Starting to test GP on Sonoma and Ventura Mac laptops. I followed the guide for installing/configuring with Jamf (extensions, filters, approvals, notifications, TCC/PPPC, Login Items, etc.) and I am connected to the VPN fine. My team still has final decisions to make before production, but at least I can play around with the product a bit while we make final tweaks.
I’m seeing a few odd things that I can’t figure out:
1. Is a VPN payload even required? The GP docs imply a VPN payload is only required when using split-tunnels. Is this correct? The URL and basic settings live in /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist anyway, right?
2. I can connect via GP fine with no issues, but anytime I disconnect I am prompted to authenticate with my local account. Here’s the weird part: even if I don’t authenticate, it still disconnects anyway. Thoughts on why I am prompted to disconnect?
3. What exactly is “Transparent Proxy” that I see in the macOS Network pane? Is it part of the main GP DNS Proxy payload, or some other component? I already see “DNS proxy” listed in the macOS Network pane. Are there 2 proxies?
4. When I look at the macOS Network pane, all of my extensions are locked from end-user tampering (as expected) - except for ONE extension - the “Transparent Proxy” mentioned in #3 above. For some reason I am able to toggle this one manually (see screenshot).
5. Why are the core settings in /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist not managed in an MDM profile?
6. I’ll be migrating from Ivanti to GP. Can both VPNs live side-by-side temporarily? I’d prefer to remove Ivanti before deploying GP, but my team doesn’t want to do this (they want to make sure users have a VPN available in case the migration is problematic).
Any help is appreciated.