Junos Pulse Secure

Mark_Ballestero
New Contributor

HI Jamf Nation,

I am running into a weird issue: when Junos Pulse is installed manually, it is able to start and add connections just fine. However, it does not when the app is packaged in Composer using the normal snapshot method and packaged as a DMG. Has anyone experienced this or know of a fix? I have attached screenshots below. Thanks!

I get the following error:

Failed to connect to the Pulse Secure service.

This is what it should look like, done with normal install

This is after packaging with composer as a DMG using the snapshot method, Pulse Secure is turned off.

This is the error I receive when trying to add a connection from the DMG that was packaged.


AVmcclint
Valued Contributor III

We use Pulse and there is an install script that is required to run in order to get it installed. My install policy copies the actual installer pkg and a configuration file to /Users/Shared/ and then a script runs that calls upon the installer to reference the files. I was given the installer script by our Network team. I presume it's a script that was provided to them by Junos. You may want to look down that avenue. I would seriously doubt a snapshot is enough to get things working because it's a service that is basically always running and something (maybe a LaunchDaemon?) needs to get it going.

DBrowning
Valued Contributor

I have a snapshot package that I use to install Junos during imaging and standalone if needed. I have baked in our configs. After the install we need to run a script to make sure each computer is getting a unique GUID so that, when connecting, machines don't kick each other off.

We used to see that error as well and after updating my package to the latest version it hasn't seemed to be an issue. Pulse 5.1.5 (60701)

Below is the script I created to do so.

#!/bin/bash
# stop pulse access service
# remove local guid from connstore.dat
# restart service
# (the support path contains spaces, so it must be quoted)
PULSE_SUPPORT="/Library/Application Support/Juniper Networks/Junos Pulse"

sudo launchctl unload /Library/LaunchDaemons/net.juniper.AccessService.plist
sudo rm -rf "$PULSE_SUPPORT/DeviceID"
# BSD sed takes the backup suffix as a separate argument; this deletes every line containing "guid"
sudo sed -i .bak "/guid/d" "$PULSE_SUPPORT/connstore.dat"
sudo launchctl load /Library/LaunchDaemons/net.juniper.AccessService.plist
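
The same reset as the script above, as an added example rather than DBrowning's code: the paths are the ones the post uses, but the edit keeps a backup, reports how many lines it removed, refuses to touch a missing store, and only cycles the daemon when its plist is actually on disk. The connstore.dat content used to exercise it is constructed, not a real Pulse file.

```sh
#!/bin/sh
# Added example, not code from the post above. Paths are the post's;
# the helper names and the connstore.dat used in testing are my own.
set -u

PULSE_SUPPORT="/Library/Application Support/Juniper Networks/Junos Pulse"
ACCESS_SERVICE_PLIST="/Library/LaunchDaemons/net.juniper.AccessService.plist"

# Drop every line containing "guid" from connstore.dat under the given
# support directory. Keeps a .bak copy and prints how many lines went.
# The match is case-sensitive and hits any line with "guid" in it,
# exactly as the post's sed "/guid/d" does.
strip_connstore_guid() {
    store="$1/connstore.dat"
    [ -f "$store" ] || { echo "no connstore.dat under $1" >&2; return 1; }
    cp -p "$store" "$store.bak"
    before=$(grep -c '' "$store")
    # Write via a temp file: "sed -i" syntax differs between BSD and GNU sed.
    tmp=$(mktemp "$1/connstore.XXXXXX")
    grep -v 'guid' "$store" > "$tmp" || :   # grep exits 1 when nothing is left
    cat "$tmp" > "$store"                   # keeps the original owner and mode
    rm -f "$tmp"
    after=$(grep -c '' "$store")
    echo $((before - after))
}

# Remove the cached device identity so the service mints a new one.
remove_device_id() {
    rm -rf "$1/DeviceID"
    [ ! -e "$1/DeviceID" ]
}

# Unload or load the access service, but only if the plist exists; a
# missing plist is the usual cause of "Could not find specified service".
access_service() {
    [ -f "$ACCESS_SERVICE_PLIST" ] || { echo "no plist at $ACCESS_SERVICE_PLIST" >&2; return 1; }
    launchctl "$1" "$ACCESS_SERVICE_PLIST"
}

# Runs end to end only when asked, so the file can be sourced safely.
# Same order as the post: stop, remove, restart.
if [ "${1:-}" = "--apply" ]; then
    access_service unload
    remove_device_id "$PULSE_SUPPORT"
    strip_connstore_guid "$PULSE_SUPPORT"
    access_service load
fi
```

Run it as root with `--apply` from a Jamf policy; without the flag it only defines the functions, which is what makes the line-count check possible before you trust it on a fleet.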

emily
Valued Contributor III

gachowski
Valued Contributor II

In the past few years I have just copied the Pulse Secure app straight to Casper Admin, with "install on boot drive after imaging" selected.

We have a second .pkg with the custom .jnprpreconfig file install in a temp location, and in our 1st log in script we just have a line....

"/Applications/Pulse Secure.app/Contents/Plugins/JamUI/jamCommand" -importfile "/temp location"

( I think that is straight from the manual/deployment guide many years ago) : )

I haven't ever had to do this on an "in use computer" but once, in testing possible BYOC (years ago) with Self Service or pushed in a policy, I kinda remember that it needed a reboot...

If you are using a script, I think one of the most recent versions changed the internal names to Pulse Secure instead of Junos Pulse, too, so watch out for that...

C

franton
Valued Contributor II

+1 to @emily's suggestion of @rtrouton's blog post above. That is the most reliable method of deploying and auto-configuring Junos Pulse / Pulse Secure.

shawnis43
New Contributor III

I ran into the exact same issue when using Composer. I was able to get the install working by copying the .pkg (the one you use to manually install) to the computer then installing it using the command:

/usr/sbin/installer -pkg <location of the .pkg> -target /

So far this method is working for me through Self Service
The odd part is that the Composer version works when used with Casper Imaging but not through Self Service.

m/

cwaldrip
Valued Contributor

I never could get the profiles to just 'work', but with some digging I found that you can use Pulse's little-advertised command-line tool to import them.

So I have a package that I run separate from the app. It puts a file I received from our netsec group (it's just a text file, so I was able to rename the connections as we pleased) in /tmp, then runs the command-line tool to import that, and finally removes the original file.

#!/bin/bash
# Config file staged by the package. One variable is used for both the
# import and the clean-up so the two paths cannot drift apart.
CONFIG="/tmp/ConfigDeploy.jnprpreconfig"
PULSE_JAMUI="/Applications/Junos Pulse.app/Contents/Plugins/JamUI"

# Start the tray so the client is running before the import
open "$PULSE_JAMUI/PulseTray.app"

# Import the connection set with Pulse's command-line tool
"$PULSE_JAMUI/jamCommand" -importfile "$CONFIG"

# Remove the staged file once it has been imported
rm -f "$CONFIG"

Mark_Ballestero
New Contributor

Thank you all for your responses. Once I get the VPN configuration from my admin I will let you know the results of @rtrouton's guide.

kjohnston
New Contributor

I have just been tasked with trying to get this to work. I have followed @rtrouton's guide, and it does not work for me.
Being a new person to Mac, I am taking the unlikely road of "hey, just take what he did and rename a few things and hope it sticks."
I know I am doing something wrong, as I am kinda flying blind with this.
The new version of Pulse Secure 5.2R4 is obviously named differently than the Junos name, so in the script I renamed what I believe is correct.
I am leveraging Casper, so I was not sure if there was something that needs to be done differently to the created package in order for it to work, but just running the .pkg on a machine does not install.

I see things like this is the install.log

./postinstall: installer: Error the package path specified was invalid: ''.
./postinstall: hdiutil: detached failed - no such file or directory

So without a doubt it is not working as intended.

If I am deploying it using Casper, do I need to check off "Require Admin password for installation"? I assume so as it is touching the Applications folder.

My .pulsepreconfig file has a space in it, so not sure if that also has something to do with it.

This is just a snippet, but you get the idea that it is just a rename of the client and location names...

#!/bin/sh

# Specify location of the Pulse Secure disk image

  TOOLS=$install_dir/“PulseSecure.dmg"

# Specify location of the Pulse Secure configuration file

  VPN_CONFIG_FILE=$install_dir/"My Company.pulsepreconfig”

# Specify a /tmp/pulsesecure.XXXX mountpoint for the disk image

  TMPMOUNT=`/usr/bin/mktemp -d /tmp/pulsesecure.XXXX`

# Applying VPN configuration file
#

if [[ -d "$3/Applications/PulseSecure.app" ]]; then

    echo "Pulse Secure VPN Client Installed"
    "$3/Applications/PulseSecure.app/Contents/Plugins/JamUI/./jamCommand" -importFile "$VPN_CONFIG_FILE"
    echo "VPN Configuration Installed"
else 
    echo "Pulse Client Not Installed"

Kevin

rtrouton
Valued Contributor III

@kjohnston,

I think the script is being messed up thanks to smart quotes. I've marked in the script where I see them.

Smart quotes are not recognized as legal quote marks when the script is run, which may be why you're having issues. For more information, please see the link below:

https://derflounder.wordpress.com/2014/02/01/disabling-smart-quotes-in-mavericks/


cwaldrip
Valued Contributor

@kjohnston If you're using TextEdit then the defaults are for it to replace things like straight quotes with curly quotes, three dots with an ellipsis, etc. You can turn all that off by going to Edit > Substitutions. You can turn on/off specific ones, or edit them.

kjohnston
New Contributor

@rtrouton Well, I learn something new every day. I will look into that and see if that is indeed the case.

@cwaldrip I was actually using TextWrangler, but I did not change any of the default settings. I will look into TextEdit and see if I can make those changes to fix it and try again.

thanks guys!

kjohnston
New Contributor

Well, that looks to have helped. It now installs, but the configuration file does not appear to import (postinstall).

If I understand the install.log, it is saying that it can't find the configuration file.

I am just running the package manually on a machine to test.

So I am definitely in the right direction now..

rtrouton
Valued Contributor III

Here's what I'm currently using for my Pulse Secure postinstall script:

#!/bin/bash

# Determine working directory (the folder the postinstall script runs from)

install_dir=$(dirname "$0")

#
# Installing Pulse Secure
#

# Specify location of the Pulse Secure disk image

  TOOLS="$install_dir/PulseSecure.dmg"

# Specify location of the Pulse Secure configuration file

  VPN_CONFIG_FILE="$install_dir/Filename_here.jnprpreconfig"

# Specify a /tmp/PulseSecure.XXXX mountpoint for the disk image

  TMPMOUNT=$(/usr/bin/mktemp -d /tmp/PulseSecure.XXXX)

# Mount the latest Pulse Secure disk image to the /tmp/PulseSecure.XXXX mountpoint

  /usr/bin/hdiutil attach "$TOOLS" -mountpoint "$TMPMOUNT" -nobrowse -noverify -noautoopen

# Install Pulse Secure. $3 is the target volume handed to a postinstall script.
# The parentheses are escaped and the name patterns quoted so that find, not
# the shell, evaluates them; left unescaped, the -pkg argument comes out empty.

  /usr/sbin/installer -dumplog -verbose -pkg "$(/usr/bin/find "$TMPMOUNT" -maxdepth 1 \( -iname '*.pkg' -o -iname '*.mpkg' \))" -target "$3"

#
# Applying VPN configuration file
#

if [[ -d "$3/Applications/Pulse Secure.app" ]]; then

    echo "Pulse Secure VPN Client Installed"
    "$3/Applications/Pulse Secure.app/Contents/Plugins/JamUI/jamCommand" -importFile "$VPN_CONFIG_FILE"
    echo "VPN Configuration Installed"
else 
    echo "Pulse Client Not Installed" 
fi

#
# Clean-up
#

# Unmount the Pulse Secure disk image

  /usr/bin/hdiutil detach "$TMPMOUNT"

# Remove the /tmp/PulseSecure.XXXX mountpoint

  /bin/rm -rf "$TMPMOUNT"

exit 0

I just tested it today with Pulse Secure 5.2.5.869, as that's the newly-released Sierra-compatible Pulse Secure VPN client:

https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40245
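
Two checks worth bolting onto the front of a postinstall like the one above, as an added example that is not rtrouton's code: locate exactly one package on the mounted DMG (an empty `-pkg` argument is what produced the "package path specified was invalid: ''" error earlier in this thread), and confirm the preconfig exists before it is handed to jamCommand. The signature check uses `pkgutil --check-signature`, which only exists on macOS; the helper names and the dry-run switch are assumptions of mine.

```sh
#!/bin/sh
# Added example, not code from the thread. Helper names and DRY_RUN are mine.
set -u

# Print the single .pkg/.mpkg at the top level of a mounted disk image.
# Fails on zero matches and refuses to guess when there is more than one.
find_installer_pkg() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    # Parentheses escaped and globs quoted so the shell passes them to find.
    list=$(find "$1" -mindepth 1 -maxdepth 1 \( -iname '*.pkg' -o -iname '*.mpkg' \))
    count=$(printf '%s\n' "$list" | grep -c .)
    case "$count" in
        0) echo "no .pkg or .mpkg found in $1" >&2; return 1 ;;
        1) printf '%s\n' "$list" ;;
        *) echo "$count packages found in $1; refusing to pick one" >&2; return 2 ;;
    esac
}

# Report whether a package carries a signature. pkgutil is macOS-only;
# elsewhere the check is reported as skipped so the script stays portable.
check_pkg_signature() {
    if ! command -v pkgutil >/dev/null 2>&1; then echo "skipped"; return 0; fi
    if pkgutil --check-signature "$1" 2>/dev/null | grep -q 'Status: signed'; then
        echo "signed"; return 0
    fi
    echo "unsigned"; return 1
}

# The preconfig must exist, be non-empty and be readable; jamCommand is
# not chatty about a bad path, so fail here instead.
check_preconfig() {
    [ -f "$1" ] && [ -s "$1" ] && [ -r "$1" ]
}

# Glue as it would sit in the postinstall: $1 mountpoint, $2 preconfig,
# $3 target volume. With DRY_RUN=1 it prints the installer command instead
# of running it, which is how the function is exercised off-box.
install_from_mount() {
    pkg=$(find_installer_pkg "$1") || return 1
    check_preconfig "$2" || { echo "preconfig unusable: $2" >&2; return 1; }
    sig=$(check_pkg_signature "$pkg") || { echo "refusing unsigned package: $pkg" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'installer -pkg "%s" -target "%s" (signature: %s)\n' "$pkg" "$3" "$sig"
    else
        /usr/sbin/installer -dumplog -verbose -pkg "$pkg" -target "$3"
    fi
}
```

Drop `install_from_mount "$TMPMOUNT" "$VPN_CONFIG_FILE" "$3"` in where the single `installer` line sits today and the script stops on a bad DMG instead of logging a blank package path.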

kjohnston
New Contributor

@rtrouton Thank you. I copied what you had and everything worked perfectly. I think it may have been how I did the sudo part.
In either case, things are working.

lonney_harper
New Contributor

I've run into a strange issue with jamCommand.

Setting this up, both the above mentioned way, and an alternative way mentioned below, and running it from Self Service I get an error.

To see where it was going wrong, I manually ran the commands in Terminal and found that the Pulse client opens and prompts for a username and password on the jamCommand step. I can't figure out why it's doing this; I have tried different versions of PulseSecure, compared my jnprpreconfig config with others that use this, and I don't see anything different. Wiped the machine and started again, you name it! It's a real mystery at the moment.

I also discovered perhaps an easier way to do this too: rather than create a package with the script and config file inside it, install the regular PulseSecure pkg/dmg, then add a simple script to the JSS and run it to echo out the jnprpreconfig and run jamCommand:

#!/bin/sh
# VPN Config Script (run as a Jamf Pro policy script)
# Write out config file to /tmp. The heredoc delimiter is quoted so any
# $ or backtick characters in the preconfig are written literally.
CONFIG="/tmp/tpus.jnprpreconfig"
cat <<'EOF' >"$CONFIG"
## paste the contents of your jnprpreconfig file here
EOF
# Import Config into VPN Client.
# In a Jamf Pro policy script $3 is the logged-in username, not the target
# volume (that is only true in an installer postinstall), so use an absolute path.
"/Applications/Pulse Secure.app/Contents/Plugins/JamUI/jamCommand" -importfile "$CONFIG"
rm -f "$CONFIG"

I figure this way, you don't have to create a custom package, and the script is easily editable via JSS.
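
The one thing that bites when the same script is reused in both places is `$3`: an installer postinstall gets the target volume there, while a Jamf Pro policy script gets the logged-in username. The block below is an added example, not lonney_harper's script, that resolves the right root in either context, finds jamCommand under either the old or the new app name (the rename gachowski mentioned above), and writes the preconfig with a quoted heredoc so nothing in it gets expanded. The positional-parameter conventions are the standard ones for those two contexts; the app paths are the thread's; the preconfig body is a constructed placeholder, not real syntax.

```sh
#!/bin/sh
# Added example, not code from the thread. Helper names are mine.
set -u

# installer(8) postinstall: $1 package path, $2 install location,
#                           $3 target volume, $4 startup disk
# Jamf Pro policy script:   $1 mount point,   $2 computer name, $3 username
# So "$3/Applications/..." is only right in the first case. Prefer $3 when
# it is a volume root, fall back to $1, and finally to the startup disk.
# Call as: resolve_target_root "$1" "$3"
resolve_target_root() {
    for candidate in "$2" "$1"; do
        case "$candidate" in
            /*) if [ -d "$candidate/Applications" ]; then
                    root="${candidate%/}"; printf '%s\n' "${root:-/}"; return 0
                fi ;;
        esac
    done
    printf '/\n'
}

# jamCommand moved when the app was renamed from Junos Pulse to Pulse
# Secure; accept either name under the resolved root.
pulse_jamcommand_path() {
    base="${1%/}"
    for app in "Pulse Secure.app" "Junos Pulse.app"; do
        p="$base/Applications/$app/Contents/Plugins/JamUI/jamCommand"
        if [ -x "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    echo "jamCommand not found under $base/Applications" >&2
    return 1
}

# Write the preconfig. The delimiter is quoted ('EOF') so $, backticks and
# backslashes in the pasted file reach disk untouched; an unquoted EOF would
# silently expand them. The body is a placeholder, not real preconfig syntax.
stage_preconfig() {
    umask 077
    cat <<'EOF' > "$1"
## paste the contents of your jnprpreconfig file here
## placeholder line to prove quoting: Corp VPN $tier `hostname` \n
EOF
}

# Import and clean up. $1 root, $2 preconfig path.
import_preconfig() {
    jam=$(pulse_jamcommand_path "$1") || return 1
    "$jam" -importfile "$2"
    status=$?
    rm -f "$2"
    return $status
}
```

In a policy script the tail end is then `root=$(resolve_target_root "$1" "$3"); stage_preconfig /tmp/corp.jnprpreconfig; import_preconfig "$root" /tmp/corp.jnprpreconfig`, and the same three lines work unchanged from a package postinstall.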

perkins
New Contributor

Issue that I have is that deploying Pulse Secure with the jnprpreconfig import still requires a full restart to display the list of connections in the Connections window. The install packages works. Not great UX.

I would like to avoid having to restart the Mac.

I am looking into how to unload and load the correct Daemon / Agent to get the connections to show up in the Connections window. Suggestions?

This command does work to unload the PulseTray or menu bar item:
sudo -u <user> launchctl unload /Library/LaunchAgents/net.juniper.pulsetray.plist

However, unloading and loading the PulseTray does not refresh the list in the Connections window.

This command does not work, resulting in "Could not find specified service": sudo /bin/launchctl unload /Library/LaunchDaemons/net.juniper.AccessService.plist

My guess is that the syntax is wrong. Ideas? Thank you!
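
"Could not find specified service" from `launchctl unload` usually means the label in that plist is not what launchd has loaded, or the plist name is not the one this client version installed. An added example, not code from any post here, for finding out before unloading anything: read the Label the plist actually declares, check it against `launchctl list`, and scan a LaunchDaemons folder for labels matching a pattern. The plist and launchctl output used in testing are constructed and no real Pulse label is assumed; binary plists need `plutil -convert xml1` first.

```sh
#!/bin/sh
# Added example, not code from the thread. Helper names are mine.
set -u

# Print the value of the Label key from an XML plist. Handles the <string>
# on the same line as the key or on the next line. Binary plists must be
# converted first: plutil -convert xml1 -o - FILE (macOS).
plist_label() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    awk '
        function emit(s) {
            if (match(s, /<string>[^<]*<\/string>/)) {
                found = 1; print substr(s, RSTART + 8, RLENGTH - 17); exit
            }
        }
        want { emit($0); next }
        /<key>Label<\/key>/ { want = 1; emit($0) }
        END { if (!found) exit 1 }
    ' "$1"
}

# Read "launchctl list" output on stdin and succeed if LABEL is loaded.
# Columns are PID, Status, Label; a "-" PID means loaded but not running.
service_loaded() {
    awk -v label="$1" 'NR > 1 && $3 == label { found = 1 } END { exit !found }'
}

# List plists in a LaunchDaemons/LaunchAgents dir whose Label matches a
# case-insensitive extended regex, e.g. "juniper|pulse": the quickest way
# to learn which plist a given client version actually installed.
find_daemons_matching() {
    for f in "$1"/*.plist; do
        [ -f "$f" ] || continue
        label=$(plist_label "$f" 2>/dev/null) || continue
        if printf '%s\n' "$label" | grep -Eiq "$2"; then
            printf '%s\t%s\n' "$label" "$f"
        fi
    done
}

# Unload then load the daemon only if launchd actually knows the label.
reload_daemon() {
    label=$(plist_label "$1") || return 1
    if ! launchctl list | service_loaded "$label"; then
        echo "$label is not loaded; use 'launchctl load $1' rather than unload" >&2
        return 1
    fi
    launchctl unload "$1" && launchctl load "$1"
}
```

`find_daemons_matching /Library/LaunchDaemons 'juniper|pulse'` run as root lists what is really there; `reload_daemon` then refuses to unload a label launchd has never seen, which is the error in the post above turned into a readable message.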

AVmcclint
Valued Contributor III

I package the installer I get from Junos and the jnprpreconfig file and put them in /Users/Shared/Pulse/, but you could put them in /tmp/Pulse if you wanted. This is the script I use and it works fine. NEW in 5.2.5: the name of the installed app is now just "Pulse Secure.app". If you're upgrading from the old version, the installer leaves behind an invisible "Junos Pulse Secure.app". I have a subsequent script to delete that too after the installation is complete.

#!/bin/sh

# Change working directory
cd "/Users/Shared/Pulse/"

# Install Pulse Secure software
/usr/sbin/installer -pkg "PulseSecure 5.2.5.pkg" -target /
sleep 1

/bin/chmod +x "/Applications/Pulse Secure.app/Contents/Plugins/JamUI/PulseTray.app/Contents/MacOS/PulseTray"
/bin/chmod +x "/Applications/Pulse Secure.app/Contents/MacOS/Pulse Secure"
/bin/chmod +x "/Applications/Pulse Secure.app/Contents/Plugins/JamUI/jamCommand"

# Launch the Pulse Tray
/usr/bin/open -a '/Applications/Pulse Secure.app/Contents/Plugins/JamUI/PulseTray.app/Contents/MacOS/PulseTray'
sleep 1

# Open Pulse Secure in the background and then hide the app
/usr/bin/open --background -a '/Applications/Pulse Secure.app/Contents/MacOS/Pulse Secure'
/usr/bin/osascript -e 'tell application "System Events" to set visible of application process "Pulse Secure" to false'
sleep 1 

# Import the company VPN settings. Specify your file here
"/Applications/Pulse Secure.app/Contents/Plugins/JamUI/jamCommand" -importFile MyCompany.jnprpreconfig
sleep 1

# Quit  the Pulse Secure app
/usr/bin/osascript -e 'tell application "Pulse Secure" to quit'
sleep 2

# Open Junos Pulse in the background a second time and then hide the app
/usr/bin/open --background -a '/Applications/Pulse Secure.app/Contents/MacOS/Pulse Secure'
/usr/bin/osascript -e 'tell application "System Events" to set visible of application process "Pulse Secure" to false'
sleep 5

# Quit  the Junos Pulse app
/usr/bin/osascript -e 'tell application "Pulse Secure" to quit'

# cleanup after installation
rm -Rf /Users/Shared/Pulse

exit 0

perkins
New Contributor

Thanks @AVmcclint I appreciate the help.

dvasquez
Contributor III

The script from @rtrouton and using a few commands from @AVmcclint works well, no issues.

Question: has anyone run into the Pulse app always prompting for credentials to connect after a reboot and/or login and logout?

This only happens when using an imported configuration.

Gracias

AVmcclint
Valued Contributor III

You may want to speak with your network engineers or whoever built the Pulse configuration file for you. I've learned that they can lock down or open up and control certain aspects of how the Pulse program works via that config file. It sounds to me like maybe there's a setting within it that forces the computer to automatically reconnect. Whether that's by design or by accident would be for your network team to address and possibly give you a new config file. If they do that, then you'll have to run through the installer all over again to import the new config file.

dvasquez
Contributor III

I figured that was it.

I received another but there were issues. I am working with my Net-Team.

I am still testing at this point but once I get/if I get this I will post up.

Thank you.

baldiesrt
New Contributor

Hello,

I am new to Jamf and Macs. I have packaged Pulse Secure with all the company connections using Composer. I also verified that the connstore.dat file stored in /Library/Application Support/Pulse Secure/Pulse/connstore.dat has the connections listed. When installing the package on a new Mac, I do not see any connections listed, yet I can see them listed in the path above. I assume I need to use one of the scripts above to get the connections listed? If so, which one, and how do I create the *.jnprpreconfig file? Can you also explain how to import this script into the JSS so it runs after the Pulse install?

Thanks!

baldiesrt
New Contributor

Please disregard, after reboot, i was able to see the connections!

Thanks

rastogisagar123
Contributor

Pulse Secure or Junos goes to Jamf MDM to confirm the Mac is compliant. Is that possible? If yes, how?

rihardsp
New Contributor III

Hi,

In our environment we distinguish between managed and unmanaged macs with device certificates. It can be issued either using SCEP or AD certificate payload.
Pulse is configured to accept devices with certificates issued by our CA. Not an ideal solution, but it works for us.

DBrowning
Valued Contributor

@rastogisagar we used to use the host checker to look for the jamf binary to allow connection.

rastogisagar123
Contributor

@rihardsp do you have any reference link, please? When you say it's not an ideal solution, what do you mean exactly?

rihardsp
New Contributor III

@rastogisagar The certificate can be exported and imported to an unmanaged device and it will become "compliant". There is a way to make SCEP certificates non-exportable, and you can make the AD certs non-exportable in the payload, but I think they will then require local admin rights for the user to use them. Not 100% sure, but I think I had this with AD certificates.
So maybe the solution mentioned by @ddcdennisb might be more secure. I'm actually now considering changing to this method.

rastogisagar123
Contributor

@ddcdennisb will it make sure the Jamf device is compliant? If yes, could you please walk me through the process?

DBrowning
Valued Contributor

@rastogisagar what do you mean by "Jamf device is compliant"?

We were using the fact that the machine had the jamf binary installed as being "compliant" in order to gain access to our VPN.

I was not the one that actually setup the host checker policy on the VPN Connector so I'm sorry but I won't be able to fully assist there.

gachowski
Valued Contributor II

@rastogisagar

That is a great idea. I have reached out to Pulse Secure a few times asking for that feature (multiple calls) and they have not followed through... If your network team has a good relationship with Pulse Secure, maybe you could get them to ask Pulse Secure too?

With Jamf's "Jamf and" culture I am 1000% sure Jamf would work with them....

C

PS if you get any movement from Pulse Secure let me know and I will reach out again ...

rastogisagar123
Contributor

@gachowski what do you mean by With Jamf's "Jamf and" culture I am 1000% sure Jamf would work with them....

gachowski
Valued Contributor II

@rastogisagar

It's part of Jamf's DNA that they work with other software vendors to make our job easier... They have worked with Cisco, Symantec, and Microsoft, just to name a few. I am 1000% sure that the ball is in Pulse Secure's court and we need to try and "force" them to work with Jamf.

Here are some other examples ...
https://marketplace.jamf.com/apps/

C

sdagley
Honored Contributor II

@rastogisagar Pulse Secure can do quite a few different things to check for device compliance. Things we've used in our compliance matrix have included: jamf process running, boot drive encrypted with FileVault, version of installed McAfee software, and checksum of a "fingerprint" file. Your admin for your Pulse Secure server should be able to configure this easily. If that's supposed to be you, I suggest you contact Pulse Secure support about configuring compliance checks.

gachowski
Valued Contributor II

@sdagley

You are right, Pulse can do all those checks; however, smart group integration with Jamf Pro would allow for more data points to check, faster adoption of Apple-supported settings like SIP, and real custom checks similar to what Pulse provides for Windows.

C

rastogisagar123
Contributor

@sdagley thanks a lot for your reply. Do we need Jamf engagement in this? If so, then we need to engage our Jamf technician. I am not from Pulse Secure; I am trying to collect information for my Pulse Secure team before jumping to any team, so I should be aware of whether that is feasible. Whatever you have mentioned sounds perfect for me. Do you have any reference or supporting link or document for the same?

gachowski
Valued Contributor II

@rastogisagar

It's all configured on the Pulse box..

C

sdagley
Honored Contributor II

@gachowski Are you thinking along the lines of the Network Integration feature in the JSS to provide compliance verification to Cisco ISE as a means of providing compliance verification for Pulse Secure? That could be useful if my VPN server folks were willing to cede Mac compliance control to Jamf Pro. Network Integration configurations are currently limited to one per Site, so my Support multiple Network Integration instances without requiring separate Sites Feature Request would hopefully come along for the ride.