VPN Client and Extension Issue

I'm running into a strange issue that I can't figure out... I'm a bit new to macOS so I'm trying to figure out what I'm doing wrong. I'm using an MDM (Microsoft Intune) to install the GlobalProtect VPN 6.2 client to connect to a corporate network. Here's the situation:

  • macOS 12.6.7 Monterey
  • Managed w/ Intune and supervised through ABM
  • GlobalProtect 6.2 VPN client
  • System Extension installs successfully
  • Team ID + SysEx Type are permitted via MDM and appear to be OK

When I go to perform the installation, it appears to succeed, and the GP system extension appears to install successfully. When issuing the "systemextensionsctl list" command, the GP system extension shows [activated enabled]. When I try to connect to the VPN gateway, in the VPN client logs I see: "Error (604): failed to send ipc data: system ext not connected."

During the installation of the VPN client, I see the following in the Console log when streaming the console logs from taskgated-helper:

  com.paloaltonetworks.GlobalProtect.client: Unsatisfied entitlements: com.apple.security.application-groups
  Disallowing: com.paloaltonetworks.GlobalProtect.client

The subsystem for both is "com.apple.ManagedClient".

Any ideas? I'm pretty stuck.

Replies

I'm not sure if you're doing the development here on the product or if you are setting up the MDM environment and testing out the installation of the product? However, regarding this error:

When I try to connect to the VPN gateway, in the VPN client logs I see: "Error (604): failed to send ipc data: system ext not connected."

Console log when streaming the console logs from taskgated-helper:

  com.paloaltonetworks.GlobalProtect.client: Unsatisfied entitlements: com.apple.security.application-groups
  Disallowing: com.paloaltonetworks.GlobalProtect.client

A couple of things could be happening here:

  1. There could be a configuration issue here, possibly with how the Network System Extension is set up, and that's what this log is describing: that the Security Group for com.paloaltonetworks.GlobalProtect.client is not set up correctly. Now, this is something that is in your control and you can test out if you are the Developer.

  2. If you are not the Developer of this product and you are just testing out the MDM environment, then there may be a Notarization problem taking place. Did you Notarize your App before testing this out with MDM? If not, you'll want to check that out here.

  3. Lastly, I always like to ask about this in these situations: if you are the Developer of this app, are you installing the Network System Extension with an actual UI container app? If you are not, and you are installing this through MDM with a daemon installing the Network System Extension, then that could cause issues too. If you are installing via MDM, make sure that you install the container app and the container app walks the user through installing the Network System Extension. That way the System Extension is in a good state for activation and uninstallation. I have seen issues when a Network System Extension is uninstalled or updated due to it being installed from a Daemon.
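One way to check the first point above on the managed Mac, added here as an example and not code from the thread or from Palo Alto Networks: pull the entitlements of the container app and of the system extension bundle and confirm they declare a common com.apple.security.application-groups value (the entitlement taskgated-helper reports as unsatisfied). The `codesign -d --entitlements :-` form is assumed for macOS 12, the bundle paths are assumed, and the sample plists use placeholder team IDs.

```shell
# Added diagnostic (not from the thread or Palo Alto Networks): check that the app and
# its system extension share a com.apple.security.application-groups entitlement value.

# Print each <string> under the application-groups key of an entitlements plist
# read from stdin; prints nothing when the key is absent.
app_groups() {
    awk '
        /<key>com\.apple\.security\.application-groups<\/key>/ {
            want = 1; sub(/.*application-groups<\/key>/, "")
        }
        want {
            line = $0
            while (match(line, /<string>[^<]*<\/string>/)) {
                print substr(line, RSTART + 8, RLENGTH - 17)
                line = substr(line, RSTART + RLENGTH)
            }
            if ($0 ~ /<\/array>/) exit   # end of the group list
        }'
}

# Return 0 (printing the group) if the two plists share an app group, else 1.
share_app_group() {
    a=$(printf '%s\n' "$1" | app_groups)
    b=$(printf '%s\n' "$2" | app_groups)
    for g in $a; do for h in $b; do
        [ "$g" = "$h" ] && { echo "shared app group: $g"; return 0; }
    done; done
    echo "no shared app group (app: ${a:-none}; sysext: ${b:-none})" >&2
    return 1
}
# Constructed sample entitlements with placeholder team IDs, not real values.
APP_PLIST='<plist version="1.0"><dict>
  <key>com.apple.security.application-groups</key>
  <array><string>TEAMID12AB.com.example.vpn</string></array>
</dict></plist>'
EXT_PLIST='<plist version="1.0"><dict>
  <key>com.apple.security.application-groups</key>
  <array>
    <string>TEAMID12AB.com.example.vpn</string>
  </array>
</dict></plist>'
# Same group name under another team prefix: fails the check.
OTHER_PLIST='<plist version="1.0"><dict>
  <key>com.apple.security.application-groups</key>
  <array><string>OTHERTEAM1.com.example.vpn</string></array>
</dict></plist>'
# On the Mac (macOS 12 codesign syntax; app path assumed, sysext path left to you):
#   app=$(codesign -d --entitlements :- /Applications/GlobalProtect.app 2>/dev/null)
#   share_app_group "$app" "$(codesign -d --entitlements :- "<path>.systemextension" 2>/dev/null)"
```

A mismatch (no shared group, or the same group under a different team prefix) is reported on stderr with a non-zero exit, which is the condition to fix in the extension's entitlements or provisioning before re-deploying via MDM.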