https://live.paloaltonetworks.com/t5/globalprotect-discussions/restrict-global-protect-access-to-company-managed-devices/m-p/1227360#M6711 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/59396">@LCMember30141</a>&nbsp;,</P> <P>&nbsp;</P> <P>There are a few ways to go about that in my opinion. I'm sure there are other options as well.</P> <P>&nbsp;</P> <P class="" data-start="331" data-end="530">Use HIP checks.&nbsp; GlobalProtect can collect host information and send it to the firewall. You can create security policies that only allow VPN access if the device meets specific criteria.</P> <P class="" data-start="331" data-end="530">Require a client certificate (issued by your internal CA for example) installed only on managed devices for GlobalProtect authentication.</P> <P class="" data-start="331" data-end="530">Use your MDM to deploy the GlobalProtect app with pre-configured settings and restrict VPN usage only to enrolled devices.</P> <P class="" data-start="331" data-end="530">&nbsp;</P> <P class="" data-start="331" data-end="530">Kind regards,</P> <P class="" data-start="331" data-end="530">-Kim.</P> Thu, 24 Apr 2025 14:28:38 GMT kiwi 2025-04-24T14:28:38Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/restrict-global-protect-access-to-company-managed-devices/m-p/1227269#M6710 <P>What would be the best way to go about restricting Global Protect VPN access to company managed laptops and iPads?</P> Wed, 23 Apr 2025 20:44:50 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/restrict-global-protect-access-to-company-managed-devices/m-p/1227269#M6710 LCMember30141 2025-04-23T20:44:50Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/restrict-global-protect-access-to-company-managed-devices/m-p/1227360#M6711 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/59396">@LCMember30141</a>&nbsp;,</P> <P>&nbsp;</P> <P>There are a few ways to go about that in my opinion. I'm sure there are other options as well.</P> <P>&nbsp;</P> <P class="" data-start="331" data-end="530">Use HIP checks.&nbsp; GlobalProtect can collect host information and send it to the firewall. You can create security policies that only allow VPN access if the device meets specific criteria.</P> <P class="" data-start="331" data-end="530">Require a client certificate (issued by your internal CA for example) installed only on managed devices for GlobalProtect authentication.</P> <P class="" data-start="331" data-end="530">Use your MDM to deploy the GlobalProtect app with pre-configured settings and restrict VPN usage only to enrolled devices.</P> <P class="" data-start="331" data-end="530">&nbsp;</P> <P class="" data-start="331" data-end="530">Kind regards,</P> <P class="" data-start="331" data-end="530">-Kim.</P> Thu, 24 Apr 2025 14:28:38 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/restrict-global-protect-access-to-company-managed-devices/m-p/1227360#M6711 kiwi 2025-04-24T14:28:38Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/restrict-global-protect-access-to-company-managed-devices/m-p/1227557#M6717 <P>Thank you, Kim.&nbsp; I am in the process of setting up the appropriate HIP objects and profiles now.</P> <P>&nbsp;</P> Mon, 28 Apr 2025 13:10:43 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/restrict-global-protect-access-to-company-managed-devices/m-p/1227557#M6717 LCMember30141 2025-04-28T13:10:43Z