Merge pull request #205 from janparttimaa/master

CKunze-MSFT · web-flow · commit a6f9bb665588 · 2025-07-24T08:41:31.000-05:00
Policy Enforcers: iManage Work Desktop &amp; GlobalProtect + Fixing ABM DEP check bug
diff --git a/macOS/Apps/Illumio VEN/illumioVENRegistrationInstaller.sh b/macOS/Apps/Illumio VEN/illumioVENRegistrationInstaller.sh
@@ -99,7 +99,7 @@ echo ""
 if [ "$abmcheck" = true ]; then
   echo "$(date) | Checking MDM Profile Type"
   profiles status -type enrollment | grep "Enrolled via DEP: Yes"
-  if [ ! $? == 0 ]; then
+  if [[ ! $? == 0 ]]; then
     echo "$(date) | This device is not ABM managed"
     exit 0;
   else
diff --git a/macOS/Apps/Illumio VEN/installIllumioVEN.sh b/macOS/Apps/Illumio VEN/installIllumioVEN.sh
@@ -955,7 +955,7 @@ echo ""
 if [ "$abmcheck" = true ]; then
   echo "$(date) | Checking MDM Profile Type"
   profiles status -type enrollment | grep "Enrolled via DEP: Yes"
-  if [ ! $? == 0 ]; then
+  if [[ ! $? == 0 ]]; then
     echo "$(date) | This device is not ABM managed"
     exit 0;
   else
diff --git a/macOS/Config/Palo Alto GlobalProtect/PaloAltoGlobalProtectPolicyEnforcerMachineLevel.zsh b/macOS/Config/Palo Alto GlobalProtect/PaloAltoGlobalProtectPolicyEnforcerMachineLevel.zsh
@@ -0,0 +1,148 @@
+#!/bin/zsh
+#set -x
+############################################################################################
+##
+## Script to set and enforce policies to Palo Alto GlobalProtect on macOS (Machine Level)
+##
+############################################################################################
+
+## Copyright (c) 2025 Microsoft Corp. All rights reserved.
+## Scripts are not supported under any Microsoft standard support program or service. The scripts are provided AS IS without warranty of any kind.
+## Microsoft disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a
+## particular purpose. The entire risk arising out of the use or performance of the scripts and documentation remains with you. In no event shall
+## Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever
+## (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary
+## loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility
+## of such damages.
+## Feedback: neiljohn@microsoft.com
+
+# Define variables
+appname="PaloAltoGlobalProtectPolicyEnforcerMachineLevel"                                    # The name of our script
+plist="/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist"               # Location of plist for GlobalProtect
+plistbuddy="/usr/libexec/PlistBuddy"                                                         # Location of plistbuddy, that we will use
+logandmetadir="/Library/Logs/Microsoft/IntuneScripts/$appname"                               # The location of our logs and last updated data
+log="$logandmetadir/$appname.log"                                                            # The location of the script log file
+
+# Create log directory if it doesn't exist
+if [ ! -d "$logandmetadir" ]; then
+    echo "$(/bin/date) | Creating log directory - $logandmetadir"
+    mkdir -p "$logandmetadir"
+else
+    echo "$(/bin/date) | Log directory already exists - $logandmetadir"
+fi
+
+# Ensure PlistBuddy exists
+if [ ! -x "$plistbuddy" ]; then
+    echo "$(/bin/date) | ERROR: PlistBuddy not found at $plistbuddy"
+    exit 1
+fi
+
+# Ensure parent directory exists
+ensure_directory_exists() {
+  local dir_path
+  dir_path="$(dirname "$plist")"
+  if [ ! -d "$dir_path" ]; then
+    echo "$(/bin/date) | Creating directory: $dir_path"
+    mkdir -p "$dir_path"
+  else
+    echo "$(/bin/date) | Directory already exists: $dir_path"
+  fi
+}
+
+# Ensure plist exist
+create_plist() {
+  ensure_directory_exists
+  if [[ ! -f "$plist" ]]; then
+    echo "$(/bin/date) | [CREATE] Creating empty plist at $plist"
+    $plistbuddy -c "Clear" "$plist" > /dev/null 2>&1
+  fi
+}
+
+# Ensure parent dictionaries exist
+ensure_parents_exist() {
+  local path="$1"
+  local plist="$2"
+
+  local -a parts
+  parts=("${(@s/:/)path}")
+  local quoted_parts=()
+
+  for part in "${parts[@]}"; do
+    quoted_parts+=("'$part'")
+  done
+
+  for ((i = 1; i < ${#quoted_parts[@]}; i++)); do
+    local current_path="${(j/:/)quoted_parts[1,i]}"
+    if ! $plistbuddy -c "Print $current_path" "$plist" &>/dev/null; then
+      echo "$(/bin/date) | [ADD] Creating missing dictionary: ${(j/:/)parts[1,i]}"
+      $plistbuddy -c "Add $current_path dict" "$plist"
+    fi
+  done
+}
+
+# Enforce key value
+enforce_value() {
+  local key_path="$1"
+  local type="$2"
+  local expected="$3"
+
+  ensure_parents_exist "$key_path" "$plist"
+
+  if $plistbuddy -c "Print '$key_path'" "$plist" &>/dev/null; then
+    local current="$($plistbuddy -c "Print '$key_path'" "$plist")"
+    if [[ "$current" != "$expected" ]]; then
+      echo "$(/bin/date) | [UPDATE] $key_path: $current -> $expected"
+      $plistbuddy -c "Set '$key_path' $expected" "$plist"
+    else
+      echo "$(/bin/date) | [OK] $key_path is already set to $expected"
+    fi
+  else
+    echo "$(/bin/date) | [ADD] $key_path = $expected"
+    $plistbuddy -c "Add '$key_path' $type $expected" "$plist"
+  fi
+}
+
+# Delete key if it exists
+delete_key() {
+  local key_path="$1"
+  if $plistbuddy -c "Print '$key_path'" "$plist" &>/dev/null; then
+    echo "$(/bin/date) | [DELETE] Removing key: $key_path"
+    $plistbuddy -c "Delete '$key_path'" "$plist"
+  else
+    echo "$(/bin/date) | [INFO] Key not found, nothing to delete: $key_path"
+  fi
+}
+
+# Start logging
+exec &> >(tee -a "$log")
+
+# Begin Script Body
+echo ""
+echo "##############################################################"
+echo "# $(/bin/date) | Starting running of script $appname"
+echo "##############################################################"
+echo ""
+
+# Run functions
+
+# Apply Palo Alto GlobalProtect policies
+echo "$(/bin/date) | Applying Palo Alto GlobalProtect policies..."
+
+# [CREATE] Create plist if not existed
+create_plist
+
+# [ADD/UPDATE] GlobalProtect - PanSetup
+enforce_value "Palo Alto Networks:GlobalProtect:PanSetup:Portal" string "vpn.example.com" "$plist"
+enforce_value "Palo Alto Networks:GlobalProtect:PanSetup:Prelogon" string "1" "$plist"
+
+# [ADD/UPDATE] GlobalProtect - Settings
+enforce_value "Palo Alto Networks:GlobalProtect:Settings:connect-method" string "pre-logon" "$plist"
+enforce_value "Palo Alto Networks:GlobalProtect:Settings:default-browser" string "no" "$plist"
+
+# [DELETE] GlobalProtect - PanSetup (Example commented)
+# delete_key "Palo Alto Networks:GlobalProtect:PanSetup:Portal"
+
+# End of script
+echo ""
+echo "$(/bin/date) | Script $appname completed."
+echo "##############################################################"
diff --git a/macOS/Config/Palo Alto GlobalProtect/README.md b/macOS/Config/Palo Alto GlobalProtect/README.md
@@ -0,0 +1,115 @@
+# Palo Alto GlobalProtect Policy Enforcer
+
+In generally, Mobile Device Management systems like Microsoft Intune [support the distribution of standardized plist files to managed users](https://learn.microsoft.com/en-us/intune/intune-service/configuration/preference-file-settings-macos). This makes it easy to distribute updated plist files to users when specific settings need to be changed, removed, or added. These plist files are typically deployed to the `/Library/Managed Preferences` location.
+
+Unfortunately, some applications, such as GlobalProtect for macOS, do not support reading plist files from this location. Instead, they read directly from `/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist`. These policy enforcer scripts are specifically developed for such applications that do not support reading deployed plist files from `/Library/Managed Preferences`. The goal is to provide an easy way to distribute configuration values to these applications — whether it's for deploying new settings, modifying existing ones, or removing deprecated entries.
+
+In this example, we provide a policy enforcer script for GlobalProtect on macOS.
+
+## Palo Alto GlobalProtect Policy Enforcer (Machine Level)
+
+> [!NOTE]  
+> This script can be deployed as a separate script deployment or with a post-install script during GlobalProtect installation via Intune. We recommend using both options to ensure proper configuration.
+
+This custom script is designed to **automate the configuration of GlobalProtect VPN policies** on macOS devices. It is especially useful in **MDM deployment scenarios** such as Microsoft Intune, where consistent and secure configuration across devices is critical.
+
+### Purpose
+
+This script ensures that key GlobalProtect settings are **created, updated, or removed** at the machine level using `PlistBuddy`. It helps enforce security, compliance, and user experience standards by:
+
+- Disabling unnecessary or insecure features.
+- Enabling enterprise-grade protections.
+- Pre-configuring baseline settings of GlobalProtect to corporate environment.
+- Preventing users from changing critical settings. If user change those settings, they will be enforced back to defined values.
+
+### Benefits
+
+- ✅ Ensures **consistent policy enforcement** across all managed Macs
+- ✅ Reduces **manual configuration errors**
+- ✅ Supports **CIS/NIST-aligned hardening**
+- ✅ Fully **automated and silent** when deployed via Intune
+- ✅ Logs all actions for **auditability and troubleshooting**
+
+---
+### What the Script Does
+
+The script uses `PlistBuddy` to:
+
+- **Create** missing `.plist` files and directories
+- **Add or update** specific keys and values
+- **Delete** obsolete or undesired keys (optional)
+
+#### Policies (`com.paloaltonetworks.GlobalProtect.settings.plist`)
+
+> [!NOTE]  
+> - These are example settings and values. Modify as needed before deploying this script to managed devices.  
+> - Please refer to [GlobalProtect Documentation](https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-apps/deploy-app-settings-transparently/customizable-app-settings#idd39ecf6d-6771-4ee3-a4d1-2ba5bbbad1bc) from Palo Alto Networks to validate which key/value pairs are supported and required.  
+> - The script includes a commented-out example of how to delete values.  
+> - This script enforces **machine-level** policies and does not target individual users.
+
+| Key Path | Type | Value | Notes |
+|----------|------|-------|-------|
+| `Palo Alto Networks:GlobalProtect:PanSetup:Portal` | string | `vpn.example.com` | Set your GlobalProtect portal address. [More information](https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-apps/deploy-app-settings-transparently/customizable-app-settings/app-behavior-options). |
+| `Palo Alto Networks:GlobalProtect:PanSetup:Prelogon` | string | `1` | Enables pre-logon feature. [More information](https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-apps/deploy-app-settings-transparently/customizable-app-settings/app-behavior-options). |
+| `Palo Alto Networks:GlobalProtect:Settings:connect-method` | string | `pre-logon` | Connection method setting. [More information](https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-apps/deploy-app-settings-transparently/customizable-app-settings/app-behavior-options). |
+| `Palo Alto Networks:GlobalProtect:Settings:default-browser` | string | `no` | Prevents launching default browser. [More information](https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-apps/deploy-app-settings-transparently/customizable-app-settings/app-behavior-options). |
+
+---
+
+### Customization
+
+To **modify or extend** the script:
+
+- To **add a new key or update existing key**, use the `enforce_value` function.
+- To **delete a key**, use the `delete_key` or function.
+
+---
+
+### Script Settings
+
+| Setting | Value |
+|--------|-------|
+| Run script as signed-in user | ❌ No |
+| Hide script notifications on devices | ✅ Yes |
+| Script frequency | Every 1 day |
+| Number of times to retry if script fails | 3 |
+
+---
+
+### Log File
+
+The log file will output to ***/Library/Logs/Microsoft/IntuneScripts/PaloAltoGlobalProtectPolicyEnforcerMachineLevel/PaloAltoGlobalProtectPolicyEnforcerMachineLevel.log*** by default. Exit status is either 0 or 1. To gather this log with Intune remotely take a look at  [Troubleshoot macOS shell script policies using log collection](https://docs.microsoft.com/en-us/mem/intune/apps/macos-shell-scripts#troubleshoot-macos-shell-script-policies-using-log-collection)
+
+```
+##############################################################
+# Fri Jul  4 17:12:51 EEST 2025 | Starting running of script PaloAltoGlobalProtectPolicyEnforcerMachineLevel
+##############################################################
+
+Fri Jul  4 17:12:51 EEST 2025 | Applying Palo Alto GlobalProtect policies...
+Fri Jul  4 17:12:51 EEST 2025 | Directory already exists: /Library/Preferences
+Fri Jul  4 17:12:51 EEST 2025 | [CREATE] Creating empty plist at /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
+Fri Jul  4 17:12:51 EEST 2025 | [ADD] Creating missing dictionary: Palo Alto Networks
+Fri Jul  4 17:12:51 EEST 2025 | [ADD] Creating missing dictionary: Palo Alto Networks:GlobalProtect
+Fri Jul  4 17:12:51 EEST 2025 | [ADD] Creating missing dictionary: Palo Alto Networks:GlobalProtect:PanSetup
+Fri Jul  4 17:12:51 EEST 2025 | [ADD] Palo Alto Networks:GlobalProtect:PanSetup:Portal = vpn.example.com
+Fri Jul  4 17:12:51 EEST 2025 | [ADD] Palo Alto Networks:GlobalProtect:PanSetup:Prelogon = 1
+Fri Jul  4 17:12:51 EEST 2025 | [ADD] Creating missing dictionary: Palo Alto Networks:GlobalProtect:Settings
+Fri Jul  4 17:12:51 EEST 2025 | [ADD] Palo Alto Networks:GlobalProtect:Settings:connect-method = pre-logon
+Fri Jul  4 17:12:51 EEST 2025 | [ADD] Palo Alto Networks:GlobalProtect:Settings:default-browser = no
+
+Fri Jul  4 17:12:51 EEST 2025 | Script PaloAltoGlobalProtectPolicyEnforcerMachineLevel completed.
+
+##############################################################
+# Fri Jul  4 18:12:40 EEST 2025 | Starting running of script PaloAltoGlobalProtectPolicyEnforcerMachineLevel
+##############################################################
+
+Fri Jul  4 18:12:40 EEST 2025 | Applying Palo Alto GlobalProtect policies...
+Fri Jul  4 18:12:40 EEST 2025 | Directory already exists: /Library/Preferences
+Fri Jul  4 18:12:40 EEST 2025 | [OK] Palo Alto Networks:GlobalProtect:PanSetup:Portal is already set to vpn.example.com
+Fri Jul  4 18:12:40 EEST 2025 | [UPDATE] Palo Alto Networks:GlobalProtect:PanSetup:Prelogon: 1 -> 0
+Fri Jul  4 18:12:40 EEST 2025 | [OK] Palo Alto Networks:GlobalProtect:Settings:connect-method is already set to pre-logon
+Fri Jul  4 18:12:40 EEST 2025 | [OK] Palo Alto Networks:GlobalProtect:Settings:default-browser is already set to no
+
+Fri Jul  4 18:12:40 EEST 2025 | Script PaloAltoGlobalProtectPolicyEnforcerMachineLevel completed.
+##############################################################
+```
diff --git a/macOS/Config/iManage Work Desktop/README.md b/macOS/Config/iManage Work Desktop/README.md
diff --git a/macOS/Config/iManage Work Desktop/iManageWorkDesktopPolicyEnforcerMachineLevel.zsh b/macOS/Config/iManage Work Desktop/iManageWorkDesktopPolicyEnforcerMachineLevel.zsh
