Posted on 08-24-2018 03:17 PM
Hi,
I've been facing some issues installing the GlobalProtect VPN client. I created a package that simply drops Global Protect in /tmp and then I added a post-install script that installs and configures the VPN. This is the script:
#!/bin/sh
#variables
loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`
portalAddress1="vpnportal.address.com"
service='GlobalProtect'
#remove already running GP client if it is running
if ps ax | grep -v grep | grep "${service}" > /dev/null 2>&1;
then
sh /Applications/GlobalProtect.app/Contents/Resources/uninstall_gp.sh
echo "removed GP client"
else
echo "Global Protect is not present"
fi
#Add GP Gateway URL in GP plist
sudo echo '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>Palo Alto Networks</key><dict><key>GlobalProtect</key><dict><key>PanSetup</key><dict><key>Portal</key><string>'$portalAddress1'</string><key>Prelogon</key><integer>0</integer></dict></dict></dict></dict></plist>' >> /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
#Install downloaded version of Global Protect
sudo /usr/sbin/installer -pkg /tmp/GlobalProtect-4.1.3.pkg -target /
echo "installed latest GP version"
#change ownership of GP client
chown -R $loggedInUser:staff /Applications/GlobalProtect.app
#running recon
sudo jamf recon
When JAMF pushes the policy, the client is unable to start. According to the logs, I am seeing that the client is unable to connect to the GP port.
89356-T38423 Aug 24 11:44:45:999502 Error( 76): Failed to connect to server at port:4767
P89356-T38423 Aug 24 11:44:45:999513 Error( 215): Cannot connect to service, error: 61
However, when I ran sudo jamf policy -id <id> on the client device, Global Protect starts working.
Has anyone faced similar issues?
Posted on 08-26-2018 12:00 AM
It looks like you are trying to add the portal after removing the old Global Protect and before installing the new one. Does the plist exist in that window? Would it work if you added the plist change after installing the new version? Ideally delete and rebuild the plist.
Posted on 08-26-2018 04:08 PM
@rrs thanks for looking into this! When I look at it now, logically you are 100% correct. However, when I call the policy manually through sudo jamf policy -id <id> from the device, everything works as expected.
Posted on 10-07-2019 01:34 PM
@pleegor Did you ever find a solution to this?
Posted on 11-07-2019 08:40 AM
@pleegor @leeskade I've finally figured it out. The launchagents are not loading during the current session due to a key in the plists.
In /Library/LaunchAgents, the plists:
com.paloaltonetworks.gp.pangps.plist
com.paloaltonetworks.gp.pangpa.plist
I omitted the 'LimitLoadToSessionType' key along with the string 'Aqua' and then I was able to load these launchagents using launchctl.
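
Added example, not code from this thread or from Palo Alto Networks: a Python check that reports the LimitLoadToSessionType value in a LaunchAgent plist and produces a copy without the key, which is the edit described in the last post. The sample plist is constructed; its Label and ProgramArguments are placeholders, and the function names are hypothetical.

```python
import plistlib

# Constructed sample, NOT the real GlobalProtect agent plist: only the
# LimitLoadToSessionType key and its "Aqua" value come from the thread.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.agent</string>
    <key>ProgramArguments</key>
    <array><string>/usr/bin/true</string></array>
    <key>LimitLoadToSessionType</key>
    <string>Aqua</string>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
"""

KEY = "LimitLoadToSessionType"


def session_types(plist_bytes):
    """Return the session types the job is limited to ([] if the key is absent)."""
    value = plistlib.loads(plist_bytes).get(KEY)
    if value is None:
        return []
    # launchd.plist(5) allows either a single string or an array of strings.
    return [value] if isinstance(value, str) else list(value)


def without_session_limit(plist_bytes):
    """Return (new_plist_bytes, removed_types); the input bytes are not modified."""
    job = plistlib.loads(plist_bytes)
    removed = session_types(plist_bytes)
    job.pop(KEY, None)
    # sort_keys=False keeps the original key order so a diff shows only the removal.
    return plistlib.dumps(job, fmt=plistlib.FMT_XML, sort_keys=False), removed


if __name__ == "__main__":
    new_bytes, removed = without_session_limit(SAMPLE_AGENT)
    print("limited to:", removed or "key not present")
    print(new_bytes.decode())
```

Writing the result to a separate file and diffing it against the installed plist shows exactly what changed before anything under /Library/LaunchAgents is replaced.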