Deploy App Settings Transparently

End-of-Life (EoL)

As an alternative to deploying app settings from the portal configuration, you can define them directly from the Windows Registry, global macOS plist, or—on Windows endpoints only—using the Windows Installer (Msiexec). The benefit is that it enables deployment of GlobalProtect app settings to endpoints prior to their first connection to the GlobalProtect portal.
Some settings do not have a corresponding portal configuration setting on the web interface and must be configured using the Windows Registry, Msiexec, or macOS plist. These settings are listed in the Customizable App Settings as “Not in portal.”
Settings defined in the portal configuration always override settings defined in the Windows Registry or macOS plist. If you define settings in the registry or plist, but the portal configuration specifies different settings, the settings that the app receives from the portal override the settings defined on the endpoint. This override also applies to login-related settings, such as whether to connect on-demand, whether to use single sign-on (SSO), and whether the app can connect if the portal certificate is invalid. Therefore, you should avoid conflicting settings. In addition, the portal configuration is cached on the endpoint, and that cached configuration is used anytime the GlobalProtect app restarts or the endpoint reboots.
The following sections describe what customizable app settings are available and how to deploy these settings transparently to Windows and macOS endpoints:
In addition to using the Windows Registry and macOS plist to deploy GlobalProtect app settings, you can enable the GlobalProtect app to collect specific Windows Registry or macOS plist information from the endpoints, including data on applications installed on the endpoints, processes running on the endpoints, and attributes or properties of those applications and processes. You can then monitor the data and add it to a security rule to use as matching criteria. Endpoint traffic that matches the registry settings you define can be enforced according to the security rule. Additionally, you can set up custom checks to Collect Application and Process Data From Endpoints.