GlobalProtect Patch Management with Jamf Pro and Title Editor


GlobalProtect Updates and Title Editor Representation

 

Overview

This guide is written primarily for the University of Utah environment; however, the overall workflow can be adopted by any organization using Jamf Pro and Title Editor to manage applications distributed through restricted channels, such as GlobalProtect or other internally licensed or access-controlled software. Even when an installer is available only through a private portal, vendor support site, VPN gateway, or other restricted source, the core process remains the same: download the authorized package, upload it to Jamf Pro, define or update the software title in Title Editor with the correct bundle ID and version string, and associate the package with a patch policy targeting the appropriate devices. By standardizing on Jamf Pro Patch Management and Title Editor, organizations establish a consistent, repeatable, and auditable framework for maintaining restricted or enterprise-only applications across their managed macOS fleet.

At its core, Jamf Pro Title Editor is the “choose your own adventure” version of software patch management. While Jamf provides a robust library of built-in software definitions for mainstream apps like Google Chrome or Zoom, many organizations rely on specialized, in-house, or industry-specific tools that aren’t prominent enough for Jamf to track officially. Title Editor serves as a hosted service that allows you to manually define these apps—specifying exactly how the system should identify the version, which processes need to be killed during an update, and what the “latest” version number actually is. This effectively bridges the gap between Jamf’s automated features and the messy reality of niche enterprise software.

Prerequisites

Before beginning, confirm you have the following in place:

  • Jamf Pro administrator access with permissions to manage Patch Management, Title Editor, and Packages
  • macOS endpoints enrolled in Jamf Pro
  • Title Editor already set up and linked to your Jamf Pro instance via Settings > Patch Management > External Patch Sources
  • Access to the University of Utah Office of Software Licensing portal or vpn.utah.edu to download the latest GlobalProtect installer
  • A Jamf distribution point (cloud or file share) that is configured and accessible

 

Download the Latest GlobalProtect Installer

For the University of Utah, navigate to either the University of Utah Office of Software Licensing portal or vpn.utah.edu and log in with your uNID credentials. Locate the Palo Alto Networks GlobalProtect client for macOS and download the latest .pkg installer file. Make note of the exact version number (for example, 6.2.x), as you will need it when updating the software title definition later.

Upload the Package to Jamf Pro

Log in to your Jamf Pro console and go to Settings > Computer Management > Packages. Click New and give the package a clear, descriptive name such as GlobalProtect-6.2.x.pkg. Upload the .pkg file you downloaded and fill in any relevant notes, such as the version number and source. Save the package record once the upload is complete. Jamf Pro will replicate the package to your configured distribution points.

Creating a New Software Title in Jamf Title Editor — GlobalProtect

Note: A new software title cannot be enabled until at least one Requirement and one Patch have been defined. Complete all sub-steps before attempting to enable the title.

Create the Software Title

From the Patch Definitions page, click New, then click Create.

Title Editor - New Software Dialog

Fill in the four required fields:

  • Name: Palo Alto Networks GlobalProtect
  • Publisher: Palo Alto Networks, Inc.
  • Current Version: 6.2.8-263 (use the exact version string from the pkg)
  • ID: PaloAltoNetworksGlobalProtect (no spaces or special characters; must be unique)

Title Editor - GlobalProtect - Software Title details

Click Save.

Add a Requirement

This tells Jamf which computers have GlobalProtect installed.

  1. Click the Requirements tab.
  2. Click Add.
  3. From the Criteria pop-up menu, choose Application Bundle ID.
  4. In the Value field, enter com.paloaltonetworks.GlobalProtect.client.
  5. Click Done.

 

Title Editor - GlobalProtect - Requirements Details

Important: The correct bundle ID for GlobalProtect on macOS is com.paloaltonetworks.GlobalProtect.client — note the .client suffix. Using com.paloaltonetworks.GlobalProtect (without .client) will cause Jamf to incorrectly report devices as unpatched or unknown.

You can verify the bundle ID on any managed Mac by running:

mdls -name kMDItemCFBundleIdentifier /Applications/GlobalProtect.app

Create a Patch (Version)

  1. Click the Patches tab.
  2. Click New, then click Create.

 

Title Editor - GlobalProtect - Patch Details

Fill in the fields:

  • Version: 6.2.8-263 (exact version string from the pkg)
  • Release Date: (date this version was released)
  • Minimum Operating System: 11.0
  • Standalone: Yes

 

Create a Patch Component

Title Editor - GlobalProtect - Patch - Component Details

Click the Components tab, then click New.

  • Name: Palo Alto Networks GlobalProtect
  • Version: 6.2.8-263

Click Save.

Add Patch Component Criteria

From the component, click the Criteria tab, then click Add.

First criterion:

  • Criteria: Application Bundle ID
  • Operator: is
  • Value: com.paloaltonetworks.GlobalProtect.client

Click Add for a second criterion:

  • Criteria: Application Version
  • Operator: is
  • Value: 6.2.8-263

Title Editor - GlobalProtect - Patch - Criteria Details

Add Capability Criteria

Click the Capabilities tab, then click Add.

  • Criteria: Operating System Version
  • Operator: greater than or equal
  • Value: 11.0

Title Editor - GlobalProtect - Patch - Capabilities Details

Add Kill App

Click the Kill Apps tab, then click New.

  • Name: GlobalProtect.app
  • Version: 6.2.8-263

Title Editor - GlobalProtect - Patch - Kill Apps Details

Configure a Patch Policy in Patch Management

Navigate to Computers > Patch Management and locate the GlobalProtect software title you just configured. Click on the title to open it, then select the Patch Policies tab and click Create Patch Policy (or New).

General tab: Give the policy a descriptive name, such as Patch - GlobalProtect - Latest. Set the Target Version to the latest version you defined in Title Editor. Choose whether you want this to be an automatic deployment or require self-service initiation — for a managed campus VPN client, an automatic deployment scoped to all enrolled Macs is typically appropriate.

  • Display Name: Patch - GlobalProtect - Latest (or your naming convention)
  • Enabled: Yes (checked)
  • Target Version: 6.2.8-263
  • Distribution Method: Automatic / Self Service (automatic recommended for campus VPN)

Jamf Pro - Patch Management - General Example

Scope tab: Define which computers or groups should receive the patch. You can target all managed Macs, a specific smart group (such as computers that do not have the latest version installed), or a specific building or department group, depending on your rollout strategy. Jamf Pro will automatically detect endpoints where the installed version is older than the target version and include them in scope.

Jamf Pro - Patch Management - Scope Details

Reminders and Deadlines tab: Configure user-facing notifications if desired. You can set a deferral limit so that users receive a prompt to install the update, but are not immediately forced to do so. Setting a deadline of several days with periodic reminders strikes a good balance between user experience and compliance for a VPN client.

Jamf Pro - Patch Management - User Interaction Example

For a campus-managed VPN client, the following settings are recommended:

  • Grace Period: 15 minutes — warns users before GlobalProtect quits
  • Update Deadline: 7 days — allows reasonable deferral while ensuring compliance
  • Notifications: Enable Notification Center display so users are aware of the pending update

GlobalProtect typically does not require a full system restart after installation, but verify this with your specific package. If the installer requires it, configure an appropriate restart action here.

Save the patch policy. Jamf Pro will begin evaluating enrolled endpoints during its next check-in and will deploy the updated GlobalProtect package to any machine running an older version.

Monitor Deployment Progress

Return to Computers > Patch Management, select the GlobalProtect title, and click on the Patch Policies tab. Open your active patch policy and review the Status dashboard. Jamf Pro will display a breakdown of how many computers are Patched, Not Patched, or Unknown for that version. You can drill into each category to see specific device names and take action on any machines that are not reporting as expected.

Jamf Pro - Patch Management - Patch Report Example

You can also run a Patch Report by navigating to the Reports section within Patch Management to export a summary for auditing or compliance documentation purposes.

Ongoing Maintenance

At the University of Utah, each time Palo Alto Networks releases a new version of GlobalProtect, repeat this process:

  1. Download the new installer from the Office of Software Licensing or vpn.utah.edu
  2. Upload the new package to Jamf Pro (Settings > Computer Management > Packages)
  3. In Title Editor, open the GlobalProtect software title and add a new patch version (or use Clone on the existing version to copy all criteria, then update the version number)
  4. Update the Current Version field on the Software Title tab to reflect the new version
  5. Enable the new patch version and update your patch policy’s Target Version

Because Patch Management uses the software title definition to evaluate installed versions against the target, simply updating the Title Editor entry and package association is usually sufficient to trigger deployment to out-of-date endpoints on their next check-in without needing to rebuild the full policy from scratch.

 

Notes and Tips

  • Verify that the bundle ID and app name in Title Editor exactly match what is installed on your endpoints. A mismatch will cause Jamf Pro to incorrectly report devices as unpatched or unknown. You can confirm the bundle ID by running mdls -name kMDItemCFBundleIdentifier /Applications/GlobalProtect.app in Terminal on a managed Mac.
  • If your campus requires a specific configuration profile or pre-existing system extension approval for GlobalProtect to function after installation, ensure those configuration profiles are already deployed to endpoints before the patch policy runs so that the VPN client activates correctly post-update.
  • Testing the patch on a pilot group or a dedicated test smart group before scoping it to your full fleet is strongly recommended, especially for a security-critical application like a VPN client.

 

Next Step Automation

To reduce manual effort and improve consistency, software definition updates in Title Editor can be automated using the Title Editor API in combination with the Jamf Pro API. Rather than manually entering or cloning patch versions and updating fields through the web interface each time a new GlobalProtect release becomes available, an automation workflow can authenticate to the API, clone the existing patch definition, update the version string and release date, and set the new version as the current version for the software title. In parallel, the automation can upload the new installer package to Jamf Pro and update the associated patch policy’s target version. This ensures that once a new installer is approved and available, the entire definition and deployment process can be completed programmatically and consistently.

One implementation might involve a secure automation runner or CI/CD pipeline that is triggered either manually (after verifying and downloading the restricted installer) or through a scheduled version check. The workflow would securely retrieve API credentials, validate the new version number, create or update the patch version in Title Editor, and then confirm that the patch policy is targeting the newly defined version. Logging, error handling, and optional notifications (such as email or Teams alerts) should be built in so administrators have visibility into each update cycle. For environments managing critical services like a campus VPN client, automation should still include pilot scoping and validation steps to ensure reliability while significantly reducing repetitive administrative overhead.
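The "validate the new version number" step above can run as an offline pre-flight check before any API call is made. The following is an added example, not part of the original guide and not Jamf's code. The dictionary layout, `make_draft`, and the previous version `6.2.7-100` are constructed for illustration and are not the Title Editor API schema; the version pattern assumes the `6.2.8-263` shape used in this guide.

```python
import re

BUNDLE_ID = "com.paloaltonetworks.GlobalProtect.client"  # from this guide
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)")    # shape of 6.2.8-263


def parse_version(text):
    """Turn '6.2.8-263' into (6, 2, 8, 263) so versions compare numerically."""
    match = VERSION_RE.fullmatch(text.strip())
    if not match:
        raise ValueError(f"not a full version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def validate_title(title, previous_version):
    """Return a list of problems; an empty list means the draft is consistent."""
    problems = []
    if not re.fullmatch(r"[A-Za-z0-9]+", title.get("id", "")):
        problems.append("ID contains spaces or special characters")
    if not title.get("requirements") or not title.get("patches"):
        return problems + ["need one Requirement and one Patch before enabling"]
    if BUNDLE_ID not in [r["value"] for r in title["requirements"]]:
        problems.append("requirement bundle ID is not " + BUNDLE_ID)
    patch = title["patches"][-1]  # hypothetical layout: newest patch last
    criteria = {c["name"]: c["value"] for c in patch["criteria"]}
    if criteria.get("Application Bundle ID") != BUNDLE_ID:
        problems.append("component bundle ID is not " + BUNDLE_ID)
    versions = {title["current_version"], patch["version"],
                patch["component_version"], criteria.get("Application Version")}
    if len(versions) != 1:
        problems.append("version strings differ: " + ", ".join(sorted(map(str, versions))))
    try:
        if parse_version(patch["version"]) <= parse_version(previous_version):
            problems.append("version is not newer than " + previous_version)
    except ValueError as err:
        problems.append(str(err))
    return problems


def make_draft(version, bundle_id=BUNDLE_ID):
    """Constructed sample in a hypothetical local layout (not the API schema)."""
    by_id = {"name": "Application Bundle ID", "value": bundle_id}
    patch = {"version": version, "component_version": version,
             "criteria": [by_id, {"name": "Application Version", "value": version}]}
    return {"id": "PaloAltoNetworksGlobalProtect", "current_version": version,
            "requirements": [by_id], "patches": [patch]}


if __name__ == "__main__":
    print(validate_title(make_draft("6.2.8-263"), "6.2.7-100") or "consistent")
```

Comparing parsed tuples rather than raw strings matters here: as text, `6.2.10-5` sorts before `6.2.8-263`, which would make a newer release look like a downgrade.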

For more information, see the Jamf Pro documentation on Accessing the Title Editor API.
