Silent deployment of GlobalProtect without auto launch?

mwineke
L1 Bithead

I am deploying Global Protect agent 4.0.0-90, but it auto launches after installation.

I'd like it to be entirely silent. No auto launch.

Is there a flag I've not seen for this?


Accepted Solutions
vsys_remo
Cyber Elite

Do you need to do this on corporate computers or for external BYOD computers?
I assume this autostart is to get all the additional configurations from the portal right at the beginning ... but I understand your problem. We now simply live with this login window after installation. Because we use SSO this login is not that big an issue.

I have now read the documentation again and found something that may be worth a try (requires the use of GP SSO on computers where you/your company controls the software installations):
With the msiexec installation method try to set SSO to enabled and in addition set the option for prompting for credentials when SSO fails to false.
https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprot...


All Replies
mwineke
L1 Bithead

Under macOS, I have two options. Either remove the KeepAlive and RunAtLoad keys from the ...pangpa.plist LaunchAgent (essentially disabling the auto launch, but leaving the enabled plist in place), or remove that LaunchAgent entirely.

Since it does not auto launch until login, then deployment scripting can handle that fairly easily.

Issuing two defaults commands to remove the keys, or replace the keys, is quick and seemingly painless.

As the prepopulation of the server address is actually working under macOS, this is acceptable.

Not so easy on the Windows side though, as it both fails to prepopulate the server address from the registry on first launch and auto launches upon successful install. :P
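
As an added example (not part of the original post and not Palo Alto Networks code), the key removal described above can also be scripted with Python's `plistlib` instead of `defaults`. The plist path is supplied by the caller, and the agent label and program path in the sample are constructed placeholders.

```python
import os
import plistlib
import tempfile

AUTOLAUNCH_KEYS = ("KeepAlive", "RunAtLoad")  # the two keys named in the post


def strip_autolaunch_keys(plist_path, keys=AUTOLAUNCH_KEYS):
    """Remove auto-launch keys from a LaunchAgent plist; return the keys removed."""
    with open(plist_path, "rb") as fh:
        agent = plistlib.load(fh)  # reads both XML and binary plists
    removed = [k for k in keys if k in agent]
    if not removed:
        return []  # already clean: leave the file untouched
    for k in removed:
        del agent[k]
    # Write beside the original and rename, so a half-written plist is never visible.
    mode = os.stat(plist_path).st_mode & 0o777
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(plist_path)))
    try:
        with os.fdopen(fd, "wb") as fh:
            plistlib.dump(agent, fh, fmt=plistlib.FMT_XML)
        os.chmod(tmp, mode)  # keep the original permissions
        os.replace(tmp, plist_path)
    except BaseException:
        os.unlink(tmp)
        raise
    return removed


def demo():
    # Constructed sample LaunchAgent; label and program path are placeholders.
    sample = {
        "Label": "com.example.vpnagent",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/Example"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample-agent.plist")
        with open(path, "wb") as fh:
            plistlib.dump(sample, fh)
        first = strip_autolaunch_keys(path)
        second = strip_autolaunch_keys(path)  # second run is a no-op
        with open(path, "rb") as fh:
            remaining = plistlib.load(fh)
    return first, second, remaining


if __name__ == "__main__":
    print(demo())
```

launchd reads the plist when the agent is loaded, so the change applies from the next load (for example, the next login) rather than to an agent that is already running.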

mwineke
L1 Bithead

Short of input from fellow Global Protect deployment techs, I've found one way to pre-populate the portal field. Though quite a bit more involved and resource intensive, it "looks" fairly straightforward:

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-predefine-Global-Protect-portal-addr...

Anyone have any experience otherwise?

mwineke
L1 Bithead

Nope. My found solution didn't work. Still comes up blank after push install. :P

mwineke
L1 Bithead

Will give it a try. Thanks vsys_remo. :)

mwineke
L1 Bithead

Still no luck. Came up blank.

<Edit: Bah! I set the use-sso to yes in the msi. I did not try using the msiexec command. Will try...>

This is for enterprise deployment to the organization owned and managed endpoints.

Our end users don't want to be notified of anything that doesn't specifically pertain to them, and they also freak out when something unusual happens (like an unknown software product demands their attention).

Typically, our deployments are entirely silent. Nothing pops up on their screens unexpectedly telling them something is going to happen, or has happened. An unknown (to them) software product popping up asking for an unknown portal address, to connect to who knows what for an unknown purpose is likely to generate many Help Desk calls.

Ideally, the software is deployed silently, and it's there waiting for them to either use it, or not. We're actually fine with the portal address not being populated, but the autolaunch is more problematic.

mwineke
L1 Bithead

Okay. I was able to pre-populate the Portal address (using the MSI editor Orca instructions I posted previously), and in combination with CANCHANGEPORTAL="no", it now pops up with the login window (which has a "Cancel" button. Yay!).

The autolaunch is still undesirable, but at least it's not asking for a portal address the user would not necessarily know, with only a "Connect" button.

Progress!

I did try pushing a reg delete for the auto launch, but that does not appear to work.

vsys_remo
Cyber Elite

Did you try with the options I mentioned?

mwineke
L1 Bithead

Yep. Still auto launches after install.
