Silent deployment of GlobalProtect without auto launch?


L1 Bithead

I am deploying Global Protect agent 4.0.0-90, but it auto launches after installation.

I'd like it to be entirely silent. No auto launch.

 

Is there a flag I've not seen for this?

Accepted Solutions

Do you need to do this on corporate computers or for external BYOD computers?
I assume this autostart is to get all the additional configurations from the portal right at the beginning ... but I understand your problem. We now simply live with this login window after installation. Because we use SSO this login is not that big an issue.

I have now read again the documentation and found something that may be worth a try (requires the use of GP SSO on computers where you/your company controls the software installations):
With the msiexec installation method, try to set SSO to enabled and in addition set the option for prompting for credentials when SSO fails to false.
https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprot...

L1 Bithead

Under macOS, I have two options. Either remove the KeepAlive and RunAtLoad keys from the ...pangpa.plist LaunchAgent (essentially disabling the auto launch, but leaving the enabled plist in place), or remove that LaunchAgent entirely.

 

Since it does not auto launch until login, then deployment scripting can handle that fairly easily.

Issuing two defaults commands to remove the keys, or replace the keys, is quick and seemingly painless. 

As the prepopulation of the server address is actually working under macOS, this is acceptable.

Not so easy on the Windows side though, as it both fails to prepopulate the server address from the registry on first launch and auto launches upon successful install. 😛

Short of input from fellow Global Protect deployment techs, I've found one way to pre-populate the portal field. Though quite a bit more involved and resource intensive, it "looks" fairly straightforward:

 

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-predefine-Global-Protect-portal-addr...

 

Anyone have any experience otherwise?

Nope. My found solution didn't work. Still comes up blank after push install. 😛

 

Will give it a try. Thanks vsys_remo. 🙂

Still no luck. Came up blank.

<Edit: Bah! I set the use-sso to yes in the msi. I did not try using the msiexec command. Will try...> 

 

This is for enterprise deployment to the organization owned and managed endpoints. 

Our end users don't want to be notified of anything that doesn't specifically pertain to them, and they also freak out when something unusual happens (like an unknown software product demands their attention). 

 

Typically, our deployments are entirely silent. Nothing pops up on their screens unexpectedly telling them something is going to happen, or has happened. An unknown (to them) software product popping up asking for an unknown portal address, to connect to who knows what for an unknown purpose is likely to generate many Help Desk calls.

 

Ideally, the software is deployed silently, and it's there waiting for them to either use it, or not. We're actually fine with the portal address not being populated, but the autolaunch is more problematic. 

Okay. I was able to pre-populate the Portal address (using the MSI editor Orca instructions I posted previously), and in combination with CANCHANGEPORTAL="no", it now pops up with the login window (which has a "Cancel" button. Yay!).

 

The autolaunch is still undesirable, but at least it's not asking for a portal address the user would not necessarily know, with only a "Connect" button.

 

Progress!

 

I did try pushing a reg delete for the auto launch, but that does not appear to work. 

Did you try with the options I mentioned?

Yep. Still auto launches after install.

It does work! I had a typo in the "prompting for credentials" bit. Whew! Thanks, vsys_remo!

 

 

L0 Member

Turning off prompting for credentials when SSO fails seems really problematic to me.  It is not uncommon for the default credential provider to get switched from GP back to Windows, in which case GP will just fail to bring up the VPN if prompting is turned off.  I guess I can kludge a way to turn it off for installation, then turn it back on again afterward, but it would really be better if there were just an MSI property that would stop the Agent from launching on installation.

L1 Bithead

Combination of PORTAL and CONNECTMETHOD public properties worked for me with a GlobalProtect 4.1 install.

 

msiexec.exe /i GlobalProtect-4.1.4.msi /quiet PORTAL="vpn.acme.com" CONNECTMETHOD="on-demand"

Installs silently, does not auto-launch/auto-connect to the defined portal after silent install. Tested against GlobalProtect 4.1.4.
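
A deployment wrapper around the command in the post above, as an added example that is not part of the original thread and is not vendor tooling: it checks the MSI's Authenticode signature before installing, passes the same PORTAL and CONNECTMETHOD properties with a verbose log, and reports whether the agent process started. The file paths, the log location and the `PanGPA` process name are assumptions.

```powershell
# Added example: silent GlobalProtect install for managed endpoints.
# PORTAL and CONNECTMETHOD are the MSI properties quoted in the post above.
# Paths and the portal name below are placeholders for your environment.
param(
    [string]$MsiPath = 'C:\Deploy\GlobalProtect-4.1.4.msi',
    [string]$Portal  = 'vpn.acme.com',
    [string]$LogPath = "$env:ProgramData\Deploy\GlobalProtect-install.log"
)
$ErrorActionPreference = 'Stop'

# 1. Refuse to install a package that is unsigned or whose signature is invalid.
#    The installer runs elevated, so a tampered MSI on the share is a real risk.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for $MsiPath : $($sig.Status)"
}
# Record the signer so it can be compared against the publisher you expect.
Write-Output "Signed by: $($sig.SignerCertificate.Subject)"

# 2. Silent install, no forced reboot, verbose MSI log for troubleshooting.
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
$msiArgs = @(
    '/i', "`"$MsiPath`"",
    '/quiet', '/norestart',
    '/l*v', "`"$LogPath`"",
    "PORTAL=`"$Portal`"",
    'CONNECTMETHOD="on-demand"'
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 3. Windows Installer exit codes: 0 = success, 3010 = success, reboot required.
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath"
}

# 4. Report whether the agent process started after the install.
#    'PanGPA' as the agent process name is an assumption; adjust if yours differs.
Start-Sleep -Seconds 15
$agent = Get-Process -Name 'PanGPA' -ErrorAction SilentlyContinue
if ($agent) {
    Write-Warning "Agent process is running (PID $($agent.Id -join ', ')); check whether a window was shown."
} else {
    Write-Output 'Agent process not running after install.'
}
exit $proc.ExitCode
```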
