Warning, this is a first post from a newbie user! We are using cloud-managed Prisma Access and have GlobalProtect configured to use machine certificate and Azure SAML authentication for our users. We configured the GlobalProtect App to use pre-logon, always-on access. For most of our users this has worked with no issues.
There is one Windows laptop in a weird situation. This client shows two different connections active at the same time in the Insights > Mobile Users - GlobalProtect > Devices of Connected Users list. One of the logged-on users is the actual user's account, the other is pre-logon.
We think the way this happened is that last week the user established a GP session with his normal account and then, to test what happens when a new user logs in for the first time, did a switch-user logon on the laptop and logged on with a different account. After doing so the user discovered that when he switched back to his normal account session on the laptop, he wasn't able to connect to any internet resources. Neither logging the test user account out of the laptop, refreshing the GP connection from his normal user account, signing out of GP from his normal user account, nor rebooting the laptop fixed his connection problem or removed the duplicate GP connections from the list on Prisma.
He left his laptop powered off over the weekend and tried again this morning. After his first logon using his normal account he experienced the same issue, but then tried a reboot and after that was able to log in and access resources as expected. Prisma still shows two different connections for this laptop.
All of that leads to my question. I figured there has to be a way to force a specific client to disconnect/logout of GlobalProtect from cloud-managed Prisma, but I can't find it. There are documents describing how to do that from Panorama-managed Prisma, but when I look at the equivalent location in the cloud-managed UI there is no logout option. Is it hidden somewhere else, am I (a superuser) lacking some permission, or is forcing GP logouts not possible in cloud-managed Prisma at this time?