Deploy the GlobalProtect VPN on macOS using Microsoft Intune: Updated Guide

It’s been over two years since I last wrote about deploying the Palo Alto Networks GlobalProtect app on macOS via Microsoft Intune. In the world of MDM and Apple security, two years is an eternity.

Back in 2022, we relied heavily on Kernel Extensions (KEXTs) and the “Extensions” profile template in Intune. However, as of August 2024, Microsoft officially deprecated the legacy macOS System Extension template. Apple has also shifted its stance, pushing developers and admins toward System Extensions and Network Extensions via the Settings Catalog.

If you are seeing “System Extension Blocked” alerts on your macOS 26 or Sequoia endpoints, or if your old Intune profiles are failing to apply to new enrollments, this guide is for you.

What Has Changed?

The core shift is technical but impactful for admins:

  1. Deprecation of Templates: You can no longer create new policies using the old “Extensions” template in the Intune UI.
  2. The Settings Catalog Era: All new configuration payloads (System Extensions, Network Extensions, and Web Content Filtering) must now be configured via the Settings Catalog.
  3. App Gatekeeper & Full Disk Access: Modern macOS versions are stricter about background processes. We now need to explicitly grant “Full Disk Access” and “Service Management” permissions to prevent users from being prompted for admin credentials.

Follow the steps below to configure and deploy the GlobalProtect app on your macOS devices:

Preparing the GlobalProtect PKG
  • Before touching Intune, ensure you have the GlobalProtect.pkg from your support representative.
  • Navigate to the Microsoft Intune Admin Center at https://intune.microsoft.com and log in with the administrator credentials for Intune.
  • Select Apps -> macOS and then click Create.
  • From the Select app type dropdown menu, select macOS app (PKG) and click Select.
  • Click “Select app package file“, upload the GlobalProtect package file from your computer, and click OK.
  • Fill in the App Information tab:
    • Publisher as Palo Alto Networks,
    • Enter additional information as required,
    • Click Next.
  • In the Program tab, enter the following pre-install script, which runs before the GlobalProtect app is installed.
    • Update the script first to set the portal FQDN, the connect method and whether the default browser is to be used for authentication, as required.
#!/bin/bash
## Description: Checks for the global preferences file and populates
## it with the default portal if needed.
## Body ###########################################################
## Declare Variables ##############################################

# Edit these three values before uploading the script.
portal="PORTAL_FQDN_HERE"      # placeholder: replace with your portal FQDN
connect_method="on-demand"     # on-demand | always-on
default_browser="no"           # yes | no

# Get current console user (informational only; not used below)
active_user=$( stat -f "%Su" /dev/console )

# Global Prefs File
gPrefs=/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist

## Logic ##########################################################

# Check to see if the global preference file already exists...
if [[ -e "$gPrefs" ]]; then
    echo "Default global portal already exists. Skipping."
    exit 0
fi

echo "Setting default GP portal to: ${portal}"

# If it does not already exist, create it and populate the default portal
# (unquoted heredoc so the variables above are substituted into the plist)
cat > "$gPrefs" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Palo Alto Networks</key>
    <dict>
        <key>GlobalProtect</key>
        <dict>
            <key>PanSetup</key>
            <dict>
                <key>Portal</key>
                <string>${portal}</string>
            </dict>
            <key>Settings</key>
            <dict>
                <key>connect-method</key>
                <string>${connect_method}</string>
                <key>default-browser</key>
                <string>${default_browser}</string>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
EOF
rc=$?
echo "Plist write status: $rc"

# Kill the preference caching daemon to prevent it from overwriting the new file with a stale copy
killall cfprefsd
echo "cfprefsd restart status: $?"

# Exit with the status of the plist write so Intune sees a failed write as a failed pre-install
exit $rc
  • On the next screen, select the minimum operating system required to install the GlobalProtect app and click Next.
  • In the Detection rules tab, set Ignore app version to NO and click Next.
  • Assign the app to required user groups and click Next.
  • Review the app summary and click Create.
  • Wait for the .pkg file to be uploaded before proceeding.
Configure the System Extension:

To ensure GlobalProtect operates correctly on macOS, you need to:

  1. Enable system extensions – This gives GlobalProtect the OS-level permissions it needs
  2. Approve network connection filters – Allows the app to manage network traffic
  3. Provide full disk access rights – Ensures complete functionality

These configurations allow GlobalProtect to integrate directly with macOS, enabling it to deliver comprehensive network security and access control features. Without these permissions, the application cannot perform its core protective functions.

This is the most critical change. Instead of the old template, follow these steps:

  • Sign in to the Microsoft Intune admin center.
  • Go to Devices > macOS > Configuration profiles > Create > New Policy.
  • Platform: macOS | Profile type: Settings catalog > Create
  • Enter a name & description for the profile & click Next.
  • In the Configuration settings tab, click Add settings and search for System Extensions.
  • Add the following settings:
    • Allowed System Extensions:
      • Team Identifier: PXPZ95SK77 (Palo Alto Networks ID)
    • Allowed System Extension Types: com.paloaltonetworks.GlobalProtect.client.extension
  • Repeat the same step for the Removable System Extensions.
  • Click Next.
  • Assign the profile to the required device group and click Create.
Configure Web Content Filtering:

Now we need to create the profile for enforcing network access to GlobalProtect. Repeat the first three steps from the previous section to create a new profile using the Settings Catalog.

  • Create new profile for web content filtering:
  • In the Configuration settings tab, click Add settings and search for Web Content Filtering:
  • Add the following settings:
    • Filter Data Provider Bundle Identifier
    • Filter Data Provider Designated Requirement
    • Filter Grade
    • Filter Packet Provider Bundle Identifier
    • Filter Packet Provider Designated Requirement
    • Filter Packets
    • Filter Sockets
    • Filter Type
    • Plugin Bundle ID
  • Close the settings panel and configure the selected settings with the data below:
    • Filter Data Provider Bundle Identifier:
      • com.paloaltonetworks.GlobalProtect.client.extension
    • Filter Data Provider Designated Requirement:
      • anchor apple generic and identifier "com.paloaltonetworks.GlobalProtect.client.extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77)
    • Filter Grade:
      • firewall
    • Filter Packet Provider Bundle Identifier:
      • com.paloaltonetworks.GlobalProtect.client.extension
    • Filter Packet Provider Designated Requirement:
      • anchor apple generic and identifier "com.paloaltonetworks.GlobalProtect.client.extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77)
    • Filter Packets:
      • True
    • Filter Sockets:
      • True
    • Filter Type:
      • Plug-In
    • Plugin Bundle ID:
      • com.paloaltonetworks.GlobalProtect.client
  • Click Next and assign the profile to the same device group that you used in the previous step.
Configure Full Disk Access:

Follow the steps below to grant full disk access to the GlobalProtect app.

  • Create new profile for full disk access
  • In the Configuration settings tab, click Add settings and search for Privacy
  • Select the “System Policy with All Files” checkbox and then close the settings panel.
  • Click Edit instance and enter the following values in the Privacy Preferences Policy Control panel:
    • Allowed: True
    • Authorization: not required; click (-) to remove it (this sets it to “not configured”)
    • Code Requirement: anchor apple generic and identifier "com.paloaltonetworks.GlobalProtect.client.extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77)
    • Identifier: PXPZ95SK77
    • Identifier Type: bundle ID
    • Static Code: False
  • Click Next & then Create to create the profile.
  • Assign the profile to the same device group as used in previous steps.
Verifying the Deployment at the End-User Level

Once you have assigned your profiles to your Device Groups, you need to verify that the macOS endpoint has actually “swallowed” the configurations.

  • Web Content Filter Profile
  • System Extensions Profile
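One way to check this from the endpoint side, as an added example that is not part of the original post: the script below parses the output of `systemextensionsctl list` for the GlobalProtect extension row and confirms the portal plist written by the pre-install script exists. It assumes the team ID PXPZ95SK77, the extension bundle ID and the plist path used in the profiles above; the sample `systemextensionsctl` output is constructed for offline use.

```shell
#!/bin/bash
# Verification helper (added example, not from the original post). Assumes the
# team ID and extension bundle ID used in the profiles above.
GP_TEAM="PXPZ95SK77"
GP_EXT="com.paloaltonetworks.GlobalProtect.client.extension"
GP_PREFS="/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist"

# Reads `systemextensionsctl list` output on stdin and prints the bracketed
# state of the GlobalProtect extension (e.g. "activated enabled"), or
# "missing" when no row for that team ID + bundle ID exists.
gp_ext_state() {
    awk -v team="$GP_TEAM" -v ext="$GP_EXT" '
        $0 ~ team && $0 ~ ext && match($0, /\[[a-z ]*\]/) {
            print substr($0, RSTART + 1, RLENGTH - 2); found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# Returns 0 only when the extension is fully activated/enabled AND the portal
# plist written by the pre-install script is present; otherwise prints why.
# Usage: gp_verify "<systemextensionsctl list output>" "<plist path>"
gp_verify() {
    state=$(printf '%s\n' "$1" | gp_ext_state)
    if [ "$state" != "activated enabled" ]; then
        echo "FAIL: extension state is '$state' (check the System Extensions profile)"
        return 1
    fi
    if [ ! -f "$2" ]; then
        echo "FAIL: $2 not found (pre-install script did not run)"
        return 1
    fi
    echo "OK: extension $state, portal prefs present"
}

# Constructed sample output (real output is tab separated; the parser does not care).
SAMPLE_OK='1 extension(s)
--- com.apple.system_extension.network_extension
enabled  active  teamID  bundleID (version)  name  [state]
*  *  PXPZ95SK77  com.paloaltonetworks.GlobalProtect.client.extension (6.2.0/1)  GlobalProtect Extension  [activated enabled]'
SAMPLE_WAITING='1 extension(s)
--- com.apple.system_extension.network_extension
enabled  active  teamID  bundleID (version)  name  [state]
      PXPZ95SK77  com.paloaltonetworks.GlobalProtect.client.extension (6.2.0/1)  GlobalProtect Extension  [activated waiting for user]'

# Live check on a macOS endpoint; skipped on other systems where the tool is absent.
if command -v systemextensionsctl >/dev/null 2>&1; then
    gp_verify "$(systemextensionsctl list 2>/dev/null)" "$GP_PREFS"
fi
```

A state of "activated waiting for user" means the System Extensions profile has not reached the device (or the team ID does not match), since the user is being asked to approve the extension manually.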

Conclusion

The deployment of the GlobalProtect VPN on macOS devices through Microsoft Intune has been streamlined to enhance user experience and security. By utilizing the Settings Catalog, administrators can efficiently create a profile that consolidates the necessary System and Network Extension payloads. This approach not only simplifies the configuration process but also ensures that the Palo Alto Networks GlobalProtect application operates seamlessly without causing disruptions to end-users. Ultimately, this updated guide facilitates more effective management of macOS devices within enterprise environments.

Categories: Intune, macOS
