
Junos Pulse Secure

Hi Jamf Nation,

I am running into a weird issue in which installing Junos Pulse when installed manually is able to start and add connections just fine. However, when packaging the app in Composer using the normal snapshot method, and packaged as a DMG. Has anyone experienced this or know of a fix? I have attached screenshots below. Thanks!

I get the following error:

Failed to connect to the Pulse Secure service.

This is what it should look like, done with normal install

This is after packaging with composer as a DMG using the snapshot method, Pulse Secure is turned off.

This is the error I receive when trying to add a connection from the DMG that was packaged.

SOLVED Posted: by AVmcclint

We use Pulse and there is an install script that is required to run in order to get it installed. My install policy copies the actual installer pkg and a configuration file to /users/shared/ and then a script runs that calls upon the installer to reference the files. I was given the installer script by our Network team. I presume it's a script that was provided to them by Junos. You may want to look down that avenue. I would seriously doubt a snapshot is enough to get things working because it's a service that is basically always running and something (maybe a LaunchDaemon?) needs to get it going.

SOLVED Posted: by ddcdennisb

I have a snapshot package that I use to install Junos during imaging and stand alone if needed. I have baked in our configures. After the install we need to run a script to make sure each computer is getting a unique GUID so that when connecting machines don't kick each other off.

We used to see that error as well and after updating my package to the latest version it hasn't seemed to be an issue. Pulse 5.1.5 (60701)

Below is the script I created to do so.

#!/bin/bash
# stop pulse access service
# remove local guid from connstore.dat
# restart service
sudo launchctl unload /Library/LaunchDaemons/net.juniper.AccessService.plist
sudo rm -rf /Library/Application\ Support/Juniper\ Networks/Junos\ Pulse/DeviceID
sudo sed -i .bak "/guid/d" /Library/Application\ Support/Juniper\ Networks/Junos\ Pulse/connstore.dat
sudo launchctl load /Library/LaunchDaemons/net.juniper.AccessService.plist
SOLVED Posted: by emily
SOLVED Posted: by gachowski

In the past few years I have just copied the Pulse Secure app straight to casper admin, with "install on boot drive after imaging" selected.

We have a second .pkg with the custom .jnprpreconfig file install in a temp location, and in our 1st log in script we just have a line....

/Applications/Pulse\ Secure.app/Contents/Plugins/JamUI/jamCommand -importfile /temp location

( I think that is straight from the manual/deployment guide many years ago) : )

I haven't ever had to do this on an "in use computer" but once in testing possible BYOC (years ago) with Self Service or pushed in a policy, but I kinda remember that it needed a reboot...

If you are using a script, I think one of the most recent versions changed the internal names to Pulse Secure instead of Junos Pulse too, so watch out for that...

C

SOLVED Posted: by franton

+1 to @emily 's suggestion of @rtrouton 's blog post above. That is the most reliable method of deploying and auto configuring Junos Pulse / Pulse Secure.

SOLVED Posted: by shawnis43

I ran into the exact same issue when using Composer. I was able to get the install working by copying the .pkg (the one you use to manually install) to the computer then installing it using the command:

/usr/sbin/installer -pkg <location of the .pkg> -target /

So far this method is working for me through Self Service
Odd part is that the Composer version works when used with Casper Imaging but not through Self Service

\m/

SOLVED Posted: by cwaldrip

I never could get the profiles to just 'work' but with some digging I found that you can use Pulse's little advertised command line tool to import them.

So I have a package that I run separate from the app. It puts a file I received from our netsec group (it's just a text file so I was able to rename the connections as we pleased) in /tmp, then runs the command line tool to import that, and finally removes the original file.

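#!/bin/bash

# Launch the Pulse tray application
open /Applications/Junos\ Pulse.app/Contents/Plugins/JamUI/PulseTray.app

# Import the connection file that the package placed in /tmp
/Applications/Junos\ Pulse.app/Contents/Plugins/JamUI/jamCommand -importfile /tmp/ConfigDeploy.jnprpreconfig

# Remove the original file (same path as the import; /tmp and /var/tmp are different directories on macOS)
rm -f /tmp/ConfigDeploy.jnprpreconfig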
SOLVED Posted: by Mark.Ballesteros

Thank you all for your responses. Once I get the VPN configuration from my admin I will let you know the results of @rtrouton 's guide.

SOLVED Posted: by kjohnston

I have just been tasked with trying to get this to work. I have followed @rtrouton's guide, and it does not work for me.
Being a new person to Mac, I am taking the unlikely road of "hey just take what he did and rename a few things and hope it sticks".
I know I am doing something wrong, as I am kinda flying blind with this.
The new version of Pulse Secure 5.2R4 is obviously named differently than the Junos name, so in the script I renamed what I believe is correct.
I am leveraging Casper so I was not sure if there was something that needs to be done differently to the created package in order for it to work, but just running the .pkg on a machine does not install.

I see things like this in the install.log

./postinstall: installer: Error the package path specified was invalid: ''.
./postinstall: hdiutil: detached failed - no such file or directory

So without a doubt it is not working as intended.

If I am deploying it using Casper, do I need to check off "Require Admin password for installation"? I assume so as it is touching the Application folder.

My .pulsepreconfig file has a space in it, so not sure if that also has something to do with it.

This is just a snippet, but you get the idea that it is just a rename of the client and location names...

#!/bin/sh

# Specify location of the Pulse Secure disk image

  TOOLS=$install_dir/“PulseSecure.dmg"

# Specify location of the Pulse Secure configuration file

  VPN_CONFIG_FILE=$install_dir/"My Company.pulsepreconfig”

# Specify a /tmp/pulsesecure.XXXX mountpoint for the disk image

  TMPMOUNT=`/usr/bin/mktemp -d /tmp/pulsesecure.XXXX`

# Applying VPN configuration file
#

if [[ -d "$3/Applications/PulseSecure.app" ]]; then

    echo "Pulse Secure VPN Client Installed"
    "$3/Applications/PulseSecure.app/Contents/Plugins/JamUI/./jamCommand" -importFile "$VPN_CONFIG_FILE"
    echo "VPN Configuration Installed"
else 
    echo "Pulse Client Not Installed"

Kevin

SOLVED Posted: by rtrouton

@kjohnson,

I think the script is being messed up thanks to smart quotes. I've marked in the script where I see them.

Smart quotes are not recognized as legal quote marks when the script is run, which may be why you're having issues. For more information, please see the link below:

https://derflounder.wordpress.com/2014/02/01/disabling-smart-quotes-in-mavericks/

SOLVED Posted: by cwaldrip

@kjohnson If you're using Text Edit then the defaults are for it to replace things like straight quotes with curly quotes, three dots with an ellipse, etc. You can turn all that off by going to Edit > Substitutions. You can turn on/off specific ones, or edit them.

Like
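
The smart-quote failure @rtrouton diagnoses, and the TextEdit substitutions @cwaldrip lists, can be caught before a script is packaged. The following is an added example, not code from any poster in this thread; the function names `find_smart_chars` and `preflight_script` are hypothetical, and checking for en and em dashes goes beyond the quotes and ellipsis named above.

```shell
#!/bin/sh
# Added example, not from the thread: pre-packaging check for typographic
# substitutions that a text editor may have put into a shell script.

# Print "line:text" for every line containing a substituted character.
# Exit status: 0 = at least one hit, 1 = none, 2 = grep error.
find_smart_chars() {
    # UTF-8 byte sequences built with printf so this file stays pure ASCII.
    lsq=$(printf '\342\200\230')    # U+2018 left single quote
    rsq=$(printf '\342\200\231')    # U+2019 right single quote
    ldq=$(printf '\342\200\234')    # U+201C left double quote
    rdq=$(printf '\342\200\235')    # U+201D right double quote
    ell=$(printf '\342\200\246')    # U+2026 ellipsis (replaces "...")
    ndash=$(printf '\342\200\223')  # U+2013 en dash
    mdash=$(printf '\342\200\224')  # U+2014 em dash (can replace "--")
    # LC_ALL=C and -a make grep match raw bytes; -F treats them literally.
    LC_ALL=C grep -a -n -F \
        -e "$lsq" -e "$rsq" -e "$ldq" -e "$rdq" \
        -e "$ell" -e "$ndash" -e "$mdash" -- "$1"
}

# Returns 0 if the script is clean and parses, 1 if substitutions were
# found, 2 if the shell rejects the syntax, 3 if the file is unreadable.
preflight_script() {
    script=$1
    if [ ! -r "$script" ]; then
        echo "cannot read $script" >&2
        return 3
    fi
    if hits=$(find_smart_chars "$script"); then
        echo "typographic characters found in $script:" >&2
        echo "$hits" >&2
        return 1
    fi
    # Choose the parser from the shebang, then parse without executing (-n).
    case $(head -n 1 "$script") in
        *bash*) parser=bash ;;
        *)      parser=sh ;;
    esac
    if ! "$parser" -n "$script" 2>/dev/null; then
        echo "$parser reports a syntax error in $script" >&2
        return 2
    fi
    return 0
}
```

Run `preflight_script postinstall` before building the package and treat any non-zero status as a failed build.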
SOLVED Posted: by kjohnston

@rtrouton Well, I learn something new every day. I will look into that and see if that is indeed the case.

@cwaldrip I was actually using TextWrangler, but I did not change any of the default settings. I will look into Text Edit and see if I can make those changes to fix it and try again.

thanks guys!

SOLVED Posted: by kjohnston

Well that looks to have helped. It now installs, but the configuration file does not appear to import (postinstall).

If I understand the install.log, it is saying that it can't find the configuration file.

I am just running the package manually on a machine to test.

So I am definitely headed in the right direction now.

SOLVED Posted: by rtrouton

Here's what I'm currently using for my Pulse Secure postinstall script:

#!/bin/bash

# Determine working directory

install_dir=$(dirname "$0")

#
# Installing Pulse Secure
#

# Specify location of the Pulse Secure disk image

  TOOLS=$install_dir/"PulseSecure.dmg"

# Specify location of the Pulse Secure configuration file

  VPN_CONFIG_FILE=$install_dir/"Filename_here.jnprpreconfig"

# Specify a /tmp/PulseSecure.XXXX mountpoint for the disk image

  TMPMOUNT=`/usr/bin/mktemp -d /tmp/PulseSecure.XXXX`

# Mount the latest Pulse Secure disk image to the /tmp/PulseSecure.XXXX mountpoint

  hdiutil attach "$TOOLS" -mountpoint "$TMPMOUNT" -nobrowse -noverify -noautoopen

# Install Pulse Secure

  /usr/sbin/installer -dumplog -verbose -pkg "$(/usr/bin/find "$TMPMOUNT" -maxdepth 1 \( -iname \*\.pkg -o -iname \*\.mpkg \))" -target "$3"

#
# Applying VPN configuration file
#

if [[ -d "$3/Applications/Pulse Secure.app" ]]; then

    echo "Pulse Secure VPN Client Installed"
    "$3/Applications/Pulse Secure.app/Contents/Plugins/JamUI/jamCommand" -importFile "$VPN_CONFIG_FILE"
    echo "VPN Configuration Installed"
else 
    echo "Pulse Client Not Installed" 
fi

#
# Clean-up
#

# Unmount the Pulse Secure disk image

  /usr/bin/hdiutil detach "$TMPMOUNT"

# Remove the /tmp/PulseSecure.XXXX mountpoint

  /bin/rm -rf "$TMPMOUNT"

exit 0

I just tested it today with Pulse Secure 5.2.5.869, as that's the newly-released Sierra-compatible Pulse Secure VPN client:

https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40245

SOLVED Posted: by kjohnston

@rtrouton Thank you. I copied what you had and everything worked perfectly. I think it may have been how I did the sudo part.
Either case things are working.

SOLVED Posted: by lonney.harper

I've run into a strange issue with jamCommand.

Setting this up, both the above mentioned way, and an alternative way mentioned below, and running it from Self Service I get an error.

To see where it was going wrong, I manually ran the commands in Terminal and found that the Pulse client opens and prompts for a username and password on the jamCommand step. I can't figure out why it's doing this. I have tried different versions of PulseSecure, compared my jnprpreconfig config with others that use this, and I don't see anything different. Wiped the machine and started again, you name it! It's a real mystery at the moment.

I also discovered perhaps an easier way to do this too: rather than create a package with the script and config file inside it, install the regular PulseSecure pkg/dmg, then add a simple script to JSS and run it to echo out the jnprpreconfig and run jamCommand:

#!/bin/sh
# VPN Config Script
# Write out config file to /tmp
cat <<EOF >/tmp/tpus.jnprpreconfig
## paste the contents of your jnprpreconfig file here
EOF
# Import Config into VPN Client
# (in a Jamf policy script $3 is the username, not the target volume as in a pkg postinstall, so the path is absolute)
"/Applications/Pulse Secure.app/Contents/Plugins/JamUI/jamCommand" -importfile /tmp/tpus.jnprpreconfig
rm /tmp/tpus.jnprpreconfig

I figure this way, you don't have to create a custom package, and the script is easily editable via JSS.

SOLVED Posted: by perkins

Issue that I have is that deploying Pulse Secure with the jnprpreconfig import still requires a full restart to display the list of connections in the Connections window. The install packages works. Not great UX.

I would like to avoid having to restart the Mac.

I am looking into how to unload and load the correct Daemon / Agent to get the connections to show up in the Connections window. Suggestions?

This command does work to unload the PulseTray or menu bar item:
sudo -u <user> launchctl unload /Library/LaunchAgents/net.juniper.pulsetray.plist

However, unloading and loading the PulseTray does not refresh the list in the Connections window.

This command does not work, resulting in "Could not find specified service": sudo /bin/launchctl unload /Library/LaunchDaemons/net.juniper.AccessService.plist

My guess is that the syntax is wrong. Ideas? Thank you!

SOLVED Posted: by AVmcclint

I package the installer I get from Junos and the jnprpreconfig file and put them in /Users/Shared/Pulse/ but you could put them in /tmp/Pulse if you wanted. This is the script I use and it works fine. NEW in 5.2.5: The name of the installed app is now just "Pulse Secure.app". The installer leaves behind an invisible "Junos Pulse Secure.app" if you're upgrading from the old version. I have a subsequent script to delete that too after the installation is complete.

#!/bin/sh

# Change working directory; stop if the staged files are missing
cd "/Users/Shared/Pulse/" || exit 1

# Install Pulse Secure software
/usr/sbin/installer -pkg PulseSecure\ 5.2.5.pkg -target /
sleep 1

/bin/chmod +x /Applications/Pulse\ Secure.app/Contents/Plugins/JamUI/PulseTray.app/Contents/MacOS/PulseTray
/bin/chmod +x /Applications/Pulse\ Secure.app/Contents/MacOS/Pulse\ Secure
/bin/chmod +x /Applications/Pulse\ Secure.app/Contents/Plugins/JamUI/jamCommand

# Launch the Pulse Tray
/usr/bin/open -a '/Applications/Pulse Secure.app/Contents/Plugins/JamUI/PulseTray.app/Contents/MacOS/PulseTray'
sleep 1

# Open Pulse Secure in the background and then hide the app
/usr/bin/open --background -a '/Applications/Pulse Secure.app/Contents/MacOS/Pulse Secure'
/usr/bin/osascript -e 'tell application "System Events" to set visible of application process "Pulse Secure" to false'
sleep 1 

# Import the company VPN settings. Specify your file here
/Applications/Pulse\ Secure.app/Contents/Plugins/JamUI/jamCommand -importFile MyCompany.jnprpreconfig  
sleep 1

# Quit the Pulse Secure app
/usr/bin/osascript -e 'tell application "Pulse Secure" to quit'
sleep 2

# Open Pulse Secure in the background a second time and then hide the app
/usr/bin/open --background -a '/Applications/Pulse Secure.app/Contents/MacOS/Pulse Secure'
/usr/bin/osascript -e 'tell application "System Events" to set visible of application process "Pulse Secure" to false'
sleep 5

# Quit the Pulse Secure app
/usr/bin/osascript -e 'tell application "Pulse Secure" to quit'

# cleanup after installation
rm -Rf /Users/Shared/Pulse

exit 0
SOLVED Posted: by perkins

Thanks @AVmcclint I appreciate the help.

SOLVED Posted: by dvasquez

The script from @rtrouton and using a few commands from @AVmcclint works well, no issues.

Question: has anyone run into the Pulse app always prompting for credentials to connect after reboot and/or login and logout?

This only happens when using an imported configuration.

Gracias

SOLVED Posted: by AVmcclint

You may want to speak with your network engineers or whoever built the Pulse configuration file for you. I've learned that they can lock down or open up and control certain aspects of how the Pulse program works via that config file. It sounds to me like maybe there's a setting within it that forces the computer to automatically reconnect. Whether that's by design or by accident would be for your network team to address and possibly give you a new config file. If they do that, then you'll have to run through the installer all over again to import the new config file.

SOLVED Posted: by dvasquez

I figured that was it.

I received another but there were issues. I am working with my Net-Team.

I am still testing at this point but once I get/if I get this I will post up.

Thank you.

SOLVED Posted: by baldiesrt

Hello,

I am new to Jamf and Macs. I have packaged Pulse Secure with all the company connections using Composer. I also verified that the connstore.dat file stored in /library/application support/pulse secure/pulse/connstore.dat has the connections listed. When installing the package on a new Mac, I do not see any connections listed, yet I can see them listed in the path above. I assume I need to use one of the scripts above to get the connections listed? If so, which one and how do I create the *.jnprpreconfig file? Can you also explain how to import this script to JSS so it runs after the Pulse install?

Thanks!

SOLVED Posted: by baldiesrt

Please disregard, after reboot, I was able to see the connections!

Thanks

SOLVED Posted: by rastogisagar123

Pulse Secure or Junos goes to Jamf MDM to confirm the Mac is compliant. Is it possible, and if yes, how can it be possible?

SOLVED Posted: by rihardsp

Hi,

In our environment we distinguish between managed and unmanaged macs with device certificates. It can be issued either using SCEP or AD certificate payload.
Pulse is configured to accept devices with certificates issued by our CA. Not ideal solution but it works for us.

SOLVED Posted: by ddcdennisb

@rastogisagar we used to use the host checker to look for the jamf binary to allow connection.

SOLVED Posted: by rastogisagar123

@rihardsp do you have any reference link please, when you say not ideal solution then what do you mean exactly?

SOLVED Posted: by rihardsp

@rastogisagar The certificate can be exported and imported to unmanaged device and it will become "compliant". There is a way to make scep certificates not exportable, as well as you can make the AD certs not exportable in the payload, but I think they will then require local admin rights for the user to use them. Not 100% sure, but I think I had this with AD certificates.
So maybe solution mentioned by @ddcdennisb might be more secure. I'm actually now considering to change it to this method.

SOLVED Posted: by rastogisagar123

@ddcdennisb will it make sure the jamf device is compliant if yes could you please help me walk through with process.

SOLVED Posted: by ddcdennisb

@rastogisagar what do you mean by jamf device is compliant.

We were using the fact that the machine had the jamf binary installed as being "compliant" in order to gain access to our VPN.

I was not the one that actually setup the host checker policy on the VPN Connector so I'm sorry but I won't be able to fully assist there.

SOLVED Posted: by gachowski

@rastogisagar

That is a great idea, I have reached out to Pulse Secure a few times asking for that feature (multiple calls) and they have not followed through ... If your network team has a good relationship with Pulse Secure maybe you could get them to ask Pulse Secure too?

With Jamf's "Jamf and" culture I am 1000% sure Jamf would work with them....

C

PS if you get any movement from Pulse Secure let me know and I will reach out again ...

SOLVED Posted: by rastogisagar123

@gachowski what do you mean by With Jamf's "Jamf and" culture I am 1000% sure Jamf would work with them....

SOLVED Posted: by gachowski

@rastogisagar

It's part of Jamf's DNA that they work with other software vendors to make our job easier ... They have worked with Cisco, Symantec, and Microsoft just to name a few. I am 1000% sure that the ball is in "Pulse Secure" court and we need to try and "force" them to work with Jamf.

Here are some other examples ...
https://marketplace.jamf.com/apps/

C

SOLVED Posted: by sdagley

@rastogisagar Pulse Secure can do quite a few different things to check for device compliance. Things we've used in our compliance matrix have included: jamf process running, boot drive encrypted with FileVault, version of installed McAFee software, and checksum of "fingerprint" file. Your admin for your Pulse Secure server should be able to configure this easily. If that's supposed to be you I suggest you contact Pulse Secure support about configuring compliance checks.

SOLVED Posted: by gachowski

@sdagley

You are right Pulse can do all those checks, however smart group integration with Jamf Pro would allow for more data points to check, faster adoption of Apple supported setting like SIP and real custom checks that are similar to what Pulse provides for windows.

C

SOLVED Posted: by rastogisagar123

@sdagley thanks a lot for your reply, do we need JAMF engagement in this, if this is the case then we need to engaged our JAMF technician. I am not from Pulse Secure , I am trying to collect information for my pulse secure team before jumping to any team , i should be aware if that can be feasible, whatever you have mentioned that sounds perfect for me. Do you have any reference or supporting link or document for the same.

SOLVED Posted: by gachowski

@rastogisagar

It's all configured on the Pulse box..

C

SOLVED Posted: by sdagley

@gachowski Are you thinking along the lines of the Network Integration feature in the JSS to provide compliance verification to Cisco ISE as a means of providing compliance verification for Pulse Secure? That could be useful if my VPN server folks were willing to cede Mac compliance control to Jamf Pro. Network Integration configurations are currently limited to one per Site, so my Support multiple Network Integration instances without requiring separate Sites Feature Request would hopefully come along for the ride.

SOLVED Posted: by sdagley

@rastogisagar The Mac compliance settings for Pulse Secure are completely independent of Jamf Pro, but will likely utilize the presence of the Jamf software on your Mac as a compliance item. Unfortunately I do not have any documentation I can share with you on the subject. You really need to work with your Pulse Secure team, and probably Pulse Secure's technical support, to get the compliance check appropriate for your environment configured.

SOLVED Posted: by rastogisagar123

@sdagley No worries, thanks a lot, makes sense. I need one expert advice from you. I am going for Classroom 200 certification. Please suggest how to prepare, any mock test or study material I need to go through.

SOLVED Posted: by sdagley

@rastogisagar Other than saying you should complete the online Jamf 100 course before taking the Jamf 200 course I don't have any specific advice on pre-course prep resources. Having completed your Jump Start, and having some hands on time with Jamf Pro would definitely help. I thought there were course specific resource references listed on the course description pages on the Jamf site, but I don't see those now, but they may be provided after you register. Take notes during the course, testing is (or at least used to be) open book, and for the 200 testing will pretty much be specific to material covered in the class. The 300 and 400 courses require deeper Mac knowledge and/or good search foo for Jamf Nation posts and Rich Trouton's blog on the subject in question.

SOLVED Posted: by sdagley

@rastogisagar I found the Jamf course resources page I was thinking of: Course Resources

SOLVED Posted: by gachowski

@sdagley

While I don't know all the details of the Cisco ISE integration, that is the "general" idea I tried to "sell" to Pulse Secure and was trying to get re-started again now. I don't think the server folks have to cede Mac compliance controls to Jamf... I just more controls than the Pulse offers, I am sort of sure that Pulse doesn't even do the checking I think it's a third party app that Pulse Secure runs inside Pulse. A true win would be the current Pulse checks plus Jamf Pro smart groups that way I can use EAs for even more checks.

C

SOLVED Posted: by nikjamf

Hi, The above scripts are not working with new Pulse Secure 9.0.3 and we really do not need to copy the config file when we use DUO authentication when you log in to the VPN. I'll appreciate if anybody has a new workflow building the package and post-install script for the new version. Also, we need the kext and Team ID. The MDM protocol specifies a kernel extension policy:
To approve Pulse Secure kernel extension thru MDM and without user consent, please add the following keys to the MDM kernel extension policy described above:
Team Identifier = 3M2L5SNZL8
Bundle Identifier of kext = net.pulsesecure.PulseSecureFirewall

Thanks in advance!

SOLVED Posted: by gachowski

@nikjamf

We are still using

/Applications/Pulse\ Secure.app/Contents/Plugins/JamUI/jamCommand -importfile /temp location

And the same process as my 2016 post in this thread...

I just tested minutes ago with yesterday's released Pulse 9.0r3.2-b1667 in our dev environment; it worked as it should...

C

SOLVED Posted: by Ram

Hi @nikjamf, I'm new to Mac packaging. I'm looking for help packaging Pulse Secure 9.0.3 with Composer. I'll appreciate it if anyone can help me.

Thank you .

SOLVED Posted: by gachowski

@Ram

You don't have to re-package Pulse, you can just upload the app... you just have to run

/Applications/Pulse\ Secure.app/Contents/Plugins/JamUI/jamCommand -importfile /temp location

To preload the connections ...

C

PS there is 9.1 available

SOLVED Posted: by Ram

@gachowski

Could you help me do this step by step to install pulse secure on mac devices from jamf . I really need help on this .

When i try to install manually on mac , it works without any issues and creates pulse secure folder in /Library/application support .

when uploading the same pkg to jamf, creating policy to make the pkg available in self service .

Trying to install the pkg its installing , but not working :(

There is only one log file inside Library/application support .

When opening pulse secure its throwing error as 'failed to connect to pulse secure service'

plz help

SOLVED Posted: by gachowski

@Ram

No promises but this is what we do...

  1. Add Pulse.app straight to Jamf Pro
  2. Download from your Pulse Server a custom components.jnprpreconfig file (this is just a .sh changed to .jnprpreconfig) but you have to follow the Pulse directions so you get the correct info in the file.
  3. Use composer to build a .pkg to store the components.jnprpreconfig in a temp location of your choice
  4. Install both the app and the components.jnprpreconfig file on the machine
  5. Using a 3rd script before you launch Pulse run /Applications/Pulse\ Secure.app/Contents/Plugins/JamUI/jamCommand -importfile / "temp location of your components.jnprpreconfig"

  6. Delete the components.jnprpreconfig file as it's plain text and has all your wifi info..

Old but still current I think..

https://www.juniper.net/documentation/software/pulse/guides/j-pulse-3.0R1-adminguide.pdf

https://community.pulsesecure.net/t5/Pulse-Connect-Secure/Where-to-obtain-jnprpreconfig-for-preconfigured-installation/td-p/5758

C

Like
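
Steps 3 to 6 above, and the earlier script in this thread that writes the configuration to a fixed name under /tmp, both leave a plain-text connection file on disk while a root-run script handles it. The following added example (not from any poster or from Pulse Secure) stages the file in a private mktemp directory and deletes it on every path; `import_pulse_config` is a hypothetical name, the jamCommand path and `-importFile` flag are the ones quoted in the thread, and jamCommand returning a non-zero status on failure is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. import_pulse_config is a hypothetical
# helper; the default jamCommand path is the one quoted in the posts above.
JAMCOMMAND="${JAMCOMMAND:-/Applications/Pulse Secure.app/Contents/Plugins/JamUI/jamCommand}"

# Reads a .jnprpreconfig on stdin, stages it in a private directory,
# imports it, and removes the staged copy whether or not the import works.
# Returns: 0 ok, 2 empty input, 3 jamCommand missing, 4 staging failed,
#          otherwise jamCommand's own exit status (assumed to be meaningful).
import_pulse_config() {
    if [ ! -x "$JAMCOMMAND" ]; then
        echo "jamCommand not found or not executable: $JAMCOMMAND" >&2
        return 3
    fi

    old_umask=$(umask)
    umask 077    # the staged file is created with mode 0600
    # mktemp -d creates an unpredictable 0700 directory, so a symlink
    # pre-planted at a fixed /tmp name cannot redirect a root-owned write.
    stage=$(mktemp -d "${TMPDIR:-/tmp}/pulsecfg.XXXXXX") || {
        umask "$old_umask"
        return 4
    }
    trap 'rm -rf "$stage"; exit 1' HUP INT TERM

    cfg="$stage/import.jnprpreconfig"
    rc=0
    cat > "$cfg" || rc=4
    if [ "$rc" -eq 0 ] && [ ! -s "$cfg" ]; then
        echo "no configuration data on stdin" >&2
        rc=2
    fi
    if [ "$rc" -eq 0 ]; then
        "$JAMCOMMAND" -importFile "$cfg" || rc=$?
    fi

    rm -rf "$stage"    # delete the plain-text config regardless of outcome
    trap - HUP INT TERM
    umask "$old_umask"
    return "$rc"
}

# Usage in a policy script (the contents line is a placeholder):
#   import_pulse_config <<'EOF'
#   ## paste the contents of your jnprpreconfig file here
#   EOF
# For a file dropped by a package:
#   import_pulse_config < "$file"; rm -f "$file"
```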
SOLVED Posted: by Ram

@gachowski thanks a lot for your reply !

Much helpful :)

SOLVED Posted: by csanback

we do what @gachowski describes

SOLVED Posted: by Winterpil

@gachowski Do you have a link to 9.1?

SOLVED Posted: by gachowski

@Winterpil

Sorry, you need a Pulse Secure account and then that account has to be linked to "your products" in their downloads section. Short version: you still need to work with your network team.

: )

C
