Recently the behavior changed when a user tries to upgrade the GP client: they are challenged with the uninstall password if one is configured. While working with Palo Alto Networks TAC, they identified that during the upgrade the GP client package uninstalls the old version first, before it begins to install the new package. In GP client 5.2.4 and older, the upgrade would complete even if uninstall was set to password or disallow. This was identified as a software issue, so in clients 5.2.5 and newer the ability to upgrade the client with the uninstall option set to password or disallow was disabled.
In a nutshell, with the new GP clients you need to set the client setting to allow uninstall if you want to use the GlobalProtect client upgrade process.
For clients 5.2.4 or older, the behavior is as follows:
- If you are using a GP version older than 5.2.4, the transparent upgrade should work: the user has no interaction, and they can upgrade even if Allow User to Uninstall GlobalProtect App is set to Disallow.
Starting with 5.2.5, the behavior is as follows:
- Allow User to Uninstall GlobalProtect App is set to Allow
  - Allow User to Upgrade GlobalProtect App as Allow with Prompt/Manually/Transparently. (In this case, the users will be able to upgrade transparently without any interaction and the passcode/password will not be allowed)
- Allow User to Uninstall GlobalProtect App is set to Disallow
  - Allow User to Upgrade GlobalProtect App as Allow with Prompt/Manually/Transparently. (This will be blocked)
- Allow User to Uninstall GlobalProtect App is set to "Allow with password"
  - Allow User to Upgrade GlobalProtect App as Allow with Prompt/Manually/Transparently. (In this case, the users will need to enter the uninstall password to complete the upgrade)
To allow users to upgrade without providing them a password, you would need to use the following:
- Allow User to Uninstall GlobalProtect App is set to Allow
- Allow User to Upgrade GlobalProtect App as Allow with Prompt/Manually/Transparently.
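The behavior described above can be applied to a client inventory before an upgrade is pushed, to see which endpoints will prompt for the password or be blocked. This is an added example, not code from the original post or from Palo Alto Networks; the inventory format, hostnames and function names are assumptions, as is the reading that the installed client's version decides which behavior applies.

```python
import re
from collections import defaultdict

# Outcomes as described on this page for clients 5.2.5 and newer.
NEW_CLIENT_OUTCOME = {
    "allow": "upgrade proceeds, no password prompt",
    "disallow": "upgrade blocked",
    "allow with password": "user must enter the uninstall password",
}
OLD_CLIENT_OUTCOME = "upgrade proceeds regardless of uninstall setting"
UNKNOWN = "check manually (unparseable version or setting)"


def parse_version(text):
    """'5.2.10-21' -> (5, 2, 10). Numeric tuples avoid the string-compare
    trap where '5.2.10' sorts before '5.2.5'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-\d+)?", text.strip())
    return tuple(map(int, m.groups())) if m else None


def upgrade_outcome(installed_version, uninstall_setting):
    """Expected result of the portal-driven upgrade for one client."""
    version = parse_version(installed_version)
    setting = uninstall_setting.strip().lower()
    if version is None or setting not in NEW_CLIENT_OUTCOME:
        return UNKNOWN
    if version < (5, 2, 5):  # 5.2.4 and older
        return OLD_CLIENT_OUTCOME
    return NEW_CLIENT_OUTCOME[setting]


def plan_rollout(inventory):
    """Group hostnames by the outcome expected when the upgrade is pushed."""
    groups = defaultdict(list)
    for host, version, setting in inventory:
        groups[upgrade_outcome(version, setting)].append(host)
    return {outcome: sorted(hosts) for outcome, hosts in groups.items()}


# Constructed sample inventory: (hostname, installed GP version, uninstall
# setting of the agent config that applies to that host).
SAMPLE_INVENTORY = [
    ("lt-001", "5.2.4", "Disallow"),
    ("lt-002", "5.2.5", "Disallow"),
    ("lt-003", "5.2.10-21", "Allow with password"),
    ("lt-004", "5.2.8", "Allow"),
    ("lt-005", "n/a", "Allow"),
]

if __name__ == "__main__":
    for outcome, hosts in plan_rollout(SAMPLE_INVENTORY).items():
        print(f"{outcome}: {', '.join(hosts)}")
```
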
My personal recommendation is to allow the client uninstall so you can leverage the GP client upgrade process. I feel the ability to upgrade the clients to ensure functionality and security is more important than blocking them from uninstalling the client. In addition, we have tested with clients that are not Admins on the local machine, and they were unable to uninstall the client from the Windows software manager. So that is a win...
Perhaps the client upgrade functionality can also be managed with an MDM solution or with a software management tool like SCCM. But it will take some testing to find the best process that works for your environment.