{"id":2089,"date":"2025-03-04T08:30:00","date_gmt":"2025-03-04T07:30:00","guid":{"rendered":"https:\/\/kasperjohansen.net\/?p=2089"},"modified":"2025-03-02T06:58:22","modified_gmt":"2025-03-02T05:58:22","slug":"quickpost-global-secure-access-client-network-detection-script","status":"publish","type":"post","link":"https:\/\/kasperjohansen.net\/index.php\/2025\/03\/04\/quickpost-global-secure-access-client-network-detection-script\/","title":{"rendered":"Quickpost &#8211; Global Secure Access client network detection script"},"content":{"rendered":"\n<p>I have previously sung my praises about Global Secure Access Private in <a href=\"https:\/\/kasperjohansen.net\/index.php\/2025\/01\/29\/get-started-with-global-secure-access-private-access\/\">another article<\/a> here on my blog, and I do think that Global Secure Access (GSA) is a great product with a lot of potential. However, there are still features that need additional development, and one of these is the automatic network detection feature.<\/p>\n\n\n\n<p>In short, the Global Secure Access client does not detect if your Windows device is connected to the corporate network. 
This means that Global Secure Access is always active, and even though the resources published in Global Secure Access are on the same network as the Windows device, communication to these resources still goes through Global Secure Access.<\/p>\n\n\n\n<p>I have written about how to <a href=\"https:\/\/kasperjohansen.net\/index.php\/2025\/02\/18\/deploy-global-secure-access-client-with-microsoft-intune-and-psadt\/\">deploy, configure and lock down the Global Secure Access client<\/a>. Adding to this article, I have created a script as a workaround to disable GSA Private Access if the Windows device is on a corporate network.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Global_Secure_Access_client_registry_configuration\"><\/span>Global Secure Access client registry configuration<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/global-secure-access\/how-to-install-windows-client#disable-or-enable-private-access-on-the-client\">According to this article<\/a>, Microsoft is letting the user decide when to enable or disable GSA Private Access. Even though I put a lot of faith in users, I am pretty sure that most users do not know or remember when to enable or disable GSA Private Access. So, to help the users out, let&#8217;s configure a Windows scheduled task and do some PowerShell magic.<\/p>\n\n\n\n<p>The article by Microsoft mentions a particular registry value called <em>IsPrivateAccessDisabledByUser<\/em>. This value is configured in <em>HKCU:Software\\Microsoft\\Global Secure Access Client<\/em>. 
This registry value can disable or enable GSA Private Access based on the value data configured.<\/p>\n\n\n\n<p>From the article:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/kasperjohansen.net\/wp-content\/uploads\/2025\/02\/GSA-MSarticle-01.jpg\"><img loading=\"lazy\" decoding=\"async\" width=\"874\" height=\"429\" src=\"https:\/\/kasperjohansen.net\/wp-content\/uploads\/2025\/02\/GSA-MSarticle-01.jpg\" alt=\"\" class=\"wp-image-2094\" srcset=\"https:\/\/kasperjohansen.net\/wp-content\/uploads\/2025\/02\/GSA-MSarticle-01.jpg 874w, https:\/\/kasperjohansen.net\/wp-content\/uploads\/2025\/02\/GSA-MSarticle-01-300x147.jpg 300w, https:\/\/kasperjohansen.net\/wp-content\/uploads\/2025\/02\/GSA-MSarticle-01-768x377.jpg 768w\" sizes=\"auto, (max-width: 874px) 100vw, 874px\" \/><\/a><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"The_scripts\"><\/span>The scripts<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>This solution consists of 2 scripts: 1 script to do the network detection and another script to create a scheduled task which triggers on a specific event ID.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"The_network_detection_script\"><\/span>The network detection script<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>I have created a script that leverages the registry value mentioned above. 
The script is available in a repository on my GitHub account here:<br><a href=\"https:\/\/github.com\/kaspersmjohansen\/Global-Secure-Access-Scripts\/tree\/main\/Detect%20Corporate%20network\">Global-Secure-Access-Scripts\/Detect Corporate network at main \u00b7 kaspersmjohansen\/Global-Secure-Access-Scripts<\/a><\/p>\n\n\n\n<p>The script has 4 variables that can be configured:<\/p>\n\n\n\n<h5 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"NetworkCheck\"><\/span>NetworkCheck<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p>This variable must be configured, as it determines what kind of check is performed to determine whether the Windows device is connected to the corporate network. Currently, the supported values are DNS, FQDN and IP.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"DNSSuffix\"><\/span>DNSSuffix<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p>This variable must be configured if the NetworkCheck variable is configured with the <em>DNS<\/em> value. <br>A DNS suffix value should be configured, like domain.local. The script checks whether a DNS suffix has been configured on the active NIC. If the DNS suffix on the active NIC matches the DNS suffix value in this variable, GSA Private Access is disabled.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"HostFQDN\"><\/span>HostFQDN<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p>This variable must be configured if the NetworkCheck variable is configured with the <em>FQDN<\/em> value. <br>The script will try to resolve the FQDN using the local DNS server\/servers. If the name can be resolved, GSA Private Access is disabled.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"HostIP\"><\/span>HostIP<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p>This variable must be configured if the NetworkCheck variable is configured with the <em>IP<\/em> value. 
<br>The script will ping the IP. If the host with that IP responds to the ping requests, GSA Private Access is disabled.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"The_scheduled_task_script\"><\/span>The scheduled task script<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>This script creates a scheduled task running in user context. The scheduled task triggers when event ID 4004 occurs in the Microsoft-Windows-NetworkProfile\/Operational event log. Event 4004 occurs every time there is a network change on the Windows device.<\/p>\n\n\n\n<p>The script has 5 variables that can be configured:<\/p>\n\n\n\n<h5 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"ScriptFileName\"><\/span>ScriptFileName<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p>Must be configured with the name of the network detection script. Default is <em>Detect-CorpNetwork.ps1<\/em><\/p>\n\n\n\n<h5 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"ScriptFileLocation\"><\/span>ScriptFileLocation<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p>Must be configured with the location of the script file. Default is <em>C:\\ProgramData\\GSAScripts<\/em><\/p>\n\n\n\n<h5 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"ScheduledTaskName\"><\/span>ScheduledTaskName<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p>Must be configured with the name of the scheduled task. Default is <em>Global Secure Access &#8211; Detect network state<\/em><\/p>\n\n\n\n<h5 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"ScheduledTaskDescription\"><\/span>ScheduledTaskDescription<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p>Must be configured with a description of the scheduled task. Default is <em>Powershell script executed on event id 4004, to detect if the device is on the corporate network. 
GSA Private Access is disabled if the device is on the corporate network<\/em><\/p>\n\n\n\n<h5 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"ScheduledTaskPath\"><\/span>ScheduledTaskPath<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p>Must be configured with the scheduled task path. Default is <em>\\<\/em><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"The_network_detection_script_in_action\"><\/span>The network detection script in action<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>I have created a small screen recording, to demonstrate the scheduled task in action and how it looks on the user&#8217;s Windows device. <br>As you might notice, the screen recording is performed on a virtual machine where I am changing VLAN IDs to simulate a network change. The script executed via the scheduled task has been modified to check if the DNS suffix <em>johansen.local<\/em> is available and if it is, disable GSA Private Access.<\/p>\n\n\n\n<figure class=\"wp-block-video\"><video height=\"900\" style=\"aspect-ratio: 1440 \/ 900;\" width=\"1440\" controls src=\"https:\/\/kasperjohansen.net\/wp-content\/uploads\/2025\/03\/GSA-Network-Detection-Screen-Recording-01-.mp4\"><\/video><\/figure>\n\n\n\n<p>This concludes the article. 
Feel free to reach out to me on\u00a0<a href=\"https:\/\/twitter.com\/KasperMJohansen\">X<\/a>\u00a0or on\u00a0<a href=\"https:\/\/www.linkedin.com\/in\/kaspermjohansen\/\">LinkedIn<\/a>\u00a0if you have any comments or questions.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have previously sung my praises about Global Secure Access Private in another article here on my blog, and I do think that Global Secure Access (GSA) is a &#8230;<\/p>\n","protected":false},"author":2,"featured_media":2008,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32,33],"tags":[],"class_list":["post-2089","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripts","category-secure-remote-access"],"_links":{"self":[{"href":"https:\/\/kasperjohansen.net\/index.php\/wp-json\/wp\/v2\/posts\/2089","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kasperjohansen.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kasperjohansen.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kasperjohansen.net\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/kasperjohansen.net\/index.php\/wp-json\/wp\/v2\/comments?post=2089"}],"version-history":[{"count":13,"href":"https:\/\/kasperjohansen.net\/index.php\/wp-json\/wp\/v2\/posts\/2089\/revisions"}],"predecessor-version":[{"id":2106,"href":"https:\/\/kasperjohansen.net\/index.php\/wp-json\/wp\/v2\/posts\/2089\/revisions\/2106"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kasperjohansen.net\/index.php\/wp-json\/wp\/v2\/media\/2008"}],"wp:attachment":[{"href":"https:\/\/kasperjohansen.net\/index.php\/wp-json\/wp\/v2\/media?parent=2089"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kasperjohansen.net\/index.php\/wp-json\/wp\/v2\/categories?post=2089"},{"taxonomy":"post_
tag","embeddable":true,"href":"https:\/\/kasperjohansen.net\/index.php\/wp-json\/wp\/v2\/tags?post=2089"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}