**Disclamer: This is only a guide please work with Microsoft and or Palo Alto Networks if you have any concerns. **
GlobalProtect VPN can be deployed in different connection configurations. One of the most secure is the always-connected model. When 'always on' is configured, the GlobalProtect agent will force all traffic over the VPN tunnel, even when a user is not logged in. This ensures that all traffic from the device is inspected by a firewall and allows desktop support staff to manage the device. One downfall is that it complicates communications with MDM solutions.
MDM software runs all the time, even when users are not logged in. What this means is the software needs to be allowed to access MDM resources 24x7. In GlobalProtect, this is accomplished with a mechanism called pre-login security policies. Pre-login policies are security policies that allow devices authenticated with a machine certificate to connect to generally a more restricted set of resources. Once a user authenticates the VPN connection, it is promoted to a known-user state and corporate firewall policies are applied to the traffic.
What I want to focus on in this write-up is the pre-login security policies that allow Intune software to communicate with its required Microsoft cloud resources.
1. The first thing that needs to happen is to determine which endpoints the Intune client will need to communicate with. This can be accomplished by running a PowerShell command on an endpoint, which will output the endpoints you will need to configure in your firewall. Here is a link to the Microsoft documentation for running the PowerShell commands. https://tinyurl.com/MS-Intune-Doc
2. Once you receive the endpoints, you will need to create a custom URL category and two address object groups.
a. The URL category you need to create is for the *.manage.microsoft.com
domain. Because this is a wildcard URL, you cannot create an FQDN object
and will need to create a second security policy just for this.
b. You will need to create an Intune-FQDN address object group and add the FQDNs that were part of the above PowerShell output.
c. Lastly, you will need to create an Intune-Network address object group and add the network address objects that where generated in the above PowerShell output.
3. Configure security policies to utilize the address and URL categories you created above.
a. The first security policy you need to configure is one that leverages
your custom URL category. You will also want to leverage the applicable
App-IDs.
b. The second policy will use the same App-IDs but will restrict the destination to the two address objects you created earlier.
c. One thing I want to highlight is that in the user category, you see
pre-login defined as the user. This is important as it ensures that
certificate-authenticated devices can leverage these policies even
though the users are not logged in.
Once these policies are configured, you will see Intune devices connect
to your Intune console, and you will be able to utilize the core Intune
services.