In the modern enterprise ecosystem, the traditional perimeter has dissolved. As organizations transition toward hybrid environments, the primary objective remains the same: securely brokering access to sensitive internal resources. However, the rise of BYOD and third-party collaboration has introduced a significant security debt: the unmanaged device.
Our current agentless portfolio for unmanaged devices includes Prisma Browser. Prisma Browser focuses on securing public and private web-based apps, as well as RDP/SSH connections, while enforcing Data Loss Prevention (DLP), zero-trust policies, and full device separation. While it requires installing a browser on the unmanaged device, some customers might see that as an obstacle or additional overhead, asking us to expand our portfolio to also support a pure agentless solution.
Recently, we reached a major milestone in solving this challenge. We are excited to announce that Privileged Remote Access (PRA) in Prisma Access has officially evolved and rebranded to Secure Agentless Access (SAA). This launch marks a game-changing shift for our customers, providing a streamlined, robust, and seamless way to connect any user on any device to critical internal applications - without installing anything on the device. SAA expands your toolkit by allowing secure access to core internal infrastructure from any HTML5 compliant browser.
With both Prisma Browser and Secure Agentless Access, these complementary solutions provide organizations with a comprehensive, flexible framework to eliminate security debt and confidently support BYOD and third-party collaboration.
Unmanaged Devices: The Dilemma of Overly Restrictive Access Control and Excessive Trust
While managed assets are typically hardened with Mobile Device Management (MDM) and Extended Detection and Response (XDR) products, these solutions are often technically and logistically unfeasible for unmanaged devices or certain internal or external users. This issue is most noticeable in scenarios such as:
- Vulnerable Public/Shared Infrastructure: Remote workers using hotel business centers or kiosks.
- Complex Third-Party Access Integrations: Partners and contractors who cannot enroll their hardware in your enterprise’s management tenant and are unwilling to install any agent or use a mandated browser.
- Policy Restrictions: Specialized vendors or federal contractors restricted from installing software of any kind.
Historically, this created a binary choice: Over-Restriction (denying access and killing productivity) or Excessive Trust (risking credential theft and data exfiltration). Neither is sustainable for a modern Zero Trust posture.
Now Live: Support for Private Web Apps
The launch of SAA brings more than just a new name. For use cases where devices are not able to install a browser, we can now support private web applications through SAA! While SAA continues to provide industry-leading support for RDP, SSH, and VNC, users can now access internal web-based applications (HTTP/HTTPS) seamlessly through any HTML5 compatible browser. This expansion means your extended workforce can interact with virtually any internal resource - from legacy terminals to modern web dashboards, all with zero software footprint on the endpoint.
Secure Agentless Access (SAA) Extends Zero Trust Access to Unmanaged Devices Seamlessly
SAA addresses these challenges by providing a solution that bridges the gap between security and accessibility. By leveraging standard HTML5 compliant browsers, SAA creates a secure tunnel to internal resources. This all happens without requiring any software installation or device management. This approach allows IT teams to extend Zero Trust policies to the entire workforce, ensuring that even unmanaged or third-party devices remain isolated from the core network while maintaining high-performance access to the tools they need.
For administrators, setup is simple: configure your portal configurations, define your applications, and apply access policies to achieve immediate secure connectivity.
Key Real World Use Cases
- Enable Secure App Access on Unmanaged & BYOD Devices: Users can securely use personal devices or shared workstations for work without privacy concerns or the complexity of installing agents.
- Enhance Third-Party & Vendor Collaboration: Implement a robust authentication framework with Cloud Identity Engine (CIE) to verify all users and ensure secure, controlled access to sensitive data.
- Improve Contractors & Full Time Employees Access Management: IT contractors, developers and employees managing internal systems or accessing code repositories or internal apps.
SAA Brings Numerous Benefits to Customers and End-Users
SAA offers a streamlined approach to security that empowers your workforce while ensuring robust protection:
- Reduced Operational Overhead: SAA removes the need for agent installations or any on-premise components. Instead, it utilizes your existing Prisma Access infrastructure to deliver seamless, secure connectivity to any user, on any device, with minimal configuration required.
- Universal Browser Compatibility: SAA is compatible with any HTML5 compliant browser, ensuring broad accessibility with all organizations.
- Secure Access for All Workforces: Whether they are employees, contractors, or partners, SAA delivers consistent, secure access across locations, browsers, and device types - without compromising productivity.
- Scale with Global Infrastructure and Hyperscale: SAA leverages a globally distributed, cloud architecture to deliver optimized performance, high availability, and scalability for all users.
Coming Soon: Secure Agentless Access and Remote Browser Isolation Integration
Looking ahead, we are expanding our agentless capabilities with an upcoming integration between Secure Agentless Access (SAA) and Remote Browser Isolation (RBI). By pairing these technologies, we are extending security controls from internal private applications to cloud-based SaaS workflows.
With the upcoming SAA + RBI integration, customers will be able to achieve three primary outcomes:
-
Clientless Zero Trust Access for SaaS Apps
You can extend your Zero Trust architecture to unmanaged third-party vendors, contractors, and BYOD employees. Users can securely access critical corporate SaaS applications (such as Microsoft 365, Salesforce, or Workday) through a completely clientless architecture, ensuring the same security guardrails apply to unmanaged endpoints as they do to managed devices.
-
Granular Data Exfiltration Prevention and Data Controls for Private Web Apps and SaaS Apps
To Prevent corporate data leakage on unmanaged devices, the integration enforces strict data controls directly within the isolated session:
Clipboard and Input Control: Restrict actions like cut, copy, paste and printing.
File Transfer Restrictions: Block or limit file uploads and downloads. For secure workflows, files can be safely rendered and viewed with the cloud container without ever touching local storage.
-
Advanced Zero-Day Threat Protection
Because web content executes entirely within an air-gapped cloud environment, malicious scripts, malware, and credential-harvesting threats are neutralized before they ever reach the user's local browser. All isolated traffic undergoes full analysis backed by Cloud-Delivered Security Services (CDSS)—delivering robust threat prevention without taxing the user's local hardware or slowing down their experience.
Elevate Your ZTNA Posture Today
By eliminating the complexities of traditional access methods, SAA reduces costs, increases efficiency, and closes the security gaps from unmanaged devices.
Secure Agentless Access is now live. We invite you to explore how this solution can transform your secure access strategy and provide your extended workforce with the tools they need, exactly when they need them. For details on how to configure SAA, please visit our technical documentation linked here.
Forward-Looking Statements (unreleased feature only)
This blog contains forward-looking statements that involve risks, uncertainties and assumptions, including, without limitation, statements regarding the benefits, impact, or performance or potential benefits, impact or performance of our products and technologies or future products and technologies. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available.