KB25581 - Pulse Secure Desktop (Windows or macOS) client is intermittently disconnecting for multiple users at random intervals

This issue will occur when Pulse Secure Desktop client is preinstalled on a base image which is used to deploy to multiple machines.  If this is true, the local machine ID stored in the connection store file may be the same on multiple machine.

When a Pulse Secure Desktop client connects to the PCS device, some session data is sent including the local machine identifier in the connection store file.  The Pulse Connect Secure device identifies each user sessions by the local machine identifier and expects this value to be unique. If multiple connections are sending the same machine identifier, the PCS device will terminate the oldest session for security reasons.

To determine if Pulse Secure Desktop client users are affected by this issue, collect the LogsAndDiagnostics.zip from the multiple Pulse Secure Desktop client (File > Logs > Save As).  From the logs, browse to the Connection Store folder and open the connstore.dat file. With a text editor and locate the following parameter:
 

machine "local" {
     guid: "d96b50d4275ef266d402348641e6b57b10b48bd3"
     pulse-language: "en-US"
}

If the guid string is identical across multiple client PC's, then this confirms the issue.

Pulse 5.0R1 and above (Windows Only):

The Pulse Secure Desktop installer has a new flag called SHAREDINSTALL. This flag should be set to 1, as shown in the following example, when the installer is being used to create a base shared image that will be deployed to multiple computers. When set to 1, it will install the Pulse application on the image without starting any processes. This will prevent the guid parameter from being generated on a shared image installation. This unique guid parameter will be auto-generated when the Pulse Secure Network Service are started for the first time on the actual machine.

To implement this mode, add "SHAREDINSTALL=1" to support deployment on a shared operating system image.

Example:   msiexec -i <MSI FILE PATH> SHAREDINSTALL=1

Limitations:

• SHAREDINSTALL and CONFIGFILE (preconfiguration file) flags cannot be used at the same time.

If deploying a pre-configuration file is required, the following command will need to be manually executed or scripted on the end user machine once the image has been deployed.

1. Navigate to C:\Program Files (x86)\Common Files\Pulse Secure\JamUI via command line
2. Run jamCommand.exe -importFile <PRECONFIGURATION PATH>

Mac OS X:

Pulse 5.0R1 and below:

In the following versions, deploying Pulse Secure Desktop client on a shared operating system image is not supported.   The following manual solution can be implemented if machines have been deployed with a duplicate machine guid.

When deploying Pulse Secure Desktop client, which is pre-installed for a Windows OS image being shared across multiple endpoints, the guid value for the local machine should be removed from the configuration file after installation. This ensures that the configuration data files in the root image does not contain a guid value that would be replicated on all machines.  A new and unique guid value will be generated for each user when Pulse Secure Desktop client is launched and run for the first time.

Perform the following procedure to reset the guid for users who have already installed Pulse Secure Desktop client and have duplicate guid values in the configuration file:

1. Browse to C:\Program Files(x86)\Common Files\Juniper Networks\Connection Store and open the connstore.dat file in a text editor.
2. Locate the following parameter:

machine "local" {
    guid: "41cbc0d2a1a100855755b4355d6d2579836694cd"
    pulse-language: "en-US"
}

3. Remove the guid value from the parameter by deleting the entire second line. This will change the parameter setting to:

machine "local" {
    pulse-language: "en-US"
}

4. Save the modified connstore.dat file to the original directory.
   
   Note: It may be necessary to edit the connstore.dat file in a Text Editor, which is ,Run As Administrator if these changes are made locally from the affected PC, due to the folder and file permissions that are set on the directory.
5. Go to Task Manager > Services tab, locate and stop the JuniperAccessService service, and/or reboot the device to restart the service. When the service is restarted and Pulse Secure Desktop has been launched again, a new and unique guid will be generated and stored in the user's connstore.dat file.

#!/bin/bash
# stop pulse access service
# remove local guid from connstore.dat
# restart service
sudo launchctl unload /Library/LaunchDaemons/net.juniper.AccessService.plist
sudo sed -i .bak "/guid/d" "/Library/Application Support/Juniper Networks/Junos Pulse/connstore.dat"
sudo launchctl load /Library/LaunchDaemons/net.juniper.AccessService.plist

#!/bin/bash
# stop pulse access service
# remove local guid from connstore.dat
# restart service
sudo launchctl unload /Library/LaunchDaemons/net.pulsesecure.AccessService.plist
sudo rm -rf "/Library/Application Support/Pulse Secure/Pulse/DeviceId"
sudo sed -i .bak "/guid/d" "/Library/Application Support/Pulse Secure/Pulse/connstore.dat"
sudo launchctl load /Library/LaunchDaemons/net.pulsesecure.AccessService.plist

Note: The connstore.dat file also contains the connections that are displayed in the Pulse Secure Desktop UI, when it is launched. It is recommended that the above procedure be performed to modify only the portion of the connstore.dat file which was specified above to resolve this issue, as opposed to deleting the connstore.dat file from the user's machine. If the connstore.dat file is deleted from the machine, the user will need to manually recreate any and all connections that they regularly access.