Issues with GlobalProtect Pre-logon on Mac


L2 Linker

I'm having problems getting pre-logon to work on macOS. There are a number of issues.

- To start with, I can't seem to get the GlobalProtect icon from the login screen after several tries.

- Then, even when I log in to the device and try to connect to GlobalProtect, I get prompted for keychain access so that GlobalProtect can access the machine certificate. I've seen the document that explains how to give GlobalProtect access to keychain so that I don't get this prompt. Even after making those changes, GlobalProtect doesn't attempt to connect from the login screen. It only attempts to connect when I've logged in to the device.

- Another thing I've noticed is, when I look at the GlobalProtect logs for the Mac, I actually see the 'Auth Method' as 'Certificate'. BUT, the source user is the device name (which is defined in the certificate) rather than the 'pre-logon' user which I would expect for pre-logon, before the actual source user.

- GlobalProtect version is 5.2.10. macOS version is Monterey 12.4.

 

Config settings used:

GlobalProtect Portal

- GlobalProtect portal > Authentication

   - Allow authentication with user credentials or client certificate: Yes

   - Certificate profile: None

- GlobalProtect portal > Agent

Config 1

   - Save User credentials: Yes

   - Generate cookie for authentication override: Yes

   - Allow cookie for authentication override: Yes

   - User: pre-logon

   - Connect method: Pre-logon (Always-On)

 

Config 2

   - Save User credentials: Yes

   - Generate cookie for authentication override: Yes

   - Allow cookie for authentication override: Yes

   - User: any

   - Connect method: Pre-logon (Always-On)

 

GlobalProtect Gateway

- GlobalProtect gateway > Authentication

   - Allow authentication with user credentials or client certificate: Yes

   - Certificate profile: <root certificate>

 

Any ideas on what I'm missing?

3 REPLIES

L1 Bithead

We are about to embark on this path. Have you found answers to your problems?

L3 Networker

Came here to say this as we are having the same experience on Mac devices.

 

L0 Member

This is due to a macOS limitation. Check out this Apple Support link to confirm.

VPN deployments supported

iOS, iPadOS, and macOS support the following:

  • VPN On Demand: For networks that use certificate-based authentication. IT policies specify which domains require a VPN connection by using a VPN configuration profile.

  • Per App VPN: For facilitating VPN connections on a much more granular basis. Mobile device management (MDM) solutions can specify a connection for each managed app and specific domains in Safari. This helps ensure that secure data always goes to and from the corporate network—and that a user’s personal data doesn’t.

iOS and iPadOS support the following:

  • Always On VPN: For devices managed through an MDM solution and supervised using Apple Configurator for Mac, Apple School Manager, or Apple Business Manager. Always On VPN eliminates the need for users to turn on VPN to enable protection when connecting to cellular and Wi-Fi networks. It also gives an organization full control over device traffic by tunneling all IP traffic back to the organization. The default exchange of parameters and keys for the subsequent encryption, IKEv2, secures traffic transmission with data encryption. The organization can monitor and filter traffic to and from its devices, secure data within its network, and restrict device access to the internet.

Virtual private network (VPN) security (External Link)
