Deploying Pulse Secure Desktop Client
Pulse Secure Desktop Client Installation Overview
This section describes how to deploy Pulse Secure Desktop Client (Pulse Client) for Windows and Pulse Client for macOS client software from Pulse Policy Secure and Pulse Connect Secure platforms.
Pulse Policy Secure and Pulse Connect Secure include a default connection set and a default component set. These defaults enable you to deploy Pulse Client to users without creating new connection sets or component sets. The default settings for the client permit dynamic connections, install only the components required for the connection, and permit an automatic connection to Pulse Connect Secure or Pulse Policy Secure to which the endpoint connects.
In all deployment scenarios, you must have already configured authentication settings, realms, and roles.
You can deploy Pulse Client to endpoints from Pulse Connect Secure and Pulse Policy Secure in the following ways:
•Web install: With a Web install (also called a server-based installation), users log in to the Pulse Secure server's Web portal and are assigned to a role that supports a Pulse Client installation. When a user clicks the link to run Pulse Client, the default installation program adds Pulse Client to the endpoint and adds the default component set and the default connection set. If you do not make any changes to the defaults, the endpoint receives a Pulse Client installation in which a connection to the Pulse Secure server is set to connect automatically. You can edit the default connection set to add connections of other Pulse Secure servers and change the default options.
Note:The exact mechanism used to launch and install a particular Pulse Client from a web browser depends on a number of factors, including:
- The Pulse Client (Windows/Mac desktop client, Network Connect, Host Checker, WSAM, Windows Terminal Services, Secure Meeting client) being launched/installed.
- The endpoint operating system type and version.
- The web browser type and version.
- The security settings of the endpoint operating system and browser.
For a particular client/OS/browser combination, you may need to enable the appropriate technology on the endpoint device. For example, to launch the Pulse Client from Firefox on Windows, you will need to ensure that Java is enabled in Firefox on the end user's endpoint device. For more information, consult the "Adaptive Delivery" section of the Pulse Secure Supported Platforms Guide.
A Web install is not compatible with the Pulse Secure rebranding tool, BrandPackager.
•Preconfigured installer: Create the connections that an endpoint needs for connectivity and services, download the settings file (.pulsepreconfig), and download default Pulse Client installation program. For Windows endpoints you run the Pulse Client installation program by using an msiexec command with the settings file as an option. For OS X endpoints, you run the default installer and then import the .pulsepreconfig file using a separate command.
•Default installer: You can download the default Pulse Client installation program and distribute it to endpoints using your local organization's standard software distribution method (such as Microsoft SMS/SCCM). Pulse Client software is installed with all components and no connections. After users install a default Pulse Client installation, they can add new connections manually through Pulse Client user interface or by using a browser to access a Pulse Secure server's Web portal. For the latter, the Pulse Secure server's dynamic connection is downloaded automatically and the new connection is added to Pulse Client's connections list when the user starts Pulse Client by using the Pulse Secure server's Web portal interface. Dynamic connections are created as manual rather than automatic connections, which means that they are run only when the user initiates the connection or the user browses to a Pulse Secure server and launches Pulse Client from the server's Web interface.
If the Windows endpoints in your environment do not have admin privileges, you can use the Pulse Client Installer program, which is available on the admin console System Maintenance Installers page. The Pulse Client Installer allows users to download, install, upgrade, and run client applications without administrator privileges. In order to perform tasks that require administrator privileges, the Pulse Client Installer runs under the client's Local System account (a powerful account with full access to the system) and registers itself with Windows' Service Control Manager (SCM). An Active-X control or a Java applet running inside the user's Web browser communicates the details of the installation processes to be performed through a secure channel between the Pulse Secure server and the client system.
•Installing the Pulse Client Installer MSI package requires administrator rights to install onto your client systems. If you plan to use the EXE version, administrator rights are not needed as long as a previous version of the access service component (deployed through, for example, JIS, Pulse Client, and so forth) is already present. If policies are defined for your client with the group policy "Run only Allowed Windows Application", the following files must be allowed to run in the group policy. If not, client applications might not install.
•dsmmf.exe
•PulseCompMgrInstaller.exe
•PulseSetupClient.exe
•PulseSetupClientOCX.exe
•PulseSetupXP.exe
•uninstall.exe
•x86_Microsoft.*.exe
•You should ensure that the Microsoft Windows Installer exists on the client system prior to installing the Pulse Client Installer.
•Your end-users' client systems must contain either a valid and enabled Java Runtime Engine (JRE) or a current Pulse Connect Secure ActiveX control. If the client systems do not contain either of these software components, the users will be unable to connect to the gateway. If there is no JRE on your end-users' client systems, you should download an appropriate installer package from Maintenance > System > Installers. The service appears in the Windows Services (Local) list as Neoteris Setup Service. The service starts automatically on install and during client system start up.