GSA macOS Client -

Question

GSA macOS Client -

Alex 5

GSA macOS Client — Support Ticket

Two issues: DNS resolution failures + tunnel provider crashes

Environment

GSA Client1.1.25111702PlatformmacOS 26.3.1 (Sequoia) — Intune-managed MacBook fleetEdgeAustralia EastProfilesPrivate Access + Microsoft 365 (Internet Access not licensed)ScopeMultiple users, multiple networks, random sites---

Issue 1: Intermittent DNS Resolution Failures

Users randomly get ERR_NAME_NOT_RESOLVED in the browser. Affects multiple users, networks, and unrelated domains. Restarting GSA temporarily fixes it.

Cause

GSA's DNS resolver uses a single thread (dns_config ThreadsToUse: 1). When the resolver is under any load, legitimate DNS queries for bypass-destined domains fail instantly with error -65554 in under 30ms — far too fast for a real timeout. GSA returns 0.0.0.0 to the OS and the browser shows ERR_NAME_NOT_RESOLVED.

Evidence

Example domain — query to failure in 29ms:

[11:49:39.128] DNS_FILTER using dns service for qname

Ravi Varma Mudduluru 9,285 Reputation points Microsoft External Staff Moderator

2026-03-19T13:03:04.29+00:00
Hello @Alex,

Thank you for reaching out to Microsoft Q&A.

The single-threaded DNS issue and the SettingsNotModified error are helpful for narrowing down the problem. These are common issues on macOS.

Disable Secure DNS everywhere

On the Mac: System Settings → Network → [your Wi-Fi/Ethernet] → Details → DNS → turn off “Use encrypted DNS” (or set it to Off).

In Chrome/Edge/Safari: Go to settings and disable Secure DNS / DoH.

Microsoft docs explain why: Known limitations for Global Secure Access – Secure DNS section

Clear the cache & pull fresh policy (fixes the deserialization crash)

Click the GSA icon in the menu bar → Settings → Troubleshooting.

Click Clear cached data, then Get Latest Policy.

Quit and reopen the client.

This forces a clean policy fetch instead of hitting the empty “SettingsNotModified” response that’s breaking the gRPC streams.

Reference: Install & troubleshoot the macOS client – Settings section

Quick validation Run the built-in health check: GSA icon → Settings → Troubleshooting → Advanced Diagnostics → Health Check tab. Look for green checks on “Is DNS encrypted” (should be No) and “Forwarding profile cached in a file.”

Details here: Troubleshoot the macOS Global Secure Access client – Health check

After these steps, restart the client once and test. The DNS resolver should stop dropping queries under normal load, and the tunnel stays stable.

If you’re still seeing the crash after this, just attach the latest crash report from /Library/Logs/DiagnosticReports/ in the private message.

Kindly let us know if the above helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.

1 answer

Your answer

Ravi Varma Mudduluru 9,285 Reputation points Microsoft External Staff Moderator

2026-03-19T13:03:04.29+00:00

Hello @Alex,

Thank you for reaching out to Microsoft Q&A.

The single-threaded DNS issue and the SettingsNotModified error are helpful for narrowing down the problem. These are common issues on macOS.

Disable Secure DNS everywhere

On the Mac: System Settings → Network → [your Wi-Fi/Ethernet] → Details → DNS → turn off “Use encrypted DNS” (or set it to Off).

In Chrome/Edge/Safari: Go to settings and disable Secure DNS / DoH.

Microsoft docs explain why: Known limitations for Global Secure Access – Secure DNS section

Clear the cache & pull fresh policy (fixes the deserialization crash)

Click the GSA icon in the menu bar → Settings → Troubleshooting.

Click Clear cached data, then Get Latest Policy.

Quit and reopen the client.

This forces a clean policy fetch instead of hitting the empty “SettingsNotModified” response that’s breaking the gRPC streams.

Reference: Install & troubleshoot the macOS client – Settings section

Quick validation Run the built-in health check: GSA icon → Settings → Troubleshooting → Advanced Diagnostics → Health Check tab. Look for green checks on “Is DNS encrypted” (should be No) and “Forwarding profile cached in a file.”

Details here: Troubleshoot the macOS Global Secure Access client – Health check

After these steps, restart the client once and test. The DNS resolver should stop dropping queries under normal load, and the tunnel stays stable.

If you’re still seeing the crash after this, just attach the latest crash report from /Library/Logs/DiagnosticReports/ in the private message.

Kindly let us know if the above helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.

Answer 1

I ended up resolving the issue with the affected user by doing the following:

Uninstalling GSA
Running the following commands:

sudo rm -rf "/var/root/Library/Application Support/com.microsoft.globalsecureaccess.tunnel/" sudo rm -f /etc/resolver/private.edgediagnostic.globalsecureaccess.microsoft.com sudo rm -f /etc/resolver/auth.edgediagnostic.globalsecureaccess.microsoft.com sudo rm -rf "/Library/Logs/Microsoft/globalsecureaccessclient/" sudo systemextensionsctl reset

Re-installed GSA
I then had to get a naas_policy from a working pc using:

sudo cat "/var/root/Library/Application Support/com.microsoft.globalsecureaccess.tunnel/naas_policy"

I then sent to the affected user and they copied it from their downloads to the following location:

sudo mkdir -p "/var/root/Library/Application Support/com.microsoft.globalsecureaccess.tunnel/" sudo cp ~/Downloads/naas_policy "/var/root/Library/Application Support/com.microsoft.globalsecureaccess.tunnel/naas_policy" sudo chmod 600 "/var/root/Library/Application Support/com.microsoft.globalsecureaccess.tunnel/naas_policy"

After restarting GSA/getting latest policy on user machine it worked.

I suspect there was some stale config in one of these files that was causing the issue even after re-installing GSA. Clearing all this seemed to fix it.

Share via

GSA macOS Client -

GSA macOS Client — Support Ticket

Environment

Issue 1: Intermittent DNS Resolution Failures

Cause

Evidence

1 answer

Your answer