I have created a custom .pkg for Cisco AnyConnect. It seems that after install the service isn't running so you have to reboot for the vpn to work. Can I make this as a post install script with composer and what service would that be?
This package is an example of one where I would consider using the vendor-provided package as its scripts make changes to various things in the network stack.
If we want to customize, what I might do is create a "helper package" that is essentially a snapshot from the point of finishing the install of the vendor package to the point it is ready for the end user to log in with. That way you can populate preference files and such. You could also consider installing with Cisco's AnyConnect profiles as well, but that may take some more advanced packaging. A snapshot is not a great choice here simply because AnyConnect does have an impact on network settings.
The vendor told me to do this and they offer no other solution than what I have done. I just need the VPN server to start after the install.
This is currently what I'm using for AnyConnect.
#!/bin/sh
## postinstall
pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3
# Install the software and keep the installer's exit status
installer -package "/private/tmp/AnyConnect/AnyConnect.pkg" -target / -applyChoiceChangesXML "/private/tmp/AnyConnect/choices.xml"
status=$?
# Hide the opt folder
chflags hidden /opt
# Remove the files from /private/tmp
/bin/rm -rf "/private/tmp/AnyConnect"
# Report the installer's result instead of always exiting 0
if [ "$status" -eq 0 ]; then
    exit 0 ## Success
fi
exit 1 ## Failure
choices.xml
<array>
<string>choice_fireamp</string>
<string>choice_websecurity</string>
<string>choice_posture</string>
<string>choice_nvm</string>
<string>choice_umbrella</string>
</array>
Why not just have it to require a reboot after install in the policy?
We deploy this similarly to @jhbush1973. Use the vendor package and use the choice changes xml functionality of the command line installer command to choose the components you want to install and let the vendor package do its thing. No restarts or anything else like that required.
I extract the bit I need from the AnyConnect pkg with Pacifist and then deploy with an xml for the connection setting.
I would highly recommend you use our package as opposed to building your own but it can be modified and this is what I do. I'd be happy to help you @kericson with getting this working as you need it. Feel free to send me an email: jadavids AT cisco.com
I think @iJake's post coming from a Cisco employee is probably the gold standard saying that it is not a good idea to repackage this. I only go to a repackage personally if no other technique gets the software the way I want it on a system and that is very rare. I would be interested to see @iJake's response to the original poster if he is offering custom help. I don't have to deploy AnyConnect too often, but having a bona fide recipe to get it deployed from a Mac guy at the vendor itself is the best that can be sought.
Sorry it took a while for the reply but wanted to make sure the process worked for @kericson. Below is the process we use to package AnyConnect with only certain modules.
External Requirements:
Packages (http://s.sudre.free.fr/Software/Packages/about.html)
XML Editor (such as TextWrangler, BBEdit)
Overview:
Create Choice Change XML (See end of post)
Create Pre and Post flight scripts (See end of post)
Create wrapper package to install vendor AnyConnect.pkg with Choice Change XML
Create Choice Change XML:
Like the attached plist, you create an xml file saved as whatever name you like but ensuring it is in the proper plist format. I’ve already created it this time with the modules you want enabled.
Create Pre and Post Scripts:
I’ve attached examples of these scripts. You’ll see where to use them below.
The preflight closes AnyConnect if it is already installed and running.
The postflight installs the vendor package with the choices XML file so you only install what you want.
Create Wrapper package:
Create folder for AnyConnect Packages project. Here is how I structure my folders:
Open the Packages app to create a new Raw package and name it anything you like:
Choose an identifier (ours is com.cisco.x.x because we are Cisco. I would use something unique to you) and supply a version number for your package. I make the version number match the version of AnyConnect:
There is no payload to specify so you can skip this screen.
On the Scripts tab add your Pre and Post scripts and add the Choices xml and vendor package as additional resources:
(The file can be named whatever you would like. This was an example for @kericson )
Save the project and then choose to build it. You should now have a package, though unsigned, that will install only the modules you want. If you need to install profiles or other files you can create further packages or simply add to the payload. Packages can apply a cert to your package if you have one or you can sign it after you build it.
Choice XML Example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>attributeSetting</key>
<integer>1</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_vpn</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_websecurity</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_fireamp</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>1</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_dart</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>1</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_posture</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_iseposture</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_nvm</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_umbrella</string>
</dict>
</array>
</plist>
To see what these options are in the future when more modules might be added:
installer -showChoiceChangesXML -pkg AnyConnect.pkg
Preflight Script (just closes AC if already open):
#!/bin/bash
## BODY
osascript -e 'tell application "Cisco AnyConnect Secure Mobility Client" to quit'
## FOOTER
exit 0
Postflight Script Example:
#!/bin/bash
# Folder holding this script and the additional resources added in Packages
ResourceLocation=$(dirname "$0")
PackageName="AnyConnect.pkg"
ChoicesXML="acChoices_TrueMFG.plist"
## BODY
if [[ -e "$ResourceLocation/$PackageName" ]]; then
    echo "Executing installer package"
    # Install only the modules selected in the choices file
    installer -dumplog -verbose -pkg "$ResourceLocation/$PackageName" -target / -allowUntrusted -applyChoiceChangesXML "$ResourceLocation/$ChoicesXML"
else
    echo "Unable to locate installer package"
    ls "$ResourceLocation"
fi
## FOOTER
exit 0
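A variant of the postflight above that checks who signed the vendor package before installing it and hands the installer's exit status back to the wrapper, as an added example that is not part of the original post or Cisco's own script. `EXPECTED_TEAM_ID` is a placeholder, the function names, return codes and the `PKGUTIL`/`INSTALLER` variables are hypothetical, and the matched text assumes the usual output layout of `pkgutil --check-signature`.

```shell
#!/bin/sh
# Added example: verify the vendor package's signer, then install it.

# Placeholder (assumption): replace with the Team ID printed by
# `pkgutil --check-signature` for a copy of the package you trust.
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-TEAMID0000}"
# Tool paths are variables so a test can substitute stand-ins.
PKGUTIL="${PKGUTIL:-/usr/sbin/pkgutil}"
INSTALLER="${INSTALLER:-/usr/sbin/installer}"

# signed_by_team SIG_OUTPUT TEAM_ID
# Succeeds only if pkgutil reported an Apple-issued developer certificate
# and the leaf certificate is a Developer ID Installer cert for TEAM_ID.
signed_by_team() {
    printf '%s\n' "$1" |
        grep -q 'Status: signed by a developer certificate issued by Apple' ||
        return 1
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*1\. Developer ID Installer: .*\('"$2"'\)[[:space:]]*$'
}

# install_vendor_pkg PKG CHOICES
# Returns 2 (missing file), 3 (pkgutil error), 4 (wrong signer),
# otherwise the exit status of installer itself.
install_vendor_pkg() {
    ivp_pkg=$1
    ivp_choices=$2
    if [ ! -f "$ivp_pkg" ] || [ ! -f "$ivp_choices" ]; then
        echo "Missing package or choices file" >&2
        return 2
    fi
    ivp_sig=$("$PKGUTIL" --check-signature "$ivp_pkg" 2>&1) || return 3
    signed_by_team "$ivp_sig" "$EXPECTED_TEAM_ID" || return 4
    # -allowUntrusted is left out so installer keeps its own trust check.
    "$INSTALLER" -pkg "$ivp_pkg" -target / \
        -applyChoiceChangesXML "$ivp_choices"
}

# Installer passes the package path, target location and target volume
# as $1-$3; with no arguments (e.g. when loaded by a test) nothing runs.
if [ "$#" -ge 3 ]; then
    here=$(dirname "$0")
    install_vendor_pkg "$here/AnyConnect.pkg" "$here/acChoices_TrueMFG.plist"
    exit $?
fi
```

A non-zero exit from a postflight makes the wrapper install fail, so a rejected or missing vendor package shows up as a failed policy rather than a silent success.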
I did pretty much exactly what @iJake did above. Actually, on my list of things to do was to document it. Thanks to him for saving me the trouble :)
@iJake What is the acChoices_TrueMFG.plist? Is it the XML file to create connection profiles?
@winterboer No, it is the file that controls what packages Installer installs. Specifically that name in the documentation above is just an example name.
@winterboer It's an XML file you feed to the command line installer application to tell it what your choices are for what you are choosing to install. It's the XML equivalent of checking what you want to install in the GUI based install. You can learn more by looking at the man page for installer. But basically it's how you specify what's in this screenshot when you are doing an install from the command line.
@chriscollins I built a custom installer using the directions above and I ended up with everything installed, I just want the VPN client. When I ran the GUI based installer it only offers VPN, everything else is greyed out.
We're testing for an upgrade to version 4.5 of AnyConnect; is there a place in this recipe where we can prevent the app from becoming a user login item?
@buckychappell I don't believe so but you can easily add as part of your post install script a step that just deletes or unloads the LaunchAgent plist file in "/Library/LaunchAgents/com.cisco.anyconnect.gui.plist"
@iJake Quick question: what is the best way to install profiles for the various modules with your workflow? I'd like to just add it to the package that has the vendor installer and Choices Plist.
@iJake Never mind, I see the answer above.
@jhbush1973 I'm following your workflow and am having trouble with the XML file. Created one just like your example, and put it in the package. I've run xmllint in Terminal and it shows as a valid xml file but when I run the command I get an error that says it can't find the xml file or it's malformed. Any ideas?
@chriscollins @buckychappell - I'm having the same auto login issue, but mine only seems to occur when the Cisco ISE Posturing package is deployed. I can manually kill it, but it returns after a computer restart. Did you have success?
Same here @mhinsz . Auto login is a pain.
I know this thread is a bit old but I was able to successfully deploy the Cisco AnyConnect VPN module and the ISE Posture Module (the only two we use) separately by extracting them with Pacifist. Yes I have to upload two separate .pkg's to the JSS but the result was smooth and everything works great.
- Open .DMG with Pacifist and navigate to the AnyConnect.pkg
- The dropdown will show you the packages for all of the modules within the main AnyConnect.pkg
- Choose the ones you want to deploy later and use the "Extract Subpackages" option.
- Upload to the JSS and create your policy for deployment. That's it.
Hope this helps anyone not keen on editing XML and plist files.
I have a question: which of the two v.4.5.x packages from Cisco is the one we need to download, the "pre-deploy," or "web-deploy?"
What's the difference?
The packages I extracted were from the "pre-deploy" and they work fine.
With this installer it does not show how you are supposed to add your own VPN Profiles. Also how are people dealing with the KEXT issue with 10.13 and the new version of AnyConnect?