Providing GlobalProtect portal address via macOS configuration profile on macOS Sonoma
2024-7-29 03:35:47 Author: derflounder.wordpress.com

One of the limitations of Palo Alto’s GlobalProtect VPN client on macOS is that it’s not currently possible to natively provide the GlobalProtect VPN portal address using a macOS configuration profile. Instead, the GlobalProtect VPN client is looking for the portal address in a com.paloaltonetworks.GlobalProtect.settings.plist file, which is stored in the /Library/Preferences directory. However, with some work, it is possible to use a profile to provide the portal address information to the GlobalProtect VPN client. For more details, please see below the jump.

This method relies on the capability of a macOS configuration profile to create files in the following location:

/Library/Managed Preferences

With this capability, it’s possible to set up a profile which provides the GlobalProtect portal address to a plist file within the /Library/Managed Preferences directory. In turn, this allows a script to read from that plist file and provide the correct information for the GlobalProtect portal to the /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist file which GlobalProtect uses for its settings.

As an example, if the GlobalProtect portal address is globalprotect.portal.address.goes.here, you can set up and install a profile like the one shown below:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
    <key>PayloadUUID</key>
    <string>B0CBB3F2-D092-4B3D-A261-81F19050C56B</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadOrganization</key>
    <string>Company Name</string>
    <key>PayloadIdentifier</key>
    <string>B0CBB3F2-D092-4B3D-A261-81F19050C56B</string>
    <key>PayloadDisplayName</key>
    <string>Palo Alto GlobalProtect Portal Address</string>
    <key>PayloadDescription</key>
    <string />
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadEnabled</key>
    <true />
    <key>PayloadRemovalDisallowed</key>
    <true />
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDisplayName</key>
            <string>Custom Settings</string>
            <key>PayloadIdentifier</key>
            <string>DA29D66E-134E-4A03-BAA0-1DD42B555C1E</string>
            <key>PayloadOrganization</key>
            <string>Company Name</string>
            <key>PayloadType</key>
            <string>com.apple.ManagedClient.preferences</string>
            <key>PayloadUUID</key>
            <string>DA29D66E-134E-4A03-BAA0-1DD42B555C1E</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadContent</key>
            <dict>
                <key>com.paloalto.globalprotect.portal.address</key>
                <dict>
                    <key>Forced</key>
                    <array>
                        <dict>
                            <key>mcx_preference_settings</key>
                            <dict>
                                <key>PortalAddress</key>
                                <string>globalprotect.portal.address.goes.here</string>
                            </dict>
                        </dict>
                    </array>
                </dict>
            </dict>
        </dict>
    </array>
</dict>
</plist>

Once the profile is installed, a com.paloalto.globalprotect.portal.address.plist file will be created in the /Library/Managed Preferences directory, containing the PortalAddress key and value taken from the profile's mcx_preference_settings dictionary.

From there, a script like the one shown below can read the GlobalProtect portal address information stored in the /Library/Managed Preferences/com.paloalto.globalprotect.portal.address.plist file:


#!/bin/bash
# This script uses PlistBuddy to create a configuration plist for Palo Alto GlobalProtect
# using information provided by a macOS configuration profile, as GlobalProtect does not
# appear to be able to natively use a profile for management.
# It writes to /Library/Preferences, so it must run as root (for example from a management tool).
# Original script by Chad Brewer:
# https://www.jamf.com/jamf-nation/discussions/10198/anyone-deployed-palo-alto-globalprotect#responseChild196652

exitCode=0
plistBuddy="/usr/libexec/PlistBuddy"
GPplistFile="/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist"
PortalAddressFile="/Library/Managed Preferences/com.paloalto.globalprotect.portal.address.plist"

if [[ -f "$PortalAddressFile" ]]; then
    # Get GlobalProtect portal address from /Library/Managed Preferences/com.paloalto.globalprotect.portal.address.plist,
    # which is created by a properly configured macOS configuration profile being installed.
    PortalAddress=$(/usr/bin/defaults read "$PortalAddressFile" PortalAddress)

    # Do not wipe a working settings file if the managed value is empty or unreadable
    if [[ -z "$PortalAddress" ]]; then
        echo "ERROR: PortalAddress key in $PortalAddressFile is empty or could not be read."
        exit 1
    fi

    # Remove existing GlobalProtect preferences file
    if [[ -f "$GPplistFile" ]]; then
        echo "Removing existing GlobalProtect prefs file"
        /usr/bin/defaults delete "$GPplistFile"
        /bin/rm -f "$GPplistFile"
    fi

    # Create new GlobalProtect preferences file
    # (PlistBuddy reports that the file does not exist; the add commands below create and populate it)
    "$plistBuddy" -c "print : 'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal'" "$GPplistFile"

    # Write GlobalProtect portal address information to GlobalProtect preferences file
    "$plistBuddy" -c "add :'Palo Alto Networks' dict" "$GPplistFile"
    "$plistBuddy" -c "add :'Palo Alto Networks':'GlobalProtect' dict" "$GPplistFile"
    "$plistBuddy" -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup' dict" "$GPplistFile"
    "$plistBuddy" -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Portal' string '${PortalAddress}'" "$GPplistFile"
    "$plistBuddy" -c "add :'Palo Alto Networks':'GlobalProtect':'PanSetup':'Prelogon' integer 1" "$GPplistFile"
else
    echo "ERROR: $PortalAddressFile not found. Unable to set GlobalProtect portal address in $GPplistFile."
    exitCode=1
fi

exit "$exitCode"

That script in turn will set up GlobalProtect’s /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist file with the portal address stored under Palo Alto Networks > GlobalProtect > PanSetup > Portal, alongside a Prelogon value of 1.
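As an added post-install check that is not part of the post or of the GlobalProtect client, the Python below (standard-library plistlib only, so it needs neither PlistBuddy nor defaults) reads the profile-created managed preference, confirms that the settings file the script wrote carries the same portal address, and reports any drift. It assumes the two file paths used in the post and that the Forced payload places PortalAddress at the top level of the managed preferences plist; run_demo() exercises the check on constructed sample files in a temporary directory.

```python
import plistlib
import tempfile
from pathlib import Path

# Paths used by the profile and the script in the post; both are overridable for testing.
MANAGED_PREF = Path("/Library/Managed Preferences/com.paloalto.globalprotect.portal.address.plist")
GP_SETTINGS = Path("/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist")

def managed_portal_address(path=MANAGED_PREF):
    """PortalAddress delivered by the profile's Forced mcx_preference_settings, or None if absent."""
    if not Path(path).is_file():
        return None
    with open(path, "rb") as fh:
        value = plistlib.load(fh).get("PortalAddress")  # plistlib reads XML and binary plists
    return value.strip() if isinstance(value, str) and value.strip() else None

def build_gp_settings(portal, prelogon=1):
    """Same nesting the PlistBuddy script writes: Palo Alto Networks > GlobalProtect > PanSetup."""
    return {"Palo Alto Networks": {"GlobalProtect": {"PanSetup": {"Portal": portal, "Prelogon": prelogon}}}}

def verify_gp_settings(managed_path=MANAGED_PREF, gp_path=GP_SETTINGS):
    """Return (ok, message); ok only when PanSetup:Portal equals the managed PortalAddress."""
    expected = managed_portal_address(managed_path)
    if expected is None:
        return False, f"no PortalAddress in {managed_path} (profile not installed?)"
    if not Path(gp_path).is_file():
        return False, f"{gp_path} missing (script has not run?)"
    with open(gp_path, "rb") as fh:
        data = plistlib.load(fh)
    try:
        actual = data["Palo Alto Networks"]["GlobalProtect"]["PanSetup"]["Portal"]
    except (KeyError, TypeError):
        return False, "PanSetup:Portal key missing from GlobalProtect settings"
    if actual != expected:
        return False, f"portal mismatch: managed={expected!r} settings={actual!r}"
    return True, f"portal {expected!r} matches managed preference"

def run_demo(portal="globalprotect.portal.address.goes.here"):
    """Offline walk-through on constructed files: managed pref -> settings -> verify, then drift."""
    with tempfile.TemporaryDirectory() as tmp:
        managed, gp = Path(tmp) / "managed.plist", Path(tmp) / "settings.plist"
        with open(managed, "wb") as fh:          # constructed stand-in for the profile-created file
            plistlib.dump({"PortalAddress": portal}, fh)
        with open(gp, "wb") as fh:               # what the script's PlistBuddy add commands produce
            plistlib.dump(build_gp_settings(managed_portal_address(managed)), fh)
        ok_before = verify_gp_settings(managed, gp)[0]
        with open(gp, "wb") as fh:               # settings file drifted away from the managed value
            plistlib.dump(build_gp_settings("some.other.portal.example"), fh)
        return ok_before, verify_gp_settings(managed, gp)[0]
```

On a managed Mac, verify_gp_settings() with its default paths is usable as a one-line audit after the profile and script have been deployed.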


Article source: https://derflounder.wordpress.com/2024/07/28/providing-globalprotect-portal-address-via-macos-configuration-profile-on-macos-sonoma/