Can't Install Cisco AnyConnect Via Self Service

derek_ritchison
Contributor

I know there are already a number of discussions about deploying AnyConnect, but I haven't seen anything regarding my situation exactly. Here's what I'm doing:

I open Jamf Composer and drop the AnyConnect .pkg file into the left side pane.
I choose "Convert To Source."
I save as a package.
I move the package to JSS via Jamf Admin.
I set up the Policy and point it to the Package using the Jamf Cloud.
I test on a dummy MacBook running Self Service. The installer "runs" but only drops the package in the root folder of the HD.

I cannot get the installer to actually run and install the application in the way that it does for every other app I've set up in Composer.

Once this is resolved I will also need to package an XML file with our VPN server's information, but that seems to be well documented in the forums here.

10 REPLIES 10

jtarantino
New Contributor II

Hi Derek,

You don't need to create a custom package to add an XML config file.
You will have a painful process to create again the package after each AnyConnect update (while it is likely that your config file don't change frequently).

Alternatively you can keep original AnyConnect.pkg and include it in JSS. You will update it after each Cisco update.
In the meantime you create a AnyConnectSettings.pkg and included it in JSS (using a postinstall script).

The SelfService policy will first install Cisco package then the settings package.

In addition to reducing maintenance load it will also avoid to sign Cisco's package with you own DeveloperID.
On a security point of view this is a weakness because you 'whitelist' any package with your own corporate signature, bypassing Apple's trust chain for original provider.

acaveny
New Contributor III

@derek.ritchison ,

I follwed the repackaging notes here:

https://www.jamf.com/jamf-nation/discussions/18309/cisco-vpn-anyconnect-client-packaging-issues

Worked well for me. Composer would break the installer. Using pkgutil seemed to resolve those issues.

Hope this helps!

derek_ritchison
Contributor

I appreciate the tips, but we may have to back way up to see what I'm doing wrong. I've attempted to create this package many, many, many different ways. Each time, after adding the policy to Self Service and pointing it to my package I get one of three things.

1/ an install the finishes and drops a package named AnyConnect.pkg into the "Macintosh HD/" root folder

2/ an install that finishes but as far as I can tell does absolutely nothing

3/ an install that gives me an error

Every other package I've build I simply drag the .pkg or .dmg file (or even the installed app after installing on my dummy computer) into Composer, click "Convert to Source," and then choose that source and select "Build as PKG." Then I upload that package to my JSS. What is different about Composer that won't let me do this?

cpdecker
Contributor III

@derek.ritchison , try dropping the original AnyConnect.pkg that you haven't edited in any way straight into Jamf Admin. Don't do anything in Composer yet. Some .pkg files work this way, although I'm not well-versed enough to understand or explain the difference between those that do and those that don't. Add that .pkg to a policy and see if you can get it to install on your test machine.

I am not familiar with the process with AnyConnect but I'm guessing you can create a package via Composer after the fact that just includes your XML file and stick it in whatever directory you need. Pair that with your untouched .pkg into one single policy so they run at the same time and you might be golden. Sounds like the two previous posters understand the process much better than I but it seems like you may be confused about the ability to drag some .pkg's straight into Jamf Admin so there's my two cents.

Best of luck!

derek_ritchison
Contributor

Will try that now! Thanks! I'm wondering though if this will try to install all of the Cisco apps and not just the VPN client. Somehow I might have to "unpack" the original Cisco package and only upload the VPN portion of the installer to Jamf Admin. Will update shortly.

derek_ritchison
Contributor

Same results, unfortunately. It simply "installs" the AnyConnect.pkg file here:

8020121af34c43f389aafdb8b64dbebd

CapU
Contributor III

What happens when you use Composer to capture the install then build as a dmg?

derek_ritchison
Contributor

I'm not sure what you mean by capture the install. Are you saying to try exactly what I'd been doing already, but then choosing DMG this time? I can do that. I haven't yet...

iJake
Valued Contributor

@derek.ritchison Follow my below guide on how to create a package to only install certain modules of AnyConnect. The package you make following that guide can be put directly into Casper Admin.

How Cisco packages AnyConnect Internally

brytox
New Contributor III

I reply just the default pkg and then the config after, just quit and relaunch the agent.

Means you can have different setup for different people, we have some user who use the vpn module and some who don’t but everyone has the compliance one enabled.