We have deployed Pulse Secure 9.1.9 into production and my macOS 10.15.x Catalina Macs are now prompting users to...
1. Approve the System Extension in System Prefs Security & Privacy Pane (this pop-up is similar to older Kernel Extensions).
2. Approve "Filter Network Content" (this is a new pop-up warning).
These warnings tend to scare my users and the users usually click the wrong buttons (or ignore the messages).
To proactively mitigate this issue, I have created a Jamf MDM profile with a System Extension Approval payload. However, my Catalina users are still getting the pop-up warnings when Pulse Secure 9.1.9 is launched for the first time. I assume the same issue will apply for Big Sur too (which I don't have in production yet, but I see similar behavior in my test environment).
In some cases, the System Extension appears to be approved, but the second "Filter Network Content" warning is not approved.
I have read all the applicable Pulse Secure support KBs on this matter. I think I'm doing this correctly.
Is anyone else wrestling with this issue in Catalina (or Big Sur)?
(See attached screenshots).
BTW: These Pulse Secure docs outline the behavior and expectations of 9.1.9 and system extensions.
"...Pulse uses the 'Content-filter-provider' entitlement to filter the traffic. The 'Content Filtering' notification will only show once. Pulse cannot avoid / bypass the 'Content Filtering' prompt. However, customers can whitelist the Pulse Secure system extension. To whitelist the Pulse Secure extension, see the Pulse Secure TeamID and bundle ID using systemextensionsctl list. This can be done on any MDM provider; Jamf being one of them."
My biggest question is: What if an end-user clicks "Don't Allow" - How does IT troubleshoot and revert this setting? Where does it live? Are there CLI tools to remediate this setting?
Apple's docs don't mention any local CLI/GUI tools to manually revert via script, etc. (see https://support.apple.com/guide/mdm/web-content-filter-payload-settings-mdmc77c9609/web)
Can a content filter profile be built manually outside of Jamf (i.e., Apple Configurator, etc.)?
admin1@test ~ % systemextensionsctl list
1 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* * 3M2L5SNZL8 net.pulsesecure.firewall.systemextension (1.0/1) PulseSecureFirewallSysExt [activated enabled]
(I forgot to add this to my original post sorry)
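Added example, not part of the original posts: a shell check that parses `systemextensionsctl list` output for the Team ID and bundle ID quoted above and reports whether the extension is approved, for use in a troubleshooting or inventory script. The function names are hypothetical, and the "waiting for user" row is a constructed sample.

```shell
#!/bin/sh
# Added example; function names are hypothetical. IDs come from the thread.
TEAM_ID="3M2L5SNZL8"
BUNDLE_ID="net.pulsesecure.firewall.systemextension"
HEADER='enabled active teamID bundleID (version) name [state]'
# Row quoted in the thread (approved), then a constructed row (approval pending).
SAMPLE_APPROVED="$HEADER
* * $TEAM_ID $BUNDLE_ID (1.0/1) PulseSecureFirewallSysExt [activated enabled]"
SAMPLE_PENDING="$HEADER
    $TEAM_ID $BUNDLE_ID (1.0/1) PulseSecureFirewallSysExt [activated waiting for user]"

# Print the bracketed state of the row matching team ID + bundle ID, or "not-found".
sysext_state() {
    awk -v team="$1" -v bundle="$2" '
        {
            sub(/[ \t\r]+$/, "")
            t = 0; b = 0
            for (i = 1; i <= NF; i++) {
                if ($i == team) t = 1
                if ($i == bundle) b = 1
            }
            if (t && b && match($0, /\[[^]]*\]$/)) {
                print substr($0, RSTART + 1, RLENGTH - 2)
                found = 1
                exit
            }
        }
        END { if (!found) print "not-found" }'
}

# Map the raw state to a label usable in an inventory report.
sysext_check() {
    case "$(sysext_state "$1" "$2")" in
        "activated enabled") echo "OK" ;;
        *"waiting for user"*) echo "PENDING_USER_APPROVAL" ;;
        not-found) echo "NOT_INSTALLED" ;;
        *) echo "OTHER" ;;
    esac
}

# Live check on a Mac; otherwise run against the embedded samples.
if command -v systemextensionsctl >/dev/null 2>&1; then
    systemextensionsctl list | sysext_check "$TEAM_ID" "$BUNDLE_ID"
else
    printf '%s\n' "$SAMPLE_APPROVED" | sysext_check "$TEAM_ID" "$BUNDLE_ID"
    printf '%s\n' "$SAMPLE_PENDING" | sysext_check "$TEAM_ID" "$BUNDLE_ID"
fi
```

This reports only the System Extension approval state; it says nothing about the separate "Filter Network Content" prompt discussed in this thread.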
I've been encountering similar issues with Pulse Secure 9.1.8r2 and 9.1.9 on Catalina with the additional popups even if the system extension profile is in place. Even the attempts to make the web content filter suppressed have caused issues.
I had two mobileconfig files via #Pulsesecure discussion to try out (Without signing and signed) but ended up having more issues with the application i.e. not being able to connect to the VPN points at all. The issue appeared both on Catalina and Big Sur.
I have an open case with Pulse Case to follow this at the moment.
Anyone else on Catalina or Big Sur seeing multiple Pulse Secure 9.1.9 objects in the macOS Network Pref Pane? We are seeing...
A network interface that can be manually removed via minus button. It returns on certain Macs, but not on others. Macs can still connect to VPN without it.
A (Network Content Filter) System Extension that can NOT be removed. Always active. Some Macs see this, others do not. Macs can still connect to VPN without it.
Is there any reason why you can't just use "Allowed Team Identifiers" instead of specifying individual extensions? Just curious if that's been tried at all, or if users would still get the approval prompts regardless.
I figured out why I was seeing (2) objects in the Network preference pane:
The 'PulseSecureFirewallSysExt' only appears if I enable a Network Content Filter profile in Jamf Pro 10.26.0 (I got the profile settings from the payload via Slack that were originally designed by a Pulse Secure support engineer). As soon as I removed the profile, the 'PulseSecureFirewallSysExt' disappears.
These new extension types will appear in /Library/Preferences/com.apple.networkextension.plist.
Guess I need to wrap my head around exactly what the new Network Content Filter profiles are doing - I was simply trying to suppress the purple Network Content Filter notification pop-up ...
@timlarsen I have tried both a TeamID and explicit extension names, too. I will do more testing soon. For now I'm waiting for Pulse Secure to release 9.1R10 because we are seeing crashing and other issues with 9.1R9. Thus wrangling the new annoying pop-ups has slipped in priority.
BTW: Pulse Secure was recently acquired by another company (Ivanti) and my sales and support reps were both 'let go' last week (see https://www.pulsesecure.net/press-releases/pulse-secure-to-be-acquired-by-ivanti/).
Starting with Pulse Secure 9.1.8+, macOS 10.15 Catalina and macOS 11 Big Sur will not use legacy KEXTs, but rather the new SEXTs (System Extensions). And they are more dynamic and load only under certain circumstances - depending on server-side configs like HostChecker, IPv4 Enforcement, and other factors (according to PS support call). So your mileage may vary in terms of what you are seeing (or not seeing) on your Macs in terms of the Network Pref Pane, the purple Network Content Filter pop-up, etc. (and what type of profiles you are pushing from Jamf, of course).
I'm able to block (approve) the main System Extension pop-up (behaves just like the KEXT in terms of how Jamf profiles work). But I still can't suppress the Network Content Filter pop-up.
BTW: I was told PS 9.1R10 will drop this week.
Did you have any luck on this one? Still trying to get this to install without getting the Filter Network Content pop-up. Also running into this with Carbon Black. I have followed the instructions and even though everything seems to be approved via Configuration Profile, I am still getting a pop-up asking me for permission to Filter Network Content.
@mherbster I'm still in the same boat regarding the Filter Network Content pop-up on both 9.1R9 and 9.1R10 (R10 is worse actually - I have a HostChecker timeout issue on Big Sur Macs on 9.1R10 (see https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44643)). We have an ongoing case with Pulse Secure support. They claim that 9.1R11 will be out Jan 25ish.
I have 9.1.r9 working on Big Sur, unfortunately not via deployment but manual install, I guess a permission issue.
To make use of 9.1.r10 the concentrator should be updated as well in order to make use of it.
I'm still using 9.16 in BS (beta version) and with no Host Checker, it's working fine thus far.
Simple setup, but luckily still functional. I've read that a new BS version is possibly coming end of Jan ¯_(ツ)_/¯
I'm in the same boat as everyone. At least it is good to know we can bypass the first prompt to Allow Pulse Secure extension. What I found is that a user must have admin to approve system extension for Pulse Secure extension. It may be a problem if you do not allow admin in general. Additionally, has anyone tested whether you will need admin to allow the Content Filter prompt?
System Extensions can be approved automatically via Jamf MDM profile (same as older KEXTs). However, the Network Content Filter pop-up does not appear to be avoided. However, if you disable IPv4 Traffic Enforcement on your Pulse Secure appliance, then macOS Big Sur will not display the Network Content Filter pop-up.
Running macOS Catalina (10.15.7) with Pulse Secure 9.1.10 (5655), I have been able to get Pulse working without any prompts for the end user utilizing these settings:
Found a KB posted by Pulse which is what my config is based on: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44783
@mrinaldi Based on your attached screenshots, it looks like you didn't apply ALL of the recommended settings/values that are listed in the Pulse Secure support KB article.
Are those settings simply missing in this screenshot due to cropping, or did you customize your profile differently than what Pulse Secure recommends? Example of some options that appear to be missing in your profile:
Here is an example of my prototype Content Filter profile (not in production yet)
@dstranathan From what I can tell, those additional settings you mentioned are configured via the built-in fields within the Content Filter and System Extensions profile pages:
What I've laid out above is somewhat of a theory, but looking at an export of the Configuration Profile, it all does seem to match up based on what I could find.
Thanks for the detailed answer - much appreciated!
Because the Pulse Secure Team ID in the System Extension's payload doesn't mean that the Content Filter's payload can see and reference the Team ID, correct?
I have my System Extension Approval payload (which contains the Team Identifier of '3M2L5SNZL8') and my Content Filter payload for Pulse Secure in (2) separate MDM profiles.
I'm wondering if I need to explicitly add the Pulse Secure Team Identifier (3M2L5SNZL8) to my Content Filter profile or not...?