Which part do you think is conflicting? The Always On on the Google Admin Console and the JSON entry? I opened a TAC case and they are saying that when using SAML there is no way to launch GlobalProtect automatically. I don't get why the limitation is there with SAML. I have tested the Always On setting in the Google Admin console with SAML and it doesn't work because that setting does not allow any internet access until the VPN is connected. I also have tested the Always On Google Admin Console setting via a LDAP service account. I supply the service account's username and password in the JSON values of the app in Google Admin Console. This works but it takes about 30 seconds to a minute for the VPN to connect on the Chromebook and during that 30 seconds to a minute the user has no internet. This is a work around but it is still not a complete solution if you ask me. I wish there was some way via JSON values to tell GlobalProtect to start as soon as it is installed and be Always On without the need to set the Always On setting in the Google Admin console. This is the way it works on Windows via msi package parameters. Wish Palo can get this working on Chrome OS.
... View more