On a managed Mac with a machine certificate, when the certificate is renewed, Palo Alto GlobalProtect will prompt for administrative credentials before connecting. This is because the executable isn’t allowed to directly read from the System keychain.
There’s a nice explanation and fix described on Palo Alto’s site, but in case that one goes missing, here’s the workaround:
Panagent
Open the Keychain Access application and locate the Machine Certificate issued to Mac OS X Client in the System keychain.
Right-click on the private key associated with Certificate and click Get Info, then go to the Access Control tab
Click ‘+’ to select an Application to allow
Press key combination + + G to open Go to Folder
Enter ‘/Applications/GlobalProtect.app/Contents/Resources’ and click Go
Find PanGPS and click it, and then press Add
Save Changes to private key