Pulse Secure start before logon (PLAP)

We are trying to get Pulse Secure to allow a user to start the VPN before logon. We need this to be optional, not mandatory. This is easily accomplished in Cisco AnyConnect.

Our MSP is really struggling to get this working. Almost to the point that they are ready to throw in the towel. The best they can do is get it to start all the time. This is not acceptable as our general policy is to avoid having remote users connected via VPN unless it is actually needed.

I presume they configured always-on and machine connection.

What would be your requirement for “unless it is actually needed”?

Did they try to combine that with location awareness?

I don’t think this is possible with Pulse Secure, at least not before login. You can either do credential provider, in which case the VPN will launch at login, or you can launch it after login. However, if the user doesn’t have internet (or can’t establish a VPN), you can still configure it to let you log in with the cached credentials.

Thinking about it, what is the purpose of allowing the user to choose prelogin or not? If the user is given the choice to launch or not launch the VPN, why not just let them launch it post login? Generally prelogin VPN is used to enforce AD Auth of the user, or for Always On VPN which makes the device always connected and typically used either for high security environments or for patch management of road warriors. Is there something you’re looking for with pre-login?

Did you ever make any progress with this?

We want to have the user manually initiate the VPN connection only when needed. With Cisco, you just select the network icon on the lock screen, enter credentials and can then log in with user credentials to the desktop.

We are trying to deploy machines remotely using the MS Autopilot feature. The devices are to be co-managed with Intune and AD. We need this for the first login to AD. Everything else we have been able to solve.

We ended up having to do it with a machine connection one time to do the first login. We then delete the machine profile and go back to the regular Pulse behavior.

We only need to do this once.

I don’t think Pulse client supports the lock screen “VPN widget”.

You can definitely set it to be manual/user initiated connection when the user is logged in.

I’m not very familiar with Windows, but if that lock-screen connection is supported by the built-in IKEv2 client, you can use that one instead of the Pulse client. The problem might be there’s no split tunnel for IKEv2 connections.

I’m not familiar with requirements for Autopilot. I would probably just have it do prelogin, as it gives you more ability to deny access by just disabling the AD account if a user quits, especially in the world we are in now. If you really don’t want to do that, what I would do is create a realm/role/Pulse client connection set for onboarding. Have users connect to this sign-in policy for the initial login, which will deploy the prelogin (based on connection set). Once onboarding is done, have the user log in again, but this time connect to the regular sign-in policy. The Pulse client should get updated and remove the prelogin and replace it with the post-login connection in the client.

That’s an interesting scenario.

Do you include the Pulse client in the OS image?

Out of curiosity, how does the AnyConnect VPN work with GINA if user profiles are not active?

Would you mind sending me the command line you’re using for the install via Intune? I have the .intunewin file that I created but it’s failing.

Would you mind sharing how you did this? We’re struggling with this as well. I can’t get credential provider functioning, as it only works on domain joined machines, and I can’t domain join without the VPN…Argh.

Would truly appreciate it.

Can you please share the solution for using Pulse Secure. We are also using autopilot and also not able to sign into the device as it cannot connect to the domain controller and the Pulse Secure VPN connection is just not working.

We push the Pulse client via Intune to the device. The machine has no image on it when the process starts. Just Windows and drivers from the OEM. We then configure everything via Intune or SCCM via the Azure CMG.

Thanks for the info.

Most of my customers include the client with two profiles (machine and user) in pre-built images. After booting a laptop, it is basically the same; the machine connection comes up so a user account can be activated.

Why is it a problem if the machine connection is up until a user logs in?