Hi Jamf Nation,
I am running into a weird issue: when Junos Pulse is installed manually, it is able to start and add connections just fine. However, when the app is packaged in Composer using the normal snapshot method and deployed as a DMG, it does not. Has anyone experienced this or know of a fix? I have attached screenshots below. Thanks!
I get the following error:
Failed to connect to the Pulse Secure service.
This is what it should look like, done with normal install
This is after packaging with composer as a DMG using the snapshot method, Pulse Secure is turned off.
This is the error I receive when trying to add a connection from the DMG that was packaged.
We use Pulse and there is an install script that is required to run in order to get it installed. My install policy copies the actual installer pkg and a configuration file to /users/shared/ and then a script runs that calls upon the installer to reference the files. I was given the installer script by our Network team. I presume it's a script that was provided to them by Junos. You may want to look down that avenue. I would seriously doubt a snapshot is enough to get things working because it's a service that is basically always running and something (maybe a LaunchDaemon?) needs to get it going.
I have a snapshot package that I use to install Junos during imaging and stand-alone if needed. I have baked in our configs. After the install we need to run a script to make sure each computer gets a unique GUID so that machines don't kick each other off when connecting.
We used to see that error as well and after updating my package to the latest version it hasn't seemed to be an issue. Pulse 5.1.5 (60701)
Below is the script I created to do so.
```bash
#!/bin/bash
# stop pulse access service
# remove local guid from connstore.dat
# restart service
# (paths under /Library/Application Support contain spaces and must be quoted)
sudo launchctl unload /Library/LaunchDaemons/net.juniper.AccessService.plist
sudo rm -rf "/Library/Application Support/Juniper Networks/Junos Pulse/DeviceID"
sudo sed -i .bak "/guid/d" "/Library/Application Support/Juniper Networks/Junos Pulse/connstore.dat"
sudo launchctl load /Library/LaunchDaemons/net.juniper.AccessService.plist
```
In the past few years I have just copied the Pulse Secure app straight to casper admin, with "install on boot drive after imaging" selected.
We have a second .pkg with the custom .jnprpreconfig file install in a temp location, and in our 1st log in script we just have a line....
```bash
# "/temp location" is wherever the second .pkg dropped the .jnprpreconfig file
"/Applications/Pulse Secure.app/Contents/Plugins/JamUI/jamCommand" -importfile "/temp location"
```
(I think that is straight from the manual/deployment guide many years ago) :)
I haven't ever had to do this on an "in use" computer, except once when testing a possible BYOC (years ago) with Self Service or pushed in a policy, but I kind of remember that it needed a reboot...
If you are using a script, I think one of the most recent versions changed the internal names to Pulse Secure instead of Junos Pulse, too, so watch out for that...
I ran into the exact same issue when using Composer. I was able to get the install working by copying the .pkg (the one you use to manually install) to the computer then installing it using the command:
/usr/sbin/installer -pkg <location of the .pkg> -target /
So far this method is working for me through Self Service
Odd part is that the Composer version works when used with Casper Imaging but not through Self Service.
I never could get the profiles to just 'work' but with some digging I found that you can use Pulse's little advertised command line tool to import them.
So I have a package that I run separate from the app. It puts a file I received from our netsec group (it's just a text file so I was able to rename the connections as we pleased) in /tmp, then runs the command-line tool to import that, and finally removes the original file.
```bash
#!/bin/bash
# Launch the Pulse tray so the import is picked up, import the config staged in /tmp, then remove it
# (the app path contains a space and must be quoted; the import and the cleanup use the same /tmp path)
open "/Applications/Junos Pulse.app/Contents/Plugins/JamUI/PulseTray.app"
"/Applications/Junos Pulse.app/Contents/Plugins/JamUI/jamCommand" -importfile /tmp/ConfigDeploy.jnprpreconfig
rm -f /tmp/ConfigDeploy.jnprpreconfig
```
I have just been tasked with trying to get this to work. I have followed @rtrouton's guide, and it does not work for me.
Being a new person to Mac, I am taking the unlikely road of "hey just take what he did and rename a few things and hope it sticks"
I know I am doing something wrong, as I am kinda flying blind with this.
The new version of Pulse Secure 5.2R4 is obviously named different than the Junos name, so in the script i renamed what I believe is correct.
I am leveraging Casper so I was not sure if there was something that needs to be done differently to the created package in order for it to work, but just running the .pkg on a machine does not install.
I see things like this in the install.log:
./postinstall: installer: Error the package path specified was invalid: ''.
./postinstall: hdiutil: detached failed - no such file or directory
So without a doubt it is not working as intended.
If I am deploying it using Casper, do I need to check off "Require Admin password for installation"? I assume so as it is touching the Applications folder.
My .pulsepreconfig file has a space in it, so not sure if that also has something to do with it.
This is just a snippet, but you get the idea that it is just a rename of the client and location names...
```sh
#!/bin/sh
# Specify location of the Pulse Secure disk image
TOOLS=$install_dir/“PulseSecure.dmg"
# Specify location of the Pulse Secure configuration file
VPN_CONFIG_FILE=$install_dir/"My Company.pulsepreconfig”
# Specify a /tmp/pulsesecure.XXXX mountpoint for the disk image
TMPMOUNT=`/usr/bin/mktemp -d /tmp/pulsesecure.XXXX`
#
# Applying VPN configuration file
#
if [[ -d "$3/Applications/PulseSecure.app" ]]; then
    echo "Pulse Secure VPN Client Installed"
    "$3/Applications/PulseSecure.app/Contents/Plugins/JamUI/./jamCommand" -importFile "$VPN_CONFIG_FILE"
    echo "VPN Configuration Installed"
else
    echo "Pulse Client Not Installed"
```
I think the script is being messed up thanks to smart quotes. I've marked in the script where I see them.
Smart quotes are not recognized as legal quote marks when the script is run, which may be why you're having issues. For more information, please see the link below:
@rtrouton Well, I learn something new every day. I will look into that and see if that is indeed the case.
@cwaldrip I was actually using textwrangler, but i did not change any of the default settings. I will look into Text Edit and see if i can make those changes to fix it and try again.
Well that looks to have helped. It now installs, but the configuration file does not appear to import (postinstall).
If i understand the install.log, it is saying that it can't find the configuration file.
I am just running the package manually on a machine to test.
So I am definitely in the right direction now..
Here's what I'm currently using for my Pulse Secure
```bash
#!/bin/bash
# Determine working directory
install_dir=`dirname "$0"`
#
# Installing Pulse Secure
#
# Specify location of the Pulse Secure disk image
TOOLS=$install_dir/"PulseSecure.dmg"
# Specify location of the Pulse Secure configuration file
VPN_CONFIG_FILE=$install_dir/"Filename_here.jnprpreconfig"
# Specify a /tmp/PulseSecure.XXXX mountpoint for the disk image
TMPMOUNT=`/usr/bin/mktemp -d /tmp/PulseSecure.XXXX`
# Mount the latest Pulse Secure disk image to the /tmp/PulseSecure.XXXX mountpoint
hdiutil attach "$TOOLS" -mountpoint "$TMPMOUNT" -nobrowse -noverify -noautoopen
# Install Pulse Secure. $3 is the target volume handed to a package postinstall script.
# The find expression needs escaped parentheses and quoted globs, or the shell mangles it.
/usr/sbin/installer -dumplog -verbose -pkg "$(/usr/bin/find "$TMPMOUNT" -maxdepth 1 \( -iname '*.pkg' -o -iname '*.mpkg' \))" -target "$3"
#
# Applying VPN configuration file
#
if [[ -d "$3/Applications/Pulse Secure.app" ]]; then
    echo "Pulse Secure VPN Client Installed"
    "$3/Applications/Pulse Secure.app/Contents/Plugins/JamUI/jamCommand" -importFile "$VPN_CONFIG_FILE"
    echo "VPN Configuration Installed"
else
    echo "Pulse Client Not Installed"
fi
#
# Clean-up
#
# Unmount the Pulse Secure disk image
/usr/bin/hdiutil detach "$TMPMOUNT"
# Remove the /tmp/PulseSecure.XXXX mountpoint
/bin/rm -rf "$TMPMOUNT"
exit 0
```
I just tested it today with Pulse Secure 126.96.36.1999, as that's the newly-released Sierra-compatible Pulse Secure VPN client:
I've run into a strange issue with jamCommand.
Setting this up, both the above mentioned way, and an alternative way mentioned below, and running it from Self Service I get an error.
To see where it was going wrong, I manually ran the commands in Terminal and found that the Pulse client opens and prompts for a username and password on the jamCommand step. I can't figure out why it's doing this. I have tried different versions of PulseSecure, compared my jnprpreconfig config with others that use this, and I don't see anything different. Wiped the machine and started again, you name it! It's a real mystery at the moment.
I also discovered perhaps an easier way to do this too. Rather than create a package with the script and config file inside it, install the regular PulseSecure pkg/dmg, then add a simple script to JSS and run it to echo out the jnprpreconfig and run jamCommand:
```sh
#!/bin/sh
# VPN Config Script
# Write out config file to /tmp. The quoted 'EOF' stops the shell from
# expanding $ or backticks that may appear inside the pasted config.
cat <<'EOF' >/tmp/tpus.jnprpreconfig
## paste the contents of your jnprpreconfig file here
EOF
# Import Config into VPN Client. In a Jamf policy script $1 is the mount point
# and $3 is the logged-in username (not a volume), so the app path is given directly.
"/Applications/Pulse Secure.app/Contents/Plugins/JamUI/jamCommand" -importfile /tmp/tpus.jnprpreconfig
rm /tmp/tpus.jnprpreconfig
```
I figure this way, you don't have to create a custom package, and the script is easily editable via JSS.
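Pulling the two approaches in this thread together (rtrouton's mount-the-DMG-and-install script and the JSS-script config import above), here is an added example of the same procedure with the checks a deployment engineer would want before running an installer as root: it pins the vendor .pkg's SHA-256 and refuses to install on mismatch, requires a signature via `pkgutil --check-signature`, and writes the preconfig to a 0600 temp file instead of a world-readable path in /tmp. This is not code from the thread or from Pulse Secure; the DMG and config paths, the placeholder hash and the app path are assumptions.

```bash
#!/bin/bash
# Added example: install Pulse Secure from a DMG only after verifying the .pkg,
# then import a .jnprpreconfig from a private temp file. All paths are assumptions.
set -euo pipefail

# Expected SHA-256 of the vendor .pkg. Placeholder: record the real value when
# you download the installer and pin it here (or pass it via the environment).
EXPECTED_PKG_SHA256="${EXPECTED_PKG_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"

# Portable SHA-256 (sha256sum on Linux, shasum on macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Locate the .pkg/.mpkg at the top level of a mounted DMG. The parentheses must be
# escaped and the globs quoted, or the shell rewrites the find expression.
find_pkg() {
    local pkg
    pkg="$(/usr/bin/find "$1" -maxdepth 1 \( -iname '*.pkg' -o -iname '*.mpkg' \) | head -n 1)"
    [ -n "$pkg" ] || return 1
    printf '%s\n' "$pkg"
}

# Return 0 only if FILE ($1) hashes to EXPECTED ($2); hex compare is case-insensitive.
verify_sha256() {
    local actual
    actual="$(sha256_of "$1")"
    [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Write the preconfig (read from stdin) to a 0600 temp file so other local users
# cannot read the connection details while jamCommand imports them. Prints the path.
write_config_tmp() {
    local f
    f="$(mktemp /tmp/pulse-config.XXXXXX)"
    chmod 0600 "$f"
    cat > "$f"
    printf '%s\n' "$f"
}

# Full procedure. macOS only (hdiutil, pkgutil, installer, jamCommand).
# $1 = path to DMG, $2 = path to .jnprpreconfig, $3 = target volume (default /)
install_pulse() {
    local dmg="$1" cfg="$2" target="${3:-/}" mnt pkg tmpcfg
    mnt="$(mktemp -d /tmp/PulseSecure.XXXX)"
    /usr/bin/hdiutil attach "$dmg" -mountpoint "$mnt" -nobrowse -noverify -noautoopen
    pkg="$(find_pkg "$mnt")"
    verify_sha256 "$pkg" "$EXPECTED_PKG_SHA256" || { echo "pkg hash mismatch, refusing to install" >&2; return 1; }
    # Also require the package to carry a signature (exits non-zero when unsigned)
    /usr/sbin/pkgutil --check-signature "$pkg" >/dev/null
    /usr/sbin/installer -pkg "$pkg" -target "$target"
    tmpcfg="$(write_config_tmp < "$cfg")"
    "$target/Applications/Pulse Secure.app/Contents/Plugins/JamUI/jamCommand" -importFile "$tmpcfg"
    rm -f "$tmpcfg"
    /usr/bin/hdiutil detach "$mnt"
    rmdir "$mnt"
}

# Uncomment to run on a Mac (paths are assumptions):
# install_pulse "/Users/Shared/Pulse/PulseSecure.dmg" "/Users/Shared/Pulse/MyCompany.jnprpreconfig" /
```

The helper functions are portable and can be exercised on any machine; only `install_pulse` needs macOS. Pinning the hash means a swapped or tampered installer staged in /Users/Shared or /tmp (both writable by any local user) is rejected rather than run as root.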
Issue that I have is that deploying Pulse Secure with the jnprpreconfig import still requires a full restart to display the list of connections in the Connections window. The install package works. Not great UX.
I would like to avoid having to restart the Mac.
I am looking into how to unload and load the correct Daemon / Agent to get the connections to show up in the Connections window. Suggestions?
This command does work to unload the PulseTray or menu bar item:
sudo -u <user> launchctl unload /Library/LaunchAgents/net.juniper.pulsetray.plist
However, unloading and loading the PulseTray does not refresh the list in the Connections window.
This command does not work, resulting in "Could not find specified service": sudo /bin/launchctl unload /Library/LaunchDaemons/net.juniper.AccessService.plist
My guess is that the syntax is wrong. Ideas? Thank you!
I package the installer I get from Junos and the jnprpreconfig file and put them in /Users/Shared/Pulse/, but you could put them in /tmp/Pulse if you wanted. This is the script I use and it works fine. NEW in 5.2.5: The name of the installed app is now just "Pulse Secure.app". The installer leaves behind an invisible "Junos Pulse Secure.app" if you're upgrading from the old version. I have a subsequent script to delete that too after the installation is complete.
```sh
#!/bin/sh
# Change working directory
cd "/Users/Shared/Pulse/"
# Install Pulse Secure software (file and app names contain spaces, so they are quoted)
/usr/sbin/installer -pkg "PulseSecure 5.2.5.pkg" -target /
sleep 1
/bin/chmod +x "/Applications/Pulse Secure.app/Contents/Plugins/JamUI/PulseTray.app/Contents/MacOS/PulseTray"
/bin/chmod +x "/Applications/Pulse Secure.app/Contents/MacOS/Pulse Secure"
/bin/chmod +x "/Applications/Pulse Secure.app/Contents/Plugins/JamUI/jamCommand"
# Launch the Pulse Tray
/usr/bin/open -a '/Applications/Pulse Secure.app/Contents/Plugins/JamUI/PulseTray.app/Contents/MacOS/PulseTray'
sleep 1
# Open Pulse Secure in the background and then hide the app
/usr/bin/open --background -a '/Applications/Pulse Secure.app/Contents/MacOS/Pulse Secure'
/usr/bin/osascript -e 'tell application "System Events" to set visible of application process "Pulse Secure" to false'
sleep 1
# Import the company VPN settings. Specify your file here
"/Applications/Pulse Secure.app/Contents/Plugins/JamUI/jamCommand" -importFile MyCompany.jnprpreconfig
sleep 1
# Quit the Pulse Secure app
/usr/bin/osascript -e 'tell application "Pulse Secure" to quit'
sleep 2
# Open Pulse Secure in the background a second time and then hide the app
/usr/bin/open --background -a '/Applications/Pulse Secure.app/Contents/MacOS/Pulse Secure'
/usr/bin/osascript -e 'tell application "System Events" to set visible of application process "Pulse Secure" to false'
sleep 5
# Quit the Pulse Secure app
/usr/bin/osascript -e 'tell application "Pulse Secure" to quit'
# cleanup after installation
rm -Rf /Users/Shared/Pulse
exit 0
```
You may want to speak with your network engineers or whoever built the Pulse configuration file for you. I've learned that they can lock down or open up and control certain aspects of how the Pulse program works via that config file. It sounds to me like maybe there's a setting within it that forces the computer to automatically reconnect. Whether that's by design or by accident would be for your network team to address and possibly give you a new config file. If they do that, then you'll have to run through the installer all over again to import the new config file.
I am new to Jamf and Macs. I have packaged Pulse Secure with all the company connections using Composer. I also verified that the connstore.dat file stored in /library/application support/pulse secure/pulse/connstore.dat has the connections listed. When installing the package on a new Mac, I do not see any connections listed, yet I can see them listed in the path above. I assume I need to use one of the scripts above to get the connections listed? If so, which one, and how do I create the *.jnprpreconfig file? Can you also explain how to import this script to JSS so it runs after the Pulse install?
@rastogisagar The certificate can be exported and imported to an unmanaged device and it will become "compliant". There is a way to make SCEP certificates not exportable, and you can make the AD certs not exportable in the payload as well, but I think they will then require local admin rights for the user to use them. Not 100% sure, but I think I had this with AD certificates.
So maybe solution mentioned by @ddcdennisb might be more secure. I'm actually now considering to change it to this method.
@rastogisagar What do you mean by "Jamf device is compliant"?
We were using the fact that the machine had the jamf binary installed as being "compliant" in order to gain access to our VPN.
I was not the one that actually setup the host checker policy on the VPN Connector so I'm sorry but I won't be able to fully assist there.
That is a great idea. I have reached out to Pulse Secure a few times asking for that feature (multiple calls) and they have not followed through ... If your network team has a good relationship with Pulse Secure, maybe you could get them to ask Pulse Secure too?
With Jamf's "Jamf and" culture I am 1000% sure Jamf would work with them....
PS if you get any movement from Pulse Secure let me know and I will reach out again ...
It's part of Jamf's DNA that they work with other software vendors to make our job easier ... They have worked with Cisco, Symantec, and Microsoft just to name a few. I am 1000% sure that the ball is in Pulse Secure's court and we need to try and "force" them to work with Jamf.
Here are some other examples ...
@rastogisagar Pulse Secure can do quite a few different things to check for device compliance. Things we've used in our compliance matrix have included: jamf process running, boot drive encrypted with FileVault, version of installed McAfee software, and checksum of a "fingerprint" file. Your admin for your Pulse Secure server should be able to configure this easily. If that's supposed to be you, I suggest you contact Pulse Secure support about configuring compliance checks.
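As an added example, not from the thread or from Pulse Secure, here is a pre-flight script that evaluates locally the same kinds of attributes the post above lists (a management process running, FileVault state, a version floor for an installed agent, and a fingerprint-file checksum), so an admin can see what the host checker will see before a Mac tries to connect. The process name, the fingerprint path, the expected hash and the version numbers are assumptions; the real policy is configured on the Pulse Secure server, not by this script.

```bash
#!/bin/bash
# Added example: local pre-flight of host-checker style compliance attributes.
# Paths, hash and version values below are assumptions, not Pulse Secure defaults.
set -euo pipefail

FINGERPRINT_FILE="${FINGERPRINT_FILE:-/Library/Application Support/JAMF/.fingerprint}"   # assumed path
FINGERPRINT_SHA256="${FINGERPRINT_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"  # placeholder
MIN_AGENT_VERSION="${MIN_AGENT_VERSION:-10.6.0}"   # assumed minimum for the AV/agent check

# Portable SHA-256 (sha256sum on Linux, shasum on macOS)
sha256_of() { if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1; else shasum -a 256 "$1" | cut -d' ' -f1; fi; }

# "jamf process running": assumes the process is literally named jamf
jamf_running() { pgrep -x jamf >/dev/null 2>&1; }

# Parse the text `fdesetup status` prints; 0 when FileVault is on.
# Takes the text as an argument so it can be tested without a Mac.
filevault_on_from() { case "$1" in *"FileVault is On"*) return 0;; *) return 1;; esac; }

# 0 when dotted version $1 >= $2 (numeric per field, up to four fields)
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)" = "$2" ]
}

# 0 when the fingerprint file exists and hashes to the pinned value
fingerprint_ok() { [ -r "$1" ] && [ "$(sha256_of "$1")" = "$2" ]; }

# Run every check, report each failure, return non-zero if any failed.
# $1 = installed agent version string (assumed to be obtained by the caller)
preflight() {
    local agent_version="${1:-0}" rc=0
    jamf_running || { echo "FAIL: jamf process not running"; rc=1; }
    filevault_on_from "$(/usr/bin/fdesetup status 2>/dev/null || true)" || { echo "FAIL: FileVault is not on"; rc=1; }
    version_ge "$agent_version" "$MIN_AGENT_VERSION" || { echo "FAIL: agent $agent_version < $MIN_AGENT_VERSION"; rc=1; }
    fingerprint_ok "$FINGERPRINT_FILE" "$FINGERPRINT_SHA256" || { echo "FAIL: fingerprint file missing or mismatched"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS: all local compliance checks satisfied"
    return "$rc"
}

# Uncomment to run on a Mac, passing the installed agent version:
# preflight "10.7.5"
```

Note the caveat raised earlier in the thread: a fingerprint file, like an exported certificate, can be copied to an unmanaged machine and will still pass, so it proves possession of the file rather than management state; pair it with attributes that are harder to clone.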
@sdagley Thanks a lot for your reply. Do we need Jamf engagement in this? If so, we need to engage our Jamf technician. I am not from Pulse Secure; I am trying to collect information for my Pulse Secure team before jumping to any team, and I should be aware whether this is feasible. Whatever you have mentioned sounds perfect for me. Do you have any reference or supporting link or document for the same?
@gachowski Are you thinking along the lines of the Network Integration feature in the JSS to provide compliance verification to Cisco ISE as a means of providing compliance verification for Pulse Secure? That could be useful if my VPN server folks were willing to cede Mac compliance control to Jamf Pro. Network Integration configurations are currently limited to one per Site, so my Support multiple Network Integration instances without requiring separate Sites Feature Request would hopefully come along for the ride.