Juniper Network Connect fails in Mac OS 10.10

https://coderwall.com/p/_gpxpq/workaround-for-failing-juniper-network-connect-in -yosemite

Text of site:

The current version 8.0.7 of Network Connect and the latest Yosemite 10.10.1 don't like each other: you simply can't connect.

A workaround (and it should be nothing more if you care) is to allow unsigned kernel extensions (which are unsupported/disabled in Yosemite by default):

sudo nvram boot-args="kext-dev-mode=1"

(reboot afterward) To revert this:

sudo nvram -d boot-args

Looks like this is also helpful for some other problematic extensions.

Thank you!!

This tweak worked for Network Connect 8.0.7 on OS X 10.10.5.

Thanks so much!

Also I've heard that in OSX 11 will not allow allow unsigned kernel extensions. So please as long as Network Connect doesn't update, don't update to 10.11 !!

deedougie wrote:

Also I've heard that in OSX 11 will not allow allow unsigned kernel extensions. So please as long as Network Connect doesn't update, don't update to 10.11 !!

El Capitan does still allow unsigned kernel extension but like Yosemite you have to turn off requiring signed extensions. Wether this alone is sufficient you will have to try as I fortunately in my current job do not have to suffer Java based VPN client software.

Personally I regard all Java based VPN clients like Juniper as the work of cyber-terrorists.

I know why they use Java - because it allows an 'easy' way to push the entire VPN client and configuration to clients via a simple webpage but the stupidity of this approach is that it requires installing support for Java in a web-browser which is by far the most insecure thing you can do and I would say is even worse than (gag!) Flash. Because Java is cross-platform it means even Macs are then rendered as vulnerable as Windows PCs.

Due to this Apple do periodically send out updates to their XProtect list which disables Java completely until Oracle issue a new 'fixed' version. This can and has resulted in everybody losing the ability to access for example a Juniper VPN system for several days. The worst case I personally experienced was when Apple disabled Java on a Friday and because of a bank holiday it was a Tuesday before a fixed version from Oracle become available meaning four days downtime.

In case you are wondering what one should use instead, I would suggest using Apple's built-in VPN client. Both iOS9 and El Capitan now support as standard both Cisco IPSec (with certificates), and now IKEv2 (with certificates) clients. One can then push out configurations via a MDM solution. No need for messing about with Java and in theory an end to operating system updates breaking your VPN client each time.

Can you tell me where/how to download the Network Connect client? My client uses it for Windows but doesn't have Mac clients. The Juniper website (juniper.net) makes no mention of it and I'm loath to download it from a 3rd party site. Or doesn't it work that way?

Lord Swad wrote:

Can you tell me where/how to download the Network Connect client? My client uses it for Windows but doesn't have Mac clients. The Juniper website (juniper.net) makes no mention of it and I'm loath to download it from a 3rd party site. Or doesn't it work that way?

Typically it is made downloadable from the Juniper appliance itself - if the administrator has ticked the option to allow it to be downloaded. This would then allow a web address to download it from. The URL would look something like http://address.of.your.juniper.appliance/dana-cached/nc/NetworkConnect.dmg

The more common way is to also use a web address again accessing your Juniper appliance which then runs a Java applet which automates checking for whether Network Connect is already installed, whether it is the right version and if either is not true downloading and installing Network Connect for you. This all sounds fine and dandy and a clever solution but has one huge flaw - IT REQUIRES ENABLING JAVA IN YOUR WEB-BROWSER. This is by far the most likely means of also exposing your computer to malware. The irony of a security product requiring Java web applet support is staggering. (This is by no means solely a Juniper issue.) A lot of network administrator chose to only enable this method because it also installs the settings as well client software and they sadly appear oblivious to all the Java related issues. (Shudder 😮.)

I personally prefer using the built-in VPN client on Mac and iOS and pushing settings via an MDM system. This ensures you are using the VPN client that is part of the relevant operating system and therefore has the best possible chance of being compatible with that operating system and does not require enabling the dreaded Java web-browser support.

OS X and iOS have built-in support in order of best first

IKEv2

Cisco IPSec

L2TP

PPTP

PS. Juniper's Network Connect has been superseded by their Pulse client. It is slightly less offensive than Network Connect but not much. All the same issues as above still apply.