Installing NetExtender on OS X El Capitan

On October 31, 2015, in Mac, Miscellaneous, by Anuj Gakhar

If you are trying to install Dell SonicWALL NetExtender (it’s a VPN client) on OSX El Capitan, you might run into a situation where it won’t connect to the VPN server and you might see this in the logs.

[xml]
10/31/2015 13:09:33.292 [general notice] SSL Connection is ready
10/31/2015 13:09:34.301 [general info] Using new PPP frame encoding mechanism
10/31/2015 13:09:34.302 [general info] Using PPP async mode
10/31/2015 13:09:34.308 [general info] Connecting tunnel…
10/31/2015 13:09:34.308 [general error] ERROR: Pppd is not setuid-root and the invoking user is not root. (3)
10/31/2015 13:09:34.308 [general fatal] Please delete and reinstall NetExtender, or run ‘chmod u+s /usr/sbin/pppd’ as an administrator.
10/31/2015 13:09:34.308 [general notice] SSL VPN logging out…
10/31/2015 13:09:35.094 [general notice] SSL VPN connection is terminated.
[/xml]

If you then try to do as the logs say, you won’t be able to do it.

[xml]
$ sudo chmod u+s /usr/sbin/pppd
Password:
chmod: Unable to change file mode on /usr/sbin/pppd: Operation not permitted
[/xml]

Apparently, there is a new feature called ‘System Integrity Protection‘ in OSX El Capitan, which restricts the root account to do perform certain actions.

System Integrity Protection is a security technology in OS X El Capitan that’s designed to help prevent potentially malicious software from modifying protected files and folders on your Mac.

In OS X, the “root” user account previously had no permission restrictions and could access any system folder or application on your Mac. Software gained root-level access when you entered your administrator name and password to install it and could then modify or overwrite any system file or application.

System Integrity Protection restricts the root account and limits the actions that the root user can perform on protected parts of OS X.

So, in order to fix the issue at hand, the System Integrity Protection (SIP) must be disabled first, then NetExtender must be installed and SIP must then be enabled back again. Here is MacWorld’s article on how to do it. Basically, these are the steps :-

  1. Restart your Mac in recovery mode (hold CMD+R during restart)
  2. Go to Utilities menu and open Terminal and type in the command ‘csrutil disable’
  3. Restart Mac again and run the command ‘sudo chmod u+s /usr/sbin/pppd’ and then install NetExtender again. Try connecting to VPN and confirm it works this time.
  4. Restart Mac again in recovery mode and run command ‘csrutil enable’

SIP enabling/disabling might be needed for a lot of other reasons, however, I needed it today to install NetExtender. But the same steps could be followed for any other command that’s been restricted because of this new feature.

 

4 Responses to Installing NetExtender on OS X El Capitan

  1. Jeff Gauthier says:

    Thanks very much Anuj. You helped me get my Net Extender VPN connection working. Very much appreciated. Jeff

  2. Pratap says:

    Thank you Anuj, that help me fix my Net Extender VPN too.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

© 2011 Anuj Gakhar
%d bloggers like this: