Build a package for Cisco Secure Client 5 (replacing Umbrella)

wolfhead
New Contributor III

As Cisco is phasing out just Umbrella we have to create a package using their secure client instead.  Whilst I have followed the instructions here (https://docs.umbrella.com/deployment-umbrella/docs/customize-macos-anyconnect-installation#prerequis...) to customise the installation on a single machine, I have been completely unsuccessful is creating a package from the customisation.  

Has anyone done this and if so could they share what they did?  It does not help when the help documents refer to the product as anyconnect still, and some of the documents online I did find about building a package in Composer refer to xml files which do not exist in the updated secure client...so I am stuck on this.

Many thanks!

18 REPLIES 18

Nicholaus
Contributor

Which XML files does it reference that don't exist in the new install?

wolfhead
New Contributor III

Some of the documentation relates to anyconnect and refers to profile xml - the cisco secure documentation which in theory is updated (but still calls it anyconnect) is the one I referenced above and it works on a single installation but I cannot get a package created from it thus I cannot deploy it.

 

vcherubino
New Contributor III

I'm having trouble as well. Having a hard time rebuilding Secure Client in Composer with the old HCS Online docs. I did it once and have been unable to do it again in recent versions.

wolfhead
New Contributor III

I've been able to do it finally with a mixed method but so far it seems successful.

1 - I followed the instructions here (https://docs.umbrella.com/deployment-umbrella/docs/customize-macos-anyconnect-installation) to edit the xml files to hide the VPN component, and to only install DART and Umbrella.

2 - I created a tmp folder and copied the installation pkg into it and also the Profiles folder you get in the DMG and put my two xml files in it and by org.json file into the umbrella folder.

3 - I used Composer to create a package of this (the pkg and the profiles folder and contents) and uploaded to JAMF

4 - I created a policy which installs that package (so all it does is basically create the folder and copy the contents into it) and also on that policy I have two scripts.  The first runs the installer command shown on the Cisco page, but from that folder:

#!/bin/bash

installer -pkg /Library/tmp/Cisco\ Secure\ Client.pkg -applyChoiceChangesXML /Library/tmp/Profiles/install_choices.xml -target /

exit 0

The second opens it once installed as by default it does not automatically open like Umbrella did:

#!/bin/bash

open /Applications/Cisco/Cisco\ Secure\ Client.app

exit 0

5 - This policy is set to run based on a smart group which computers are only added to once they have a configuration file installed which permits the applications to run in the background etc. via extension kernel (this is also referenced on that Cisco page)

6 - So far that seems to be working in testing but have not deployed to student devices just yet.

Hi,

Recently gone through the same steps for some reason I'm still not able to get it to deploy properly the package say successfully deployed however I don't see cisco in application I also did get an error on the script path

"

Script exit code: 1
Script result: installer: Error - the package path specified was invalid: 'u/Library/tmp/Cisco Secure Client.pkg'.

Error running script: return code was 1."

could you please assist me I'm not sure whats the best way to you reach you however.

wwhite36
New Contributor II

Is it possible to see the layout of #3? I have had success previously with just VPN but bundling with Umbrella now having issue getting the Umbrella Service turn active. I have the Json in right area but I think the issue for me is how its being packaged in composer. Once I run it through Jamf doesnt work. Any help would be great. 

vcherubino
New Contributor III

For my org, we have to leave the json out. Network team has it so the ASA downloads and activates it, so it may be the same for your org.

wolfhead
New Contributor III

They have released newer instructions which seem to work just fine - just pay attention to the subfolders as last I looked, they did not show consistent images.

 

https://support.umbrella.com/hc/en-us/articles/23515921165844-How-to-deploy-Cisco-Secure-Client-via-...

wwhite36
New Contributor II

So I ended up figuring out the issue this morning, going to say it here just incase someone else runs into issue. Cisco wouldnt show up in login items and oddly that was keeping umbrella from going active. There's a link I found in here to help

https://community.jamf.com/t5/jamf-nation/cisco-secure-client-5-1-0-136-anyconnect-vpn-service-not-e...

wolfhead
New Contributor III

Yes I keep forgetting that - I had to add them manually as it is not part of their set up - the newer instructions certainly help but they are not perfect but it should get everything working!

SMR1
Contributor III

We use the below to create our Anyconnect pkg's including the new agent.

 

GitHub - talkingmoose/Choices-Packager: Creates an Apple Installer package bundled with a Choices XM...

vcherubino
New Contributor III

This is by far the easiest method. It was also the only one that fully worked for me.

Thanks for this!

msergi
New Contributor III

the steps @wolfhead outlined are the correct process - or similar - there are a few ways to do it. In my case,

Edit the choices XML and package it, and any other files you need (vpn profile xml, umbrella json etc) with composer this creates your "support files", install this pkg to a temp directory in the policy. in the same policy CACHE the secure client PKG installer, and then use a script to run the install and any file ops you need. here is what my script looks  like.

sudo installer -pkg /Library/Application\ Support/JAMF/Waiting\ Room/CiscoSecureClient5.0.05040.pkg -applyChoiceChangesXML /Users/Shared/SecureClientSupportFiles/SecureClient_install_choices.xml -target /
mkdir -p /opt/cisco/anyconnect/Umbrella/ && cp /Users/Shared/SecureClientSupportFiles/OrgInfo.json /opt/cisco/secureclient/Umbrella/OrgInfo.json
mkdir -p /opt/cisco/anyconnect/profile/ && cp /Users/Shared/SecureClientSupportFiles/vpnprofile.xml /opt/cisco/secureclient/vpn/profile/vpnprofile.xml
open -a /Applications/Cisco/Cisco\ Secure\ Client.app

Jmardian
New Contributor III

Hi All, 

I've been trying to get this to work for weeks and I've succumbed to a slipshod method that works but only if I manually run sudo jamf policy on every device, which is less than ideal.  I've followed @wolfhead's method more or less and I continually get the following error: 

Script result: installer: Package name is Cisco Secure Client
installer: choices changes file '/private/tmp/csc_choices.xml' applied installer: Installing at base path / installer: The install failed. (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance. An error occurred while running scripts from the package “Cisco Secure Client.pkg”.) 

I believe I have set the proper permissions in Composer, so I am not sure what is broken here. When I run sudo jamf policy, the pkg downloads; however, I still see the above message in the Logs even though the pkg downloads on the device. My script looks like this: 

#!/bin/bash

installer -pkg /private/tmp/Cisco\ Secure\ Client.pkg -applyChoiceChangesXML /private/tmp/csc_choices.xml -target /

exit 0

Like I mentioned, if I run a sudo jamf policy under the local admin user the package will download properly along with the XML choices. It just won't download when pushed from Jamf.  

Any ideas? 

msergi
New Contributor III

have you tried putting the Sudo in the script in front of installer like my example?

Jmardian
New Contributor III

Yeah, same error pops up in the log even with the sudo. 

Jmardian
New Contributor III

I am wondering if this actually any issue with DUO Desktop. First off, I don't even want DUO, but it seems to be included with the Cisco Secure Client PKG.  When I run sudo jamf policy, the first thing that appears to download is the DUO Desktop App. I see DUO needs a cert... could that potentially be the issue? I'm clutching at straws here... 

Jmardian
New Contributor III

SO, after hours of sleuthing, I found the issue. The Secure Client PKG I am using packages Duo Desktop along with it. The installation errors were occurring due to cert I didn't for DUO not the Secure Client... SUPER ANNOYING. And none of Cisco's documentation mentioned anything about needing a cert for DUO, which is hilarious because I don't even need DUO in the first place... Anyways, if anyone comes across this issue, follow the instructions here to create and push out the config for DUO before installing the Cisco Secure Client: https://help.duo.com/s/article/6403?language=en_US 

 

The issue had nothing to do with the secure client install script after all.