
Hi Jamf Nation,



I am running into a weird issue in which Junos Pulse, when installed manually, is able to start and add connections just fine. However, when packaging the app in Composer using the normal snapshot method, and packaged as a DMG. Has anyone experienced this or know of a fix? I have attached screenshots below. Thanks!



I get the following error:



Failed to connect to the Pulse Secure service.



This is what it should look like, done with normal install



This is after packaging with Composer as a DMG using the snapshot method, Pulse Secure is turned off.



This is the error I receive when trying to add a connection from the DMG that was packaged.

Hi,



In our environment we distinguish between managed and unmanaged Macs with device certificates. They can be issued using either a SCEP or an AD certificate payload.
Pulse is configured to accept devices with certificates issued by our CA.
Not an ideal solution, but it works for us.


@rastogisagar we used to use the host checker to look for the jamf binary to allow connection.


@rihardsp do you have any reference link, please? When you say not ideal solution, what do you mean exactly?


@rastogisagar The certificate can be exported and imported to an unmanaged device and it will become "compliant". There is a way to make SCEP certificates not exportable, and you can also make the AD certs not exportable in the payload, but I think they will then require local admin rights for the user to use them. Not 100% sure, but I think I had this with AD certificates.
So maybe the solution mentioned by @ddcdennisb might be more secure. I'm actually now considering changing to this method.


@ddcdennisb will it make sure the Jamf device is compliant? If yes, could you please help walk me through the process?


@rastogisagar what do you mean by "Jamf device is compliant"?



We were using the fact that the machine had the jamf binary installed as being "compliant" in order to gain access to our VPN.



I was not the one that actually set up the host checker policy on the VPN Connector, so I'm sorry but I won't be able to fully assist there.


@rastogisagar



That is a great idea, I have reached out to Pulse Secure a few times asking for that feature (multiple calls) and they have not followed through ... If your network team has a good relationship with Pulse Secure maybe you could get them to ask Pulse Secure too?



With Jamf's "Jamf and" culture I am 1000% sure Jamf would work with them....



C



PS if you get any movement from Pulse Secure let me know and I will reach out again ...


@gachowski what do you mean by With Jamf's "Jamf and" culture I am 1000% sure Jamf would work with them....


@rastogisagar



It's part of Jamf's DNA that they work with other software vendors to make our job easier ... They have worked with Cisco, Symantec, and Microsoft just to name a few. I am 1000% sure that the ball is in "Pulse Secure" court and we need to try and "force" them to work with Jamf.



Here are some other examples ...
https://marketplace.jamf.com/apps/



C


@rastogisagar Pulse Secure can do quite a few different things to check for device compliance. Things we've used in our compliance matrix have included: jamf process running, boot drive encrypted with FileVault, version of installed McAfee software, and checksum of "fingerprint" file. Your admin for your Pulse Secure server should be able to configure this easily. If that's supposed to be you, I suggest you contact Pulse Secure support about configuring compliance checks.


@sdagley



You are right, Pulse can do all those checks; however, smart group integration with Jamf Pro would allow for more data points to check, faster adoption of Apple-supported settings like SIP, and real custom checks that are similar to what Pulse provides for Windows.



C


@sdagley thanks a lot for your reply. Do we need JAMF engagement in this? If that is the case, then we need to engage our JAMF technician. I am not from Pulse Secure; I am trying to collect information for my Pulse Secure team before jumping to any team, so I should be aware whether that is feasible. Whatever you have mentioned sounds perfect for me. Do you have any reference, supporting link, or document for the same?


@rastogisagar



It's all configured on the Pulse box..



C


@gachowski Are you thinking along the lines of the Network Integration feature in the JSS to provide compliance verification to Cisco ISE as a means of providing compliance verification for Pulse Secure? That could be useful if my VPN server folks were willing to cede Mac compliance control to Jamf Pro. Network Integration configurations are currently limited to one per Site, so my "Support multiple Network Integration instances without requiring separate Sites" Feature Request would hopefully come along for the ride.


@rastogisagar The Mac compliance settings for Pulse Secure are completely independent of Jamf Pro, but will likely utilize the presence of the Jamf software on your Mac as a compliance item. Unfortunately I do not have any documentation I can share with you on the subject. You really need to work with your Pulse Secure team, and probably Pulse Secure's technical support, to get the compliance check appropriate for your environment configured.


@sdagley No worries, thanks a lot, makes sense. I need one piece of expert advice from you. I am going for the Classroom 200 certification. Please suggest how I should prepare, and any mock test or study material I need to go through.


@rastogisagar Other than saying you should complete the online Jamf 100 course before taking the Jamf 200 course I don't have any specific advice on pre-course prep resources. Having completed your Jump Start, and having some hands on time with Jamf Pro would definitely help. I thought there were course specific resource references listed on the course description pages on the Jamf site, but I don't see those now, but they may be provided after you register. Take notes during the course, testing is (or at least used to be) open book, and for the 200 testing will pretty much be specific to material covered in the class. The 300 and 400 courses require deeper Mac knowledge and/or good search foo for Jamf Nation posts and Rich Trouton's blog on the subject in question.


@rastogisagar I found the Jamf course resources page I was thinking of: Course Resources


@sdagley



While I don't know all the details of the Cisco ISE integration, that is the "general" idea I tried to "sell" to Pulse Secure and was trying to get re-started again now. I don't think the server folks have to cede Mac compliance controls to Jamf... I just more controls than the Pulse offers, I am sort of sure that Pulse doesn't even do the checking I think it's a third party app that Pulse Secure runs inside Pulse. A true win would be the current Pulse checks plus Jamf Pro smart groups that way I can use EAs for even more checks.



C


Hi, The above scripts are not working with new Pulse Secure 9.0.3 and we really do not need to copy the config file when we use DUO authentication when you log in to the VPN. I'll appreciate if anybody has a new workflow building the package and post-install script for the new version. Also, we need the kext and Team ID.
The MDM protocol specifies a kernel extension policy:
To approve Pulse Secure kernel extension thru MDM and without user consent, please add the following keys to the MDM kernel extension policy described above:
Team Identifier = 3M2L5SNZL8
Bundle Identifier of kext = net.pulsesecure.PulseSecureFirewall
Thanks in advance!


@nikjamf



We are still using



"/Applications/Pulse Secure.app/Contents/Plugins/JamUI/jamCommand" -importfile "/temp location"



And the same process as my 2016 post in this thread...



I just tested minutes ago with yesterday's released Pulse 9.0r3.2-b1667 in our dev environment; it worked as it should...



C


Hi @nikjamf,
I'm new to Mac packaging.
I'm looking for help packaging Pulse Secure 9.0.3 with Composer.
I'd appreciate it if anyone can help me.

Thank you.


@Ram



You don't have to re-package Pulse, you can just upload the app... you just have to run

"/Applications/Pulse Secure.app/Contents/Plugins/JamUI/jamCommand" -importfile "/temp location"



To preload the connections ...



C



PS there is 9.1 available


@gachowski



Could you help me do this step by step, to install Pulse Secure on Mac devices from Jamf? I really need help on this.

When I try to install manually on a Mac, it works without any issues and creates a Pulse Secure folder in /Library/Application Support.

When uploading the same pkg to Jamf, I am creating a policy to make the pkg available in Self Service.

When trying to install the pkg, it installs, but it is not working 😞

There is only one log file inside Library/Application Support.

When opening Pulse Secure, it throws the error 'failed to connect to pulse secure service'.

Please help.


@Ram



No promises but this is what we do...




  1. Add Pulse.app straight to Jamf Pro

  2. Download from your Pulse Server a custom components.jnprpreconfig file (this is just a .sh changed to .jnprpreconfig) but you have to follow the Pulse directions so you get the correct info in the file.

  3. Use Composer to build a .pkg to store the components.jnprpreconfig in a temp location of your choice

  4. Install both the app and the components.jnprpreconfig file on the machine

  5. Using a 3rd script before you launch Pulse run "/Applications/Pulse Secure.app/Contents/Plugins/JamUI/jamCommand" -importfile "/temp location of your components.jnprpreconfig"


  6. Delete the components.jnprpreconfig file as it's plain text and has all your wifi info..




Old but still current I think..



https://www.juniper.net/documentation/software/pulse/guides/j-pulse-3.0R1-adminguide.pdf



https://community.pulsesecure.net/t5/Pulse-Connect-Secure/Where-to-obtain-jnprpreconfig-for-preconfigured-installation/td-p/5758



C
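
Steps 5 and 6 of the procedure above as one Jamf policy script, as an added example that is not part of the original post or of Pulse Secure's tooling. It assumes the staged path arrives in Jamf script parameter 4; `preconfig_is_safe` and `import_preconfig` are hypothetical helper names, and only the `jamCommand -importfile` invocation comes from the thread.

```shell
#!/bin/bash
# Added example, not from the thread: steps 5 and 6 as a Jamf Pro policy script.
# Assumption: Jamf script parameter 4 carries the path where the Composer .pkg
# staged components.jnprpreconfig (a location of your choosing, as in step 3).

# jamCommand path as quoted in the thread; overridable through the environment.
JAMCOMMAND="${JAMCOMMAND:-/Applications/Pulse Secure.app/Contents/Plugins/JamUI/jamCommand}"

# Jamf policy scripts run as root, so only accept a staged file that is a
# regular file, not a symlink, owned by the user running this script, and not
# writable by group or other (nobody else could have swapped its contents).
preconfig_is_safe() {
    local f="$1"
    [ -f "$f" ] && [ ! -L "$f" ] && [ -O "$f" ] || return 1
    [ -z "$(find "$f" \( -perm -020 -o -perm -002 \) -print)" ]
}

# Import the connections, then always delete the plain-text file (step 6),
# even when the check or the import failed. Returns 0 on success, 2 if the
# file or jamCommand was rejected, otherwise jamCommand's own exit status.
import_preconfig() {
    local f="$1" status=0
    if preconfig_is_safe "$f" && [ -x "$JAMCOMMAND" ]; then
        "$JAMCOMMAND" -importfile "$f" || status=$?
    else
        status=2
    fi
    rm -f -- "$f"
    return "$status"
}

# Jamf passes mount point, computer name and user name as $1-$3; $4 is the
# first custom parameter. Without it the script only defines the functions.
if [ -n "${4:-}" ]; then
    import_preconfig "$4"
    exit $?
fi
```

A non-zero exit marks the policy run as failed in the Jamf log, while the preconfig file is removed in every case.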

