Skip to main content

Hi all,

I've seen various threads on this, some dating back to years ago, and I was hoping to get some concrete suggestions on the most efficient way to go about this.

We're wanting to deploy only the VPN, Umbrella, and AMP portions of AnyConnect, along with their respective config files from our organization. I've seen seen mention of using the Packages app, as well as Pacifist, but going that route leads to the com.apple.installer issue. I've tried a myriad of different things, but I can't seem to get it setup without issue.

Any insight is greatly appreciated!

As information (and maybe as reminder for me when I face the same problem again)
I first did as described above:

mounted the anyconnect-macos-4.9.06037-predeploy-k9.dmg and copied the AnyConnect.pkg to my Desktop
Then I expanded it with the command:

pkgutil --expand AnyConnect.pkg  pkg_dev/expand/AnyConnect

Now I deleted all pkgs inside I don't need (we only need the VPN installer) and edited the Distribution File by deleting or commenting out the not needed installation pkgs
After that I did:

pkgutil --flatten pkg_dev/expand/AnyConnect AnyConnect.pkg

I was able to install this pkg by double clicking it but JAMF was not able to install it for me
Error: pkg uses a deprecated pre-10.2 format
Also did not delete the not needed pkgs, same error

What was then working was just flatten the vpn_module.pkg

pkgutil --flatten pkg_dev/expand/AnyConnect/vpn_module.pkg Cisco AnyConnect 4.9.06037_VPNonly.pkg

Now the installation with JAMF was working.

Maybe this might be useful for someone else ;)
BR
Daniel


Hello dptratl how do you add the profile and choice into the package?

Hello dptratl how do you add the profile and choice into the package?


I currently have the latest version of anyconnect packages this way.

I have found that changing the name of the package to any thing other that AnyConnect.pkg that is created by the process and it will fail to install. Create the package and after that renaming will work.

I would not delete any thing from the package. I don't and it works. only change you make is editing the distribution file. 

 

Also there have been questions on the profiles in this PKG. I do not include these but rather place the correct xml file in the /opt directory location for profiles. You just package this with composer from a working system. It will install the profile. After that our concentrators will send any update's. 

Hello dptratl how do you add the profile and choice into the package?


Hi @EddyLara,

 

We provide the profile and connection nodes with a seperate pkg which installs the edited AnyConnectProfile.xml to the path /opt/cisco/anyconnect/profile/

 

I hope that helps.

BR
Daniel  

I am packaging AnyConnect 4.8 for Catalina. This is the first version that will actually work correctly with 10.15. I am not doing any thing different than with previous versions.

Expand the anyconnect.pkg so you can modify the dist file

Pkgutil --expand AnyConnect.pkg ~/Documents/AnyConnectVPN

then I opened the Distribution file inside of the expanded package

This is what I wanted to install
<choices-outline> <line choice="choice_vpn"/>

<line choice="choice_dart"/>

<line choice="choice_posture"/>

</choices-outline>

Save the list file

Flatten the pkg and then you can install.

pkgutil --flatten ~/Documents/AnyConnectVPN ~/Desktop/AnyConnect.pkg

This works for us.


I can confirm that this works for 4.9 on Monterey. Just need to get the extension to auto approve so the user doesnt have to.

For the record, I tried using pkgutil to remove the VPN as we do not need it.. But it breaks the installation.

I am able to remove everything else, just not VPN.

Anyone else having this issue I am open to hearing any work arounds.

I was repacking version 4.10.06 today with only VPN and DART modules, everything was working fine, as usual. Tested, installed recombined package. 

I was repacking version 4.10.06 today with only VPN and DART modules, everything was working fine, as usual. Tested, installed recombined package. 


can you share how you repackage? I am working on the same with the newer Cisco Secure Client 5.0 and tried the following:

pkgutil --expand Path/Cisco\\ Secure\\ Client.pkg  path/Cisco\\ Secure\\ Client
pkgutil --flatten path/Cisco\\ Secure\\ Client Path/Cisco\\ Secure\\ Client.pkg

but I still get a "uses a deprecated pre-10.2 format (or uses a newer format but is invalid)." I didn't rename the pkg till after the flatten

Could I just pull the PKGs i need after its expanded and install them both with one policy or is that resources folder needed?

can you share how you repackage? I am working on the same with the newer Cisco Secure Client 5.0 and tried the following:

pkgutil --expand Path/Cisco\\ Secure\\ Client.pkg  path/Cisco\\ Secure\\ Client
pkgutil --flatten path/Cisco\\ Secure\\ Client Path/Cisco\\ Secure\\ Client.pkg

but I still get a "uses a deprecated pre-10.2 format (or uses a newer format but is invalid)." I didn't rename the pkg till after the flatten

Could I just pull the PKGs i need after its expanded and install them both with one policy or is that resources folder needed?


I ended up leaving all the PKGs inside and just editing the distribution file to only include the parts I needed. That was able to run through self service without errors.

Hi all,

Greetings from 2025! I just stumbled onto this thread.  It would have been helpful to me a while back, but I built another solution. 🤣

Seeking to use JAMF Composer, I put together a procedure for putting your `choices.xml` and DMG into a package, and a modified `postinstall` that installs using the `choices.xml`.  

https://github.com/atlauren/CiscoSecureClient-choices.xml-Composer-Jamf

Enjoy!

 

-Andrew

Terms & ConditionsCookie settingsAccessibility statement