


KB43839 - System Extension Blocked when installing Pulse Desktop client 9.0 on macOS 10.13 and up



Last Modified Date: 9/14/2018 8:30 PM
This article describes an issue on macOS 10.13 and above where the following pop-up may appear during Pulse Desktop client 9.0 installation:
System Policy is preventing loading PulseSecure.  Please click ALLOW button for "Pulse Secure LLC" under Security & Privacy Settings.

Problem or Goal
When installing Pulse Desktop client 9.0 and up on macOS 10.13 and up, the pop-up quoted above is displayed.

Until "Pulse Secure LLC" is allowed in the Security & Privacy settings of the System Preferences, the VPN tunnel will not be established. The following error will be generated:
Connection Error:

Error 1205 (Error 1205)

No additional details available.

This issue is caused by a change to the kext installation procedure in macOS High Sierra. When an application tries to install a kernel extension (kext), macOS prompts the user to authorize the installation of the kext.

In earlier versions of macOS, the kext was installed automatically without the user being prompted.

Starting with macOS High Sierra, if the user does not manually allow the Pulse Secure LLC service in the Security & Privacy settings of the System Preferences, then the Pulse Secure service will be turned off until further notice. This will prevent any VPN tunnels from connecting.
There is a local solution and an MDM solution for this issue.

Local Solution:

Follow the steps below to authorize the kext for full functionality of the Pulse desktop client for macOS:
Authorize kext in System Preferences
  1. Click the Apple menu at the top left of your desktop.
  2. Click System Preferences.
  3. Click Security & Privacy.
  4. Click the lock to make changes.
  5. Click the General tab.
  6. Under Allow apps downloaded from, select App Store and identified developers.
  7. Look for the following message: System software from developer "Pulse Secure LLC" was blocked from loading.
  8. Next to the message click Allow to enable the extension.
  9. Close the Security & Privacy window.
  10. The kernel extension has been authorized and full functionality of the Pulse Desktop client should be available.

MDM Solution:

Starting with macOS 10.13.4, User Approved Kernel Extension Loading is enabled on all devices, including those enrolled in MDM. Use the Kernel Extension Policy payload to:
  • Specify which kernel extensions should load without user consent.
  • Optionally prevent users from approving additional kernel extensions.
The MDM protocol specifies a kernel extension policy.
To approve the Pulse Secure kernel extension through MDM without user consent, add the following keys to the MDM kernel extension policy described above:
Team Identifier = 3M2L5SNZL8
Bundle Identifier of kext = net.pulsesecure.PulseSecureFirewall
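
The two values above, placed in a Kernel Extension Policy payload, as an added example (not part of the original article and not Pulse Secure's own tooling). It uses Apple's payload type `com.apple.syspolicy.kernel-extension-policy` with its `AllowedKernelExtensions` and `AllowUserOverrides` keys; `org_prefix` and the display names are hypothetical placeholders.

```python
import plistlib
import uuid

# Identifiers taken from this article.
TEAM_ID = "3M2L5SNZL8"
KEXT_BUNDLE_ID = "net.pulsesecure.PulseSecureFirewall"
KEXT_POLICY_TYPE = "com.apple.syspolicy.kernel-extension-policy"


def build_profile(allow_user_overrides, org_prefix="com.example.mdm"):
    """Build a configuration profile dict with one Kernel Extension Policy payload.

    org_prefix and the display names are hypothetical placeholders.
    """
    policy = {
        "PayloadType": KEXT_POLICY_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": org_prefix + ".kextpolicy.pulsesecure",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Pulse Secure kernel extension approval",
        # Approve only the named kext. Listing the team under
        # AllowedTeamIdentifiers instead would approve every kext it signs.
        "AllowedKernelExtensions": {TEAM_ID: [KEXT_BUNDLE_ID]},
        # False stops users approving additional kexts in Security & Privacy.
        "AllowUserOverrides": allow_user_overrides,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_prefix + ".kextpolicy",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Kernel Extension Policy",
        "PayloadContent": [policy],
    }


def render(profile):
    """Serialize the profile as an XML property list (.mobileconfig body)."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def approved_kexts(profile_bytes):
    """Return the (team, bundle) pairs a serialized profile pre-approves."""
    pairs = set()
    for payload in plistlib.loads(profile_bytes)["PayloadContent"]:
        if payload.get("PayloadType") == KEXT_POLICY_TYPE:
            for team, bundles in payload.get("AllowedKernelExtensions", {}).items():
                pairs.update((team, bundle) for bundle in bundles)
    return pairs


if __name__ == "__main__":
    print(render(build_profile(allow_user_overrides=False)).decode())
```

`approved_kexts` can be run over any exported profile to confirm that it pre-approves only the intended kext before the profile is pushed to devices.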
Related Links
This approval UI is only present in the Security & Privacy preferences pane for 30 minutes after the alert. Until the user approves the KEXT, future load attempts will cause the approval UI to reappear but will not trigger another user alert.

For more information please refer to 
Attachment 1 
Created By: Nirmal Sivagananam


