well as deploying clients with the the msi flag/plist value to set this on-install. This has been working as-expected so far.<BR /><BR />Last night I initiated the first minimum-version update (from 6.2.3 to 6.2.6) since the SAML transition, then came in this morning to a pile of tickets due to many users getting the auto-update and getting reverted back to using the embedded browser and failing to authenticate with their smart cards (issue I mentioned above). Is there any way to have this setting be preserved when the client is updated by the VPN head-end firewall automatically?</P> Fri, 10 Jan 2025 19:17:05 GMT brandonellis 2025-01-10T19:17:05Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/default-browser-setting-lost-after-auto-update/m-p/1002823#M6340 <P>Hi everyone,<BR /><BR />I recently migrated our implementation over to using SAML for our on-demand VPN users, and due to issues with our IDP/auth method and the embedded browser on Windows (namely that we use many smart cards for auth, and the embedded browser/edge view seems to constantly "remember" the wrong cert, which users cannot easily clear), I have the portal configured to use the system default browser for SAML authentication, as well as deploying clients with the the msi flag/plist value to set this on-install. This has been working as-expected so far.<BR /><BR />Last night I initiated the first minimum-version update (from 6.2.3 to 6.2.6) since the SAML transition, then came in this morning to a pile of tickets due to many users getting the auto-update and getting reverted back to using the embedded browser and failing to authenticate with their smart cards (issue I mentioned above). Is there any way to have this setting be preserved when the client is updated by the VPN head-end firewall automatically?</P> Fri, 10 Jan 2025 19:17:05 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/default-browser-setting-lost-after-auto-update/m-p/1002823#M6340 brandonellis 2025-01-10T19:17:05Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/default-browser-setting-lost-after-auto-update/m-p/1002835#M6341 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/77216">@brandonellis</a>,</P> <P>Two things to check:</P> <P>1) Do you have the use-default-browser option enabled for client-auth in your Portal/Gateway configuration?</P> <P>2) Do you have the 'Use Default Browser for SAML Authentication' enabled in your agent app configuration?</P> <P>&nbsp;</P> <P>It <EM>sounds </EM>like you don't have the actual app config set to utilize the default browser as part of your client configuration. That would explain why it worked until you pushed out an update where what you set during the install will be overwritten by what's defined in the app configuration. </P> Fri, 10 Jan 2025 19:38:48 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/default-browser-setting-lost-after-auto-update/m-p/1002835#M6341 BPry 2025-01-10T19:38:48Z