GP 6.1 for Mac not prompting for domain login unless GP 5.10 was previously installed



To start with a little history. Our fleet was all Monterey and running GP 5.10. As we prepared for Ventura, we first pushed out GP 6.1 to the Monterey systems. Then they upgraded to Ventura and everything has been fine. That is for pre-existing machines. Here is where we are struggling.

 

On new devices with Ventura installed, we are trying to deliver GP 6.1.  It installs fine but the user is never prompted to authenticate with our identity provider (Azure).  The GP menu will display an error and then state "Retrieving portal configuration..." indefinitely.  The user is never prompted for cloud identity credentials.

 

However, if I uninstall GP 6.1 and install GP 5.10, then the identity provider prompt is displayed, the user is able to authenticate, and the VPN connection is made.  Once the initial connection with 5.10 is complete, I can immediately upgrade to 6.1 and the connection will establish.  

 

On initial installation (before signing in), both com.paloaltonetworks.GlobalProtect.settings.plist and com.paloaltonetworks.GlobalProtect.client.plist show the same default values regardless of installed version. However, I did notice that only when installing version 5.10 do I get a ServerCert.pan file in /Users/<the_user>/Library/Application\ Support/PaloAltoNetworks/GlobalProtect.

 

Any hints on how to make version 6.1 work without first installing version 5.10?  I see that 6.2 is available and I've requested it from the GP team (don't have it yet).  We've been getting around this by delivering 5.10 to the machines, letting the users establish their first connection, and then upgrading them to 6.1.  Ideally, I would like to simplify the deployment.

 

The Macs are managed by an MDM and we have one profile that contains the Content Filter, PPPC, and System Extension payloads.  A second profile delivers the URL in a custom application payload.  The settings are:

 

<dict>
    <key>PanPortalList</key>
    <array>
        <string>host.server.domain</string>
    </array>
    <key>user-credential-saved</key>
    <string>true</string>
</dict>

 

Anyone else experiencing the same issue?  Any suggestions on what to try to allow version 6.1 to work without first installing version 5.10?

 

 
