We have pre-logon working with our Windows clients and we are now looking into trying this on our macOS clients. There seems to be limited documentation for pre-logon on macOS.
I have been playing around with the plists and am unable to get it to work; we have FileVault disabled.
If anyone has any pointers or could share a working pre-logon plist that would be of great help.
Thanks!
We’ve also got it working.
Same re the config having nothing special, only used the plist to prime the portal address and set ‘pre-logon’.
Other stuff to check from memory:
- Need to ensure the GP app/service can access the private key for the machine certificate (keychain).
- If you’ve got multiple machine certs from the same CA chain on the host, I believe GP randomly selects one at login (as it can’t prompt the user). So only have one cert or ensure all can be accessed by GP (see point above).
- From my understanding, having FileVault on will never work as GP can’t access the cert.
We have it working, and the macOS guy told me he didn’t have to do any special config on the machine. Are your Macs already getting certs from your CA?
Pre-logon VPN can be used to compromise your network if the laptop is stolen.
We had to do this: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkECAS for it to work reliably. We do this via the CLI when we onboard new Macs. Don’t forget, whatever network you have for pre-logon will change for Mac clients. The entire tunnel is torn down and a new one created. With Windows, it reuses the same tunnel. https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-quick-configs/remote-access-vpn-with-pre-logon.html
> I believe GP randomly selects one at login (as it can’t prompt the user)

GP Portal/Gateway will send a list with expected CAs (based on the certificate profile configured) and the GP client will narrow down the choice. Yes, if you have multiple certificates signed with the same CA it is not clear which cert it will select.
MDM wipe to the laptop will prevent that. Also, for pre-logon, we only allow a few apps. Just enough to manage the endpoint.
Sure, if they have the user info and you aren't running MFA on the login screen.
> We do this via the CLI when we onboard new Macs
Two year thread necro here, but I was hoping you could share some info on how you’re adjusting the private key security via CLI. I know that you can add an app to the list on cert import, but I’m not sure how to adjust an existing cert without the GUI.
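The keychain side of this can be scripted with Apple's `security` tool. The script below is an added example written for this thread, not code from any poster or from Palo Alto Networks: it wraps the two operations that matter for pre-logon (import a machine identity with the GlobalProtect app and its PanGPS service added to the private key's access list, and extend the partition list of a key that is already in the keychain) and adds a check for the "more than one identity from the same CA" problem raised earlier in the thread. The application paths, the System keychain path, the `TEAMID` placeholder and the dry-run switch are assumptions; verify them against the host before running. It is written so that with `DRY_RUN=1` it only prints the commands it would run, which is also how the constructed test exercises it on a non-macOS box.

```shell
#!/bin/sh
# Added example: keychain ACL setup for a GlobalProtect machine certificate on macOS.
# Not code from the thread or from Palo Alto Networks. Paths are assumptions.
GP_APP="/Applications/GlobalProtect.app"
GP_SVC="/Applications/GlobalProtect.app/Contents/Resources/PanGPS"
SYS_KC="/Library/Keychains/System.keychain"

# Print the command line, then execute it unless DRY_RUN=1.
# Printing first leaves an audit trail of exactly what was changed.
run() {
  printf '%s\n' "$*"
  [ "${DRY_RUN:-0}" = "1" ] || "$@"
}

# Import a PKCS#12 bundle into the System keychain. Each -T adds an application
# that may use the private key without a GUI prompt, which is what pre-logon
# needs because there is no logged-in user to click "Allow".
# $1 = path to .p12, $2 = its passphrase (visible in `ps` while running; keep
# the onboarding session local to the machine).
import_machine_cert() {
  run security import "$1" -k "$SYS_KC" -P "$2" -T "$GP_APP" -T "$GP_SVC"
}

# For a key already in the keychain, extend its partition list instead of
# re-importing. "apple:" covers Apple-signed tools; "teamid:<TEAMID>" is the
# placeholder for the signing Team ID of the client you are authorising
# (an assumption here; read it from the app's signature with `codesign -dv`).
# $1 = key label as shown by `security find-identity`, $2 = keychain password.
grant_existing_key() {
  run security set-key-partition-list -S "apple:,teamid:TEAMID" -s -l "$1" -k "$2" "$SYS_KC"
}

# Count client identities in `security find-identity -v -p ssl-client` output
# read from stdin. Each identity line looks like:  1) <40 hex> "label"
# More than one identity chained to the same CA means GP may pick either.
count_client_identities() {
  grep -cE '^ *[0-9]+\) [0-9A-Fa-f]{40} "' || true
}

# Usage on the Mac (as root):
#   DRY_RUN=1 ./gp-keychain.sh import /path/machine.p12 'passphrase'   # preview
#   ./gp-keychain.sh import /path/machine.p12 'passphrase'
#   security find-identity -v -p ssl-client "$SYS_KC" | ./gp-keychain.sh count
case "${1:-}" in
  import) import_machine_cert "$2" "$3" ;;
  grant)  grant_existing_key "$2" "$3" ;;
  count)  count_client_identities ;;
esac
```

The dry-run output is worth keeping in the onboarding log, since the access list on the private key is the thing that silently breaks pre-logon when it is missing and nothing on the login screen tells you why.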
No it won’t lol, there are videos on YouTube of people hijacking TPM to get access to the domain. “Enough to manage the endpoint” gives complete domain access
Plus you can revoke the certificate if a laptop is stolen.
It’s a pre-logon connection to your network and should be considered the same as if someone plugs a random device into your network.