We have deployed Pulse Secure 9.1.9 into production and my macOS 10.15.x Catalina Macs are now prompting users to...

1. Approve the System Extension in System Prefs Security & Privacy Pane (this pop-up is similar to older Kernel Extensions).
2. Approve "Filter Network Content" (this is a new pop-up warning).

These warnings tend to scare my users and the users usually click the wrong buttons (or ignore the messages).

To proactively mitigate this issue, I have created a Jamf MDM profile with a System Extension Approval payload. However, my Catalina users are still getting the pop-up warnings when Pulse Secure 9.1.9 is launched for the first time. I assume the same issue will apply to Big Sur too (which I don't have in production yet, but I see similar behavior in my test environment).

In some cases, the System Extension appears to be approved, but the second "Filter Network Content" warning is not approved.

I have read all the applicable Pulse Secure support KBs on this matter. I think I'm doing this correctly.

Is anyone else wrestling with this issue in Catalina (or Big Sur)?

(See attached screenshots).

 

@mrinaldi Based on your attached screenshots, it looks like you didn't apply ALL of the recommended settings/values that are listed in the Pulse Secure support KB article.

Are those settings simply missing in this screenshot due to cropping, or did you customize your profile differently than what Pulse Secure recommends? Example of some options that appear to be missing in your profile:

    • payloadtype: com.apple.webcontent-filter
    • team-identifier: 3M2L5SNZL8
    • FilterType: Plugin
    • FilterGrade: firewall
    • PluginBundleID: net.pulsesecure.Pulse-Secure
    • FilterSockets: true
    • FilterPackets: true
    • FilterBrowsers: false 


Here is an example of my prototype Content Filter profile (not in production yet)



@dstranathan From what I can tell, those additional settings you mentioned are configured via the built-in fields within the Content Filter and System Extensions profile pages:

  • payloadtype = automatically configured via Jamf. When configuring the "Content Filter" settings, it sets the payloadtype as "com.apple.webcontent-filter" automatically. Confirmed when looking at an export of the .mobileconfig of the Configuration Profile
  • team-identifier = "Team Identifier" field within the "System Extensions" settings
  • FilterType = automatically configured via Jamf. When configuring the "Content Filter" settings, it sets the Filter Type as "Plugin" automatically. Confirmed when looking at an export of the .mobileconfig of the Configuration Profile
  • FilterGrade = "Filter Order" field within the "Content Filter" settings
  • PluginBundleID = "Identifier" field within the "Content Filter" settings
  • FilterSockets = automatically configured via Jamf. When configuring the "Socket Filter" settings, it sets the Filter Sockets to "true" automatically. Confirmed when looking at an export of the .mobileconfig of the Configuration Profile
  • FilterPackets = automatically configured via Jamf. When configuring the "Network Filter" settings, it sets the Filter Packets to "true" automatically. Confirmed when looking at an export of the .mobileconfig of the Configuration Profile
  • FilterBrowsers = since the Pulse article says to set this to "true" on the 2nd iteration, I saw in the Apple developer documentation that this is set to "true" by default, so I did omit this setting.

What I've laid out above is somewhat of a theory, but looking at an export of the Configuration Profile, it all does seem to match up based on what I could find. 
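
One way to run the check described in the post above, comparing an exported .mobileconfig against the keys listed in this thread (an added example, not part of the original posts and not Pulse Secure or Jamf tooling). It assumes an unsigned export; `audit_profile` is a hypothetical helper name and the sample profile is constructed.

```python
import plistlib

FILTER_PAYLOAD_TYPE = "com.apple.webcontent-filter"

# Keys and values as listed in this thread. FilterBrowsers is given as false in
# one post and discussed as true in another, so only its presence is reported.
EXPECTED = {
    "FilterType": "Plugin",
    "FilterGrade": "firewall",
    "PluginBundleID": "net.pulsesecure.Pulse-Secure",
    "FilterSockets": True,
    "FilterPackets": True,
    "FilterBrowsers": None,  # presence only
}

def audit_profile(data: bytes) -> dict:
    """Return {key: status} for the first content-filter payload in the profile."""
    profile = plistlib.loads(data)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == FILTER_PAYLOAD_TYPE:
            break
    else:
        raise ValueError("no com.apple.webcontent-filter payload in profile")
    report = {}
    for key, want in EXPECTED.items():
        if key not in payload:
            # Not written to the export: the OS default applies on the client.
            report[key] = "absent"
        elif want is None or (type(payload[key]) is type(want) and payload[key] == want):
            report[key] = "ok"
        else:
            report[key] = f"mismatch: {payload[key]!r}"
    return report

# Constructed sample: a profile with a wrong FilterGrade and two keys missing.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.system-extension-policy"},
        {"PayloadType": FILTER_PAYLOAD_TYPE, "FilterType": "Plugin",
         "FilterGrade": "inspector", "FilterSockets": True,
         "PluginBundleID": "net.pulsesecure.Pulse-Secure"},
    ],
})

if __name__ == "__main__":
    for key, status in audit_profile(SAMPLE).items():
        print(f"{key:16} {status}")
```

Keys reported as "absent" are the ones to compare against the vendor KB, since the client will fall back to whatever default the OS uses for them.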


Thanks for the detailed answer - much appreciated!

Spitballing here:

Just because the Pulse Secure Team ID is in the System Extension's payload doesn't mean that the Content Filter's payload can see and reference the Team ID, correct?

I have my System Extension Approval payload (which contains the Team Identifier of '3M2L5SNZL8') and my Content Filter payload for Pulse Secure in (2) separate MDM profiles.

I'm wondering if I need to explicitly add the Pulse Secure Team Identifier (3M2L5SNZL8) to my Content Filter profile or not...?