New GSA client on macOS slow connecting can take up to 15 minutes

Client Preview Status The macOS client was in private preview until July 2025 and only recently entered general availability (GA). Just my thought, could be that improvements are still rolling out.

Platform Limitations

• IPv6 not supported: Only IPv4 traffic is tunnelled.
• DNS over HTTPS conflicts: If enabled, the client may fail to acquire traffic. Intune mitigations are in place to disable this.
• QUIC protocol issues: UDP/QUIC traffic is not captured, which may affect apps like Outlook

Authentication Changes Mutual TLS (mTLS) authentication was recently introduced for some users. This may affect how quickly trust is established between client and edge.

Recommended Actions

• Reset User Defaults Hold the Option or Alt key while clicking the GSA tray icon → select Reset User Defaults. This forces re-authentication and may resolve tunnel issues.
• Verify Device Registration Ensure the macOS device is properly registered in Entra ID via the Company Portal
• Check Logs Navigate to: ~/Library/Containers/com.microsoft.naas.globalsecure-df/Data/Library/Logs Review logs for tunnel status and errors
• Update Client Version Confirm you're using the latest GA version. Older builds may not support recent authentication or traffic acquisition features.
• Disable IPv6 & Secure DNS Use Intune or manual settings to prefer IPv4 and disable DNS over HTTPS.