06-23-2022 07:28 AM
I'm having problems getting pre-logon to work on MacOS. There are a number of issues.
- To start with, I can't seem to get the GlobalProtect icon from the login screen after several tries.
- Then, even when I log in to the device and try to connect to GlobalProtect, I get prompted for keychain access so that GlobalProtect can access the machine certificate. I've seen the document that explains how to give GlobalProtect access to keychain so that I don't get this prompt. Even after making those changes, GlobalProtect doesn't attempt to connect from the login screen. It only attempts to connect when I've logged in to the device.
- Another thing I've noticed is, when I look at the GlobalProtect logs for the Mac, I actually see the 'Auth Method' as 'Certificate'. BUT, the source user is the device name (which is defined in the certificate) rather than the 'pre-logon' user which I would expect for pre-logon, before the actual source user.
- GlobalProtect version is 5.2.10. Mac OS version is Monterey 12.4
Config settings used:
GlobalProtect Portal
- GlobalProtect portal > Authentication
  - Allow authentication with user credentials or client certificate: Yes
  - Certificate profile: None
- GlobalProtect portal > Agent
  - Config 1
    - Save User credentials: Yes
    - Generate cookie for authentication override: Yes
    - Allow cookie for authentication override: Yes
    - User: pre-logon
    - Connect method: Pre-logon (Always-On)
  - Config 2
    - Save User credentials: Yes
    - Generate cookie for authentication override: Yes
    - Allow cookie for authentication override: Yes
    - User: any
    - Connect method: Pre-logon (Always-On)
GlobalProtect Gateway
- GlobalProtect gateway > Authentication
  - Allow authentication with user credentials or client certificate: Yes
  - Certificate profile: <root certificate>
Any ideas on what I'm missing?
04-19-2023 10:14 AM
We are about to embark on this path. Have you found answers to your problems?
06-05-2023 10:45 AM
This is due to a MacOS limitation. Check out this Apple Support link to confirm.
iOS, iPadOS, and macOS support the following:
VPN On Demand: For networks that use certificate-based authentication. IT policies specify which domains require a VPN connection by using a VPN configuration profile.
Per App VPN: For facilitating VPN connections on a much more granular basis. Mobile device management (MDM) solutions can specify a connection for each managed app and specific domains in Safari. This helps ensure that secure data always goes to and from the corporate network—and that a user’s personal data doesn’t.
iOS and iPadOS support the following:
Always On VPN: For devices managed through an MDM solution and supervised using Apple Configurator for Mac, Apple School Manager, or Apple Business Manager. Always On VPN eliminates the need for users to turn on VPN to enable protection when connecting to cellular and Wi-Fi networks. It also gives an organization full control over device traffic by tunneling all IP traffic back to the organization. The default exchange of parameters and keys for the subsequent encryption, IKEv2, secures traffic transmission with data encryption. The organization can monitor and filter traffic to and from its devices, secure data within its network, and restrict device access to the internet.
Virtual private network (VPN) security (External Link)