KB15208 - Why am I receiving "Setup Control - Warning" when I launch PCS client components? Is it required to launch/install PCS/PPS client components?

This article shows how to address the inherent trust problems with two launch mechanisms, as administrators can create a text file (called a whitelist) that contains a list of trusted PCS Series and/or Pulse Policy Secure appliances, fully qualified domain names (FQDN) or IP addresses, one per line. The article addresses the issue of: "Why am I receiving "Setup Control - Warning" when I launch PCS client components? Is it required to launc/install PCS/PPS client components?"

When software launches from a PCS Appliance or PPS Appliance that is not in the administrator whitelist or the user whitelist, the user is prompted if they want to launch the software with the message "Do you want to download, install and/or execute software from the following server". If the user declines, the launch fails.  If the user accepts, the launch proceeds. The user also has the option to automatically add the PCS Series Appliance to the user whitelist file by selecting one of the following options from the message window:

• Always - Add the server to the user whitelist file and download, install or launch the software
• Yes - Download, install or launch the software but don’t add the server to the user whitelist file
• No - Don’t download, install or launch software and don’t add the server to the user whitelist file

When software launches from an PCS SeriesAppliance or PPS that is not in the administrator whitelist and Allow Admin List Only enforcement is used, the launch fails and the user receives the error message “You are not allowed to launch software downloaded from the following server. Contact your system administrator for assistance.”  If the PCS Series Appliance or PPS Appliance is in the administrator whitelist, the launch proceeds as requested.

• ActiveX controls (available only for Windows/IE)
• Java applets

• When the user trusts an ActiveX control that control is trusted forever.
• When trusting a Java applet, users are trusting all code that is signed by the exact same code signing certificate.

• Admin whitelist - The admin whitelist file can be modified only by the endpoint administrator. The administrator must use SMS or other mechanism to copy the admin whitelist file to the end-user's system. Admin whitelist files are located in:
   

  OS	Location
  Windows	%ProgramFiles%\Juniper Networks\Whitelist.txt
  Macintosh and Linux	/usr/local/juniper/whitelist.txt

• User whitelist - Users can themselves make the decision to trust a PCS Appliance. When the user makes a decision to trust a PCS Appliance, the PCS Appliance is added to the user whitelist. User whitelist files are located in:
   

  OS	Location
  Windows	%AppData%\Juniper Networks\Whitelist.txt
  Macintosh	/~/Library/Application Support/Juniper Networks/whitelist.txt
  Linux	/~/.juniper_networks/whitelist.txt

AllowAdminListOnly
qa.pulsesecure.net
dev1.pulsesecure.net
172.XX.XX.XXX

• For Active/Passive clusters enter the VIP in the whitelist (if using IP-based access to the cluster); otherwise, use the FQDN.
• For Active/Active clusters enter the load balancer hostname in the whitelist.

1. If the URL of the page initiating the launch does not begin with HTTPS, abort the launch and notify the user.
2. Else if the admin whitelist exists:
   • If the origin site is listed in the whitelist, proceed with the launch.
   • If the origin site is not in the whitelist and the whitelist starts with “AllowAdminListOnly”, abort the launch and notify the user.
3. Else if the user whitelist exists:
    
   • If the origin site is in the user whitelist, proceed with the launch.
4. Prompt the user if they trust the origin site.
5. If the user agrees to trust the origin:
    
   • If they select Always then add the server to user whitelist file. 
   • Proceed with the launch.
6. Abort the launch.