>
    Strata Copilot
    Install the Prisma Access Agent
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access Agent
    3. Prisma Access Agent User Guide
    4. Prisma Access Agent for Desktop Devices
    5. Install the Prisma Access Agent
    Download PDF
    Prisma Access Agent

    Install the Prisma Access Agent

    Table of Contents

    Install the Prisma Access Agent

    Learn how to manually install the Prisma Access Agent on your device.
    Where Can I Use This?What Do I Need?
    • Prisma Access Agent
    • Minimum Prisma Access Agent version:
      • 25.1 (macOS and Windows)
      • 25.7 (Linux)
    • macOS, Windows, or Linux desktop devices
    • Check the prerequisites for the supported OS versions
    • Internet access
    If your administrator did not push the Prisma Access Agent to your device using supported mobile device management (MDM) software or an alternative distribution method, you can manually install the Prisma Access Agent on your macOS or Windows devicemacOS, Windows, or Linux device.
    (Prisma Access Agent 25.3.1) (macOS and Windows agents only) To enable Endpoint DLP capabilities with Prisma Access Agent, your administrator must deploy the agent to your device using supported MDM software.
    The Prisma Access Agent and GlobalProtect app can coexist on the same device, but only one of them can connect to Prisma Access. If you need to use the GlobalProtect app after installing the Prisma Access Agent, you will need to switch to the GlobalProtect app.

    Install the Prisma Access Agent (macOS)

    Learn how to manually install, upgrade, and uninstall the Prisma Access Agent on a macOS device.
    To manually install the Prisma Access Agent on your macOS device:
    1. Obtain the Prisma Access Agent package that your administrator provided to you. The package name is in the following format:
      PrismaAccessAgentInstaller_<version>.pkg
    2. In your Downloads folder (or wherever you placed the installation package), open the installation package and follow the prompts to install the Prisma Access Agent.
      1. From the installer, click Continue.
      2. Select the folder for the installation of the Prisma Access Agent and click Continue.
      3. Review the information in the Installation Type page and click Install.
      4. When prompted, enter your User Name and Password, and then click Install Software to begin the installation.
        Alternatively, you can use Touch ID (if it's enabled) to complete this step.
      5. When prompted to allow the installer to access files in the folder where you downloaded the installation package, click OK.
      6. By default, macOS blocks the Prisma Access Agent system extensions. The system or network extensions appear if your administrator configured the Prisma Access Agent with traffic forwarding rules to:
        • Direct network traffic through or outside of the Prisma Access connection.
        • Direct DNS queries for applications and resources through Prisma Access or outside of Prisma Access in addition to network traffic.
        For the Prisma Access Agent to work, you need to enable the system extensions.
        1. Click Open System Settings.
        2. In the Privacy & Security window, click Details for Some system software requires your attention before it can be used.
        3. Enable both PASrv.app apps and click OK.
      7. If your administrator enabled the feature to enforce Prisma Access connections for network access, you will be prompted to add a configuration to filter network content. To proceed, click Allow.
        After you allow this, the Prisma Access Agent will filter and monitor your network connections for security purposes.
      8. When the installation is complete, Close the installer.
      9. If your administrator configured the agent to install the Access Experience app along with the Prisma Access Agent, click OK so that you won't be prompted again.
      10. Click the Prisma Access Agent notifications pop-up to open the Notifications preferences window.
    3. If prompted, enable Prisma Access Agent notifications.
      When the Prisma Access Agent notifications pop-up appears on your desktop, move your cursor over the pop-up and select OptionsAllow.
    4. For the Prisma Access Agent to access data in the Safari browser, you must grant full disk access to the Security Extension and the Prisma Access Agent.
      1. From macOS, select System SettingsPrivacy & SecurityFull Disk Access. Enable Prisma Access Agent and securityExtension from the list of apps.
      2. When prompted, Quit & Reopen the Prisma Access Agent for the changes to take effect.

    Uninstall the Prisma Access Agent (macOS)

    You can uninstall the Prisma Access Agent manually if you no longer need to use it. Keep in mind that by uninstalling the agent, you will no longer have access to your corporate network, and your endpoint won't be protected by your organization's security policies.
    Before you begin, if the administrator enabled anti-tamper protection for the Prisma Access Agent, you must obtain an uninstall one-time password (OTP) from the administrator. If your administrator allowed agent disablement with an OTP, you must obtain the disable agent OTP from them. To uninstall the agent, you must have elevated administrative rights.
    Complete the following steps to uninstall the Prisma Access Agent from the command-line interface.
    1. Disable the Prisma Access Agent by running the following command:
      /Applications/Prisma\ Access\ Agent.app/Contents/Helpers/pacli protect disable
      1. If prompted for a password, enter the Disable Agent OTP.
    2. Run the following command to uninstall the agent:
      /Applications/Prisma\ Access\ Agent.app/Contents/Helpers/uninstaller
    3. If prompted for the password, enter the Uninstall OTP and press Enter to begin the uninstallation of the agent and its extensions.

    Install the Prisma Access Agent (Windows)

    Learn how to manually install, upgrade, and uninstall the Prisma Access Agent on your Windows device.
    To manually install the Prisma Access Agent on your Windows device.
    1. Obtain the Prisma Access Agent package that your administrator provided to you. The package name is in the following format:
      PrismaAccessAgent_x64_<version>.msi
    2. In your Downloads folder (or wherever you placed the installation package), double-click the installation package icon and follow the prompts to install the Prisma Access Agent.
      1. When the setup wizard appears, click Next to continue.
      2. Review the end-user license agreement, select I accept the terms in the License Agreement, and click Next.
      3. Click Install to begin the installation.
      4. When prompted to allow this app to make changes to your device, click Yes.
      5. When the installation is complete, click Finish.
      6. If your administrator configured the agent to install the Access Experience app along with the Prisma Access Agent, click OK so that you won't be prompted again.

    Uninstall the Prisma Access Agent (Windows)

    You can uninstall the Prisma Access Agent manually if you no longer need to use it. Keep in mind that by uninstalling the agent, you will no longer have access to your corporate network, and your endpoint won't be protected by your organization's security policies.
    Before you begin, if the administrator enabled anti-tamper protection for the Prisma Access Agent, you must obtain an uninstall one-time password (OTP) from the administrator. If your administrator allowed agent disablement with an OTP, you must obtain the disable agent OTP from them. To uninstall the agent, you must have elevated administrative rights.
    Complete the following steps to uninstall the Prisma Access Agent:
    1. Disable the Prisma Access Agent.
      1. Run the following command in a Command Prompt window:
        C:/Program Files/Palo Alto\ Networks/Prisma Access Agent/PACli.exe" protect disable
      2. If prompted for a token or OTP, enter the Disable Agent OTP.
    2. Uninstall the Prisma Access Agent.
      • On Windows 11:
        1. Open the Start menu.
        2. Select SettingsAppsInstalled Apps.
        3. Scroll to Prisma Access Agent.
        4. Select More OptionsUninstall.
        5. When prompted to continue with the uninstall, click Yes.
        6. If prompted for a token or OTP, enter the Uninstall OTP.
      • On Windows 10:
        1. Open the Start menu.
        2. Select SettingsAppsApps & Features.
        3. Scroll to Prisma Access Agent.
        4. Select MoreUninstall.
        5. When prompted to continue with the uninstall, click Yes.
        6. If prompted for a token or OTP, enter the Uninstall OTP.

    Install, Manage, and Uninstall the Prisma Access Agent (Linux)

    Learn how to manually install and uninstall the Prisma Access Agent on a Linux device.
    If your administrator did not deploy the Prisma Access Agent to your Linux device, you can install it manually. The Prisma Access Agent installation package uses the portable AppImage format that eliminates dependency conflicts and works across different Linux configurations without requiring package manager modifications. The Prisma Access Agent Linux AppImage encapsulates all agent components and their dependencies as a read-only squashfs file system image that mounts upon execution, ensuring consistent deployment.
    This procedure outlines how to install, verify, upgrade, and uninstall the Prisma Access Agent on a supported Linux distribution.

    Install the Prisma Access Agent on Linux

    Complete the following steps to manually install the Prisma Access Agent on your Linux device.
    Before you begin, complete the relevant preinstall tasks for Prisma Access Agents on Linux.
    1. (All supported Linux distributions except NixOS) Download and install the Prisma Access Agent:
      1. Download the Prisma Access Agent package from your designated download location (provided by your administrator). The package name is in the following format:
        PrismaAccessAgent_<architecture>_<version>.AppImage
        Where:
        • <architecture> identifies the platform architecture (x86_64 or arm64)
        • <version> identifies the current version number of the Prisma Access Agent AppImage
      2. Set the appropriate execute permissions to the Prisma Access Agent package. For example, for Prisma Access Agent version 25.7.0.10 on x86_64, enter the following command:
        sudo chmod 755 ./PrismaAccessAgent_x86_64_25.7.0.10.AppImage
      3. When running any AppImage, it mounts itself to a temporary directory under /tmp/<directory_name>. Therefore, ensure that:
        • The /tmp directory has executable permissions for both user and root accounts
        • Users have read and executable permissions for all files within the /opt/paloaltonetworks/prismaaccessagent directory tree
      4. Install the Prisma Access Agent from the command line.
        sudo -E ./PrismaAccessAgent_<architecture>_<version>.AppImage -i
        The following sample image shows the terminal output showing the successful completion of the agent installation on Ubuntu:
        (Prisma Access Agent 26.2) During installation, the agent detects your desktop environment and installs only the system tray dependencies your environment requires:
        • Gnome — The installer checks for the gnome-shell-extension-appindicator extension and installs it if it is not already present.
        • KDE — The agent uses the native KStatusNotifierItem protocol to render the system tray icon. No additional packages are installed.
        • Other desktop environments — The installer proceeds without installing any UI dependencies and displays the following warning: 
          [WARNING] Unsupported Desktop Environment Detected: <desktop_environment_name>
The Prisma Access Agent is optimized for Gnome and KDE.
On your current environment, the system tray icon and UI pop-ups may not render correctly.
The background agent services will still function as expected.
Do you wish to proceed with the installation? [y/N]:
    2. (NixOS) (Prisma Access Agent 26.2) Download and install the Prisma Access Agent package for NixOS. In addition to the Prisma Access Agent AppImage, NixOS requires a separate installer archive (.tar.gz), which contains the NixOS-specific configuration and installer script.
      Prisma Access Agent integrates with NixOS by defining the AppImage as a custom app package. This process uses the paa_nixos_configuration.nix file and paa_nixos_installer.sh script for system management. The paa_nixos_configuration.nix file declares how NixOS imports the AppImage into its store, defines the PASrv executable as a Systemd service, and integrates the PAGui UI application.
      1. Download the Prisma Access Agent AppImage and NixOS installer archive to the same folder on your computer:
        • PrismaAccessAgent_<architecture>_<version>.AppImage
        • paa_nixos_installer_<version>.tar.gz
      2. Go to the folder containing the installer archive and AppImage and extract the installer archive:
        tar -zxvf paa_nixos_installer_<version>.tar.gz
        After extraction, your folder should contain the following files:
        • PrismaAccessAgent_<architecture>_<version>.AppImage
        • paa_nixos_installer.sh
        • paa_nixos_configuration.nix
      3. Install the Prisma Access Agent using the dedicated NixOS installer script, which integrates the agent declaratively into your system, treating it as a custom package.
        1. Run the NixOS installer script with the install option as a user.
          ./paa_nixos_installer.sh --install
          The script displays installation messages, including steps such as "creating config directories," "copying app image," and "adding PA configuration to the NixOS configuration."
          The installer script will show the following message and prompt the user to enter their sudo user password:
          PrismaAccessAgent for NixOS
[sudo] password for <username>
          The following sample image shows the terminal output showing the successful completion of the NixOS installer script:
        2. Log out and log back into your desktop session. After login, the Prisma Access Agent system tray icon will be visible on your desktop.
    3. (Ubuntu 22 on ARM64) For Prisma Access Agent to function properly on a VM, complete the following steps:
      1. Edit the 50-cloud.init.yaml file:
        sudo nano /etc/netplan/50-cloud-init.yaml
      2. In the YAML file, insert the renderer: NetworkManager statement in the network field and save your changes. For example:
        network:
     ethernets:
          ens160:
               dhcp4: true
     version: 2
     renderer: NetworkManager
      3. To have the YAML changes persist across an instance reboot, create the /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg file with the following content:
        network: {config: disabled}
      4. Apply the change:
        sudo netplan apply
      5. Restart the network manager service:
        sudo systemctl restart NetworkManager.service
    4. (Ubuntu 22.04) Perform a system reboot.

    Verify the Prisma Access Agent Installation and Connectivity

    After installation, confirm that the agent is running, connected, and enforcing security policies as expected.
    1. Check the Prisma Access Agent user interface (UI).
      1. After logging in to your desktop session, the Prisma Access Agent UI should automatically launch.
      2. Log in to Prisma Access using your credentials within the UI.
      3. Confirm that the agent displays a Connected status.
    2. Use the command-line interface (pacli) to check the agent status.
      1. Run the following command to show the status of the agent:
        pacli status
      2. Run the following command to show the status of the tunnel:
        pacli tunnel
      3. Run the following command to view traffic logs and policy enforcement.
        pacli traffic show
      4. Check the Host Information Profile (HIP) status.
        pacli hip status
      5. View HIP notifications.
        pacli hip notification
      6. Test network connectivity and policy enforcement.
        1. Run the following command to verify direct access to a common website, such as google.com.
          curl google.com
        2. Ping a common website such as google.com to verify tunnel connectivity.
          ping google.com
        3. Attempt to access a known blocked site (for example, amazon.com) to confirm policy enforcement.

    Upgrade the Prisma Access Agent on Linux

    Upgrade the Prisma Access Agent to ensure you have the latest features and security updates.
    1. (All supported Linux distributions except NixOS) Upgrade the agent as follows:
      1. Download the new Prisma Access Agent package from your designated download location. The package name is in the following format:
        PrismaAccessAgent_<architecture>_<new-version>.AppImage
      2. Set the appropriate execute permissions to the Prisma Access Agent package. For example:
        sudo chmod 755 ./PrismaAccessAgent_<architecture>_<new-version>.AppImage
      3. Run the following command to upgrade the agent:
        sudo -E ./PrismaAccessAgent_<architecture>_<new-version>.AppImage -u
    2. (NixOS) Upgrade the agent as follows:
      1. Download the new Prisma Access Agent AppImage and NixOS installer archive to the same folder on your computer:
        • PrismaAccessAgent_<architecture>_<new-version>.AppImage
        • paa_nixos_installer_<new-version>.tar.gz
      2. Extract the new installer archive to the same directory as the new Prisma Acess Agent AppImage.
        tar -zxvf paa_nixos_installer_<new-version>.tar.gz
      3. Run the NixOS installer script with the upgrade option as a user.
        ./paa_nixos_installer.sh --upgrade
        The script performs a version check, uninstalls the old agent (without removing your user configurations), and then installs the new agent.
      4. Log out and log back into your desktop session.

    Uninstall the Prisma Access Agent on Linux

    You can uninstall the Prisma Access Agent manually if you no longer need to use it. Keep in mind that by uninstalling the agent, you will no longer have access to your corporate network, and your endpoint won't be protected by your organization's security policies.
    Complete the following steps to uninstall the agent from the Prisma Access Agent command-line interface (pacli).
    1. (All supported Linux distributions except NixOS) Uninstall Prisma Access Agent by completing the following steps.
      1. Run the following command:
        sudo -E ./PrismaAccessAgent_<architecture>_<version>.AppImage -r
      2. Enter your sudo password (user account password) when prompted.
    2. (NixOS) Complete the following steps to remove all Prisma Access Agent components and configurations from your NixOS system, reverting the changes made during installation.
      1. Execute the NixOS installer script with the remove option as a user.
        ./paa_nixos_installer.sh --remove
        The script stops the Prisma Access Agent UI and service, disables and removes the Systemd service configuration, removes soft links, and deletes the AppImage from the installation directory.
      2. Log out and log back into your desktop session.

    © 2026 Palo Alto Networks, Inc. All rights reserved.