How to Deploy the Global Secure Access Client with Intune

The Global Secure Access client is an SSE (or Security Service Edge) solution that enables organisations to manage the network traffic of a client from the client’s devices. This means that by applying different traffic profiles in the Global Secure Access admin portal, different types of traffic can be routed over the Global Secure Access network, instead of being routed over the internet.

The GSA client is a light-weight client that needs to be installed on the end-user device, providing similar functionality to a traditional VPN client. In this post, I am going to demonstrate how to install the Global Secure Access Client using Microsoft Intune for larger deployments.

Steps summary

  1. Download the Global Secure Access client from the Microsoft Entra Admin Center.
  2. Package the application to a win32 package.
  3. Upload the package to Intune and assign it to your target users.
  4. Wait for the application to install and log in for the first time when prompted.

Download the Global Secure Access client

To complete these steps, you must have the Global Secure Access administrator role in Microsoft Entra.

1. Log in to the Microsoft Entra Admin Center.

2. Expand Connect then click Client download.

3. Select Download client to download the application.

Download the Global Secure Access client
Download the Global Secure Access client

Prepare the Global Secure Access client for deployment

To prepare the application for deployment, it must be packaged into a Win32App using the Win32ContentPrepTool available on GitHub. 

1. Download the Win32 Content Prep tool directly from the official GitHub page.

2. Store both the Global Secure Access client and Win32 Content Prep tool in a folder and sub folder on your system.

Prep installation files for the GSA client
Prep installation files for the GSA client

3. Open PowerShell and navigate to this folder location containing the IntuneWinAppUtil.exe file. You can do this by typing CD and then the folder path. For example:

CD C:\win32

4. Run the Win32 Content Prep tool by running the following command in your PowerShell session:

.\IntuneWinAppUtil.exe

5. Enter the requested information to build your install package. Ensure you use the correct paths where the GlobalSecureAccessClient.exe file is saved.

GSA Client package settings
GSA Client package settings

6. Once complete, the GlobalSecureAccessClient.intunewin file should be available at the same location.

GlobalSecureAccessClient.intunewin
GlobalSecureAccessClient.intunewin

Deploy the Global Secure Access Client with Intune

Now the application has been prepared, you can deploy it to your end user workstations through Intune, using the below steps.

1. Log in to intune.microsoft.com

2. Launch the new application wizard by selecting Apps > All apps > Add.

Apps > All Apps > Add
Apps > All Apps > Add

3. From the drop-down list of app types, select Windows App (Win32) and click Select.

4. Click Select file and upload the newly created GlobalSecureAccessClient.intunewin file.

5. Complete the remaining settings on the app information page and click Next. I have also uploaded the Global Secure Access client logo, which you can save below.

GlobalSecureAccessClient logo
App information page
App information page

6. On the Program page, specify the following information, then click Next:

  • Install command: .\GlobalSecureAccessClient.exe /q
  • Uninstall command: MsiExec.exe /X{4DB0A026-1C26-4A8C-8378-DCB94900B604} /q
  • Allow available uninstall: No
  • Install behaviour: System
Global Secure Access client installed commands
Global Secure Access client installed commands

7. On the Requirements page choose a 64-bit operating system architecture and select the version of Windows which corresponded best with your environment. Then click Next.

8. For the detection rules settings, I have simply chosen to identify if the GlobalSecureAccessTunnelingService.exe file is present in the installation folder in C:\ProgramFiles.

  • Rule type: File
  • Path: C:\Program Files\Global Secure Access Client
  • File or folder: GlobalSecureAccessTunnelingService.exe
  • Detection method: File or folder exists
  • Associated with a 32-bit app on 64-bit clients: No
Global Secure Access client detection rule
Global Secure Access client detection rule

9. Skip the dependencies page as there are no dependencies for this application. You can also skip the supersedence page too.

10. On the Assignments page, assign this app to your target group of Users and click Next.

11. On the final page, review the configuration and click Create. The Global Secure Access client will now be deployed.

Confirm the Global Secure Access client has been installed

Once the targetted device synchronises with Intune the application will be deployed. There is no need for the end device to be rebooted, it will just silently appear on the user’s device. But bear in mind, on the first start it will prompt the user to authenticate to the app, which may confuse if not properly communicated prior. 

Users will first receive a popup in the notification area on their desktop.

downloading and installing GlobalSecureAccessClient
downloading and installing GlobalSecureAccessClient

Once successfully installed, the user will be prompted to pick an account to sign-in with. As their device will likely be joined to Microsoft Entra, they will just need to select their account from the list and it will login.

Global Secure Access Sign In prompt
Global Secure Access Sign In prompt

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

Leave a Reply