Posted on 12-06-2023 09:36 AM
As Cisco is phasing out just Umbrella we have to create a package using their secure client instead. Whilst I have followed the instructions here (https://docs.umbrella.com/deployment-umbrella/docs/customize-macos-anyconnect-installation#prerequis...) to customise the installation on a single machine, I have been completely unsuccessful is creating a package from the customisation.
Has anyone done this and if so could they share what they did? It does not help when the help documents refer to the product as anyconnect still, and some of the documents online I did find about building a package in Composer refer to xml files which do not exist in the updated secure client...so I am stuck on this.
Many thanks!
Posted on 12-06-2023 09:41 AM
Which XML files does it reference that don't exist in the new install?
Posted on 12-06-2023 09:47 AM
Some of the documentation relates to anyconnect and refers to profile xml - the cisco secure documentation which in theory is updated (but still calls it anyconnect) is the one I referenced above and it works on a single installation but I cannot get a package created from it thus I cannot deploy it.
Posted on 12-07-2023 06:35 AM
I'm having trouble as well. Having a hard time rebuilding Secure Client in Composer with the old HCS Online docs. I did it once and have been unable to do it again in recent versions.
Posted on 12-07-2023 06:49 AM
I've been able to do it finally with a mixed method but so far it seems successful.
1 - I followed the instructions here (https://docs.umbrella.com/deployment-umbrella/docs/customize-macos-anyconnect-installation) to edit the xml files to hide the VPN component, and to only install DART and Umbrella.
2 - I created a tmp folder and copied the installation pkg into it and also the Profiles folder you get in the DMG and put my two xml files in it and by org.json file into the umbrella folder.
3 - I used Composer to create a package of this (the pkg and the profiles folder and contents) and uploaded to JAMF
4 - I created a policy which installs that package (so all it does is basically create the folder and copy the contents into it) and also on that policy I have two scripts. The first runs the installer command shown on the Cisco page, but from that folder:
#!/bin/bash
installer -pkg /Library/tmp/Cisco\ Secure\ Client.pkg -applyChoiceChangesXML /Library/tmp/Profiles/install_choices.xml -target /
exit 0
The second opens it once installed as by default it does not automatically open like Umbrella did:
#!/bin/bash
open /Applications/Cisco/Cisco\ Secure\ Client.app
exit 0
5 - This policy is set to run based on a smart group which computers are only added to once they have a configuration file installed which permits the applications to run in the background etc. via extension kernel (this is also referenced on that Cisco page)
6 - So far that seems to be working in testing but have not deployed to student devices just yet.
Posted on 12-11-2023 01:27 PM
Hi,
Recently gone through the same steps for some reason I'm still not able to get it to deploy properly the package say successfully deployed however I don't see cisco in application I also did get an error on the script path
"
Script exit code: 1 |
Script result: installer: Error - the package path specified was invalid: 'u/Library/tmp/Cisco Secure Client.pkg'. |
Error running script: return code was 1." could you please assist me I'm not sure whats the best way to you reach you however. |
Posted on 05-02-2024 04:31 PM
Is it possible to see the layout of #3? I have had success previously with just VPN but bundling with Umbrella now having issue getting the Umbrella Service turn active. I have the Json in right area but I think the issue for me is how its being packaged in composer. Once I run it through Jamf doesnt work. Any help would be great.
Posted on 05-03-2024 08:47 AM
For my org, we have to leave the json out. Network team has it so the ASA downloads and activates it, so it may be the same for your org.
Posted on 05-03-2024 08:51 AM
They have released newer instructions which seem to work just fine - just pay attention to the subfolders as last I looked, they did not show consistent images.
Posted on 05-03-2024 09:01 AM
So I ended up figuring out the issue this morning, going to say it here just incase someone else runs into issue. Cisco wouldnt show up in login items and oddly that was keeping umbrella from going active. There's a link I found in here to help
Posted on 05-03-2024 09:03 AM
Yes I keep forgetting that - I had to add them manually as it is not part of their set up - the newer instructions certainly help but they are not perfect but it should get everything working!
Posted on 12-08-2023 11:22 AM
We use the below to create our Anyconnect pkg's including the new agent.
Posted on 01-16-2024 02:28 PM
This is by far the easiest method. It was also the only one that fully worked for me.
Thanks for this!
Posted on 12-12-2023 06:54 AM
the steps @wolfhead outlined are the correct process - or similar - there are a few ways to do it. In my case,
Edit the choices XML and package it, and any other files you need (vpn profile xml, umbrella json etc) with composer this creates your "support files", install this pkg to a temp directory in the policy. in the same policy CACHE the secure client PKG installer, and then use a script to run the install and any file ops you need. here is what my script looks like.
sudo installer -pkg /Library/Application\ Support/JAMF/Waiting\ Room/CiscoSecureClient5.0.05040.pkg -applyChoiceChangesXML /Users/Shared/SecureClientSupportFiles/SecureClient_install_choices.xml -target /
mkdir -p /opt/cisco/anyconnect/Umbrella/ && cp /Users/Shared/SecureClientSupportFiles/OrgInfo.json /opt/cisco/secureclient/Umbrella/OrgInfo.json
mkdir -p /opt/cisco/anyconnect/profile/ && cp /Users/Shared/SecureClientSupportFiles/vpnprofile.xml /opt/cisco/secureclient/vpn/profile/vpnprofile.xml
open -a /Applications/Cisco/Cisco\ Secure\ Client.app
Posted on 01-10-2024 12:23 PM
Hi All,
I've been trying to get this to work for weeks and I've succumbed to a slipshod method that works but only if I manually run sudo jamf policy on every device, which is less than ideal. I've followed @wolfhead's method more or less and I continually get the following error:
Script result: installer: Package name is Cisco Secure Client
installer: choices changes file '/private/tmp/csc_choices.xml' applied installer: Installing at base path / installer: The install failed. (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance. An error occurred while running scripts from the package “Cisco Secure Client.pkg”.)
I believe I have set the proper permissions in Composer, so I am not sure what is broken here. When I run sudo jamf policy, the pkg downloads; however, I still see the above message in the Logs even though the pkg downloads on the device. My script looks like this:
#!/bin/bash
installer -pkg /private/tmp/Cisco\ Secure\ Client.pkg -applyChoiceChangesXML /private/tmp/csc_choices.xml -target /
exit 0
Like I mentioned, if I run a sudo jamf policy under the local admin user the package will download properly along with the XML choices. It just won't download when pushed from Jamf.
Any ideas?
Posted on 01-10-2024 12:32 PM
have you tried putting the Sudo in the script in front of installer like my example?
Posted on 01-10-2024 12:36 PM
Yeah, same error pops up in the log even with the sudo.
Posted on 01-10-2024 02:42 PM
I am wondering if this actually any issue with DUO Desktop. First off, I don't even want DUO, but it seems to be included with the Cisco Secure Client PKG. When I run sudo jamf policy, the first thing that appears to download is the DUO Desktop App. I see DUO needs a cert... could that potentially be the issue? I'm clutching at straws here...
Posted on 01-12-2024 01:01 PM
SO, after hours of sleuthing, I found the issue. The Secure Client PKG I am using packages Duo Desktop along with it. The installation errors were occurring due to cert I didn't for DUO not the Secure Client... SUPER ANNOYING. And none of Cisco's documentation mentioned anything about needing a cert for DUO, which is hilarious because I don't even need DUO in the first place... Anyways, if anyone comes across this issue, follow the instructions here to create and push out the config for DUO before installing the Cisco Secure Client: https://help.duo.com/s/article/6403?language=en_US
The issue had nothing to do with the secure client install script after all.