One of the clouds I have access to is protected by a Palo Alto firewall. It has its own VPN client which allows me access to it. It is known as GlobalProtect. As an avid Mac user I have upgraded to Yosemite the moment it came out. Whilst I had run most of my software in a Yosemite VM, I had not tested this client. Before the release of Mavericks, Apple told developers they would increase the stringency of their code signing. There would be tighter checks and increase security as a result. The kext signing would aid in helping protect users.
Herein lies the problem. There are a number of applications which are not following new signing rules and Yosemite will nip them in the bud. What occurs with PAN’s GlobalProtect is that it will fail to establish a VPN. Certain parts are code signed.
There is a fix I’ve come across. There are security implications that will need to be considered. It is possible to enable the OSX kernel into development mode. This relaxes the KEXT code signing requirements and the application will run. Again, do so at your own risk. For me, access to this development cloud is part of my day-to-day job.
nephalem:~ aburke$ sudo nvram boot-args="kext-dev-mode=1"
Being a boot argument you will need to restart. This can be reversed using the same string but with a 0 instead.
Updating software up to date is important though it seems at this stage there is not a release from PAN for this client. Not sure if it will require the FW being upgraded to support a new client or just a new client patch.