Posted on 02-28-2017 09:47 AM
I have created a custom .pkg for Cisco AnyConnect. It seems that after install the service isn't running so you have to reboot for the vpn to work. Can I make this as a post install script with composer and what service would that be?
Posted on 02-28-2017 10:39 AM
This package is an example of one where I would consider using the vendor-provided package as its scripts make changes to various things in the network stack.
If we want to customize, what I might do is create a "helper package" that is essentially a snapshot from the point of finishing the install of the vendor package to the point it is ready for the end user to login with. That way you can populate preference files and such. You could also consider installing with Cisco's AnyConnect profiles as well, but that may take some more advanced packaging. A snapshot is not a great choice here simply because AnyConnect does have an impact on network settings.
Posted on 02-28-2017 10:46 AM
The vendor told me to do this and they offer no other solution than what I have done. I just need the VPN server to start after the install.
Posted on 02-28-2017 10:53 AM
This is currently what I'm using for AnyConnect.
#!/bin/sh
## postinstall
pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3
# Install the software, applying the component selection in choices.xml
installer -package "/private/tmp/AnyConnect/AnyConnect.pkg" -target / -applyChoiceChangesXML "/private/tmp/AnyConnect/choices.xml"
# Keep the installer's exit status so a failed install is not reported as success
result=$?
# Hide the opt folder
chflags hidden /opt
# Remove the files from /private/tmp
/bin/rm -rf "/private/tmp/AnyConnect"
# 0 = Success, anything else = Failure
exit "$result"
choices.xml
<array>
<string>choice_fireamp</string>
<string>choice_websecurity</string>
<string>choice_posture</string>
<string>choice_nvm</string>
<string>choice_umbrella</string>
</array>
Posted on 02-28-2017 12:56 PM
Why not just have it require a reboot after install in the policy?
Posted on 02-28-2017 10:04 PM
We deploy this similarly to @jhbush1973. Use the vendor package and use the choice changes xml functionality of the command line installer command to choose the components you want to install and let the vendor package do its thing. No restarts or anything else like that required.
Posted on 03-01-2017 07:03 AM
I extract the bit I need from the AnyConnect pkg with Pacifist and then deploy with an xml for the connection setting.
Posted on 03-01-2017 07:06 AM
I would highly recommend you use our package as opposed to building your own but it can be modified and this is what I do. I'd be happy to help you @kericson with getting this working as you need it. Feel free to send me an email: jadavids AT cisco.com
Posted on 03-01-2017 07:14 AM
I think @iJake 's post coming from a Cisco employee is probably the gold standard saying that it is not a good idea to repackage this. I only go to a repackage personally if no other technique gets the software the way I want it on a system and that is very rare. I would be interested to see @iJake 's response to the original poster if he is offering custom help. I don't have to deploy AnyConnect too often, but having a bona fide recipe to get it deployed from a Mac guy at the vendor itself is the best that can be sought.
Posted on 03-06-2017 08:08 AM
Sorry it took a while for the reply but wanted to make sure the process worked for @kericson. Below is the process we use to package AnyConnect with only certain modules.
External Requirements:
Packages (http://s.sudre.free.fr/Software/Packages/about.html)
XML Editor (Such as TextWrangler, BBedit)
Overview:
Create Choice Change XML (See end of post)
Create Pre and Post flight scripts (See end of post)
Create wrapper package to install vendor AnyConnect.pkg with Choice Change XML
Create Choice Change XML:
Like the attached plist, you create an xml file saved as whatever name you like but ensuring it is in the proper plist format. I’ve already created it this time with the modules you want enabled.
Create Pre and Post Scripts:
I’ve attached examples of these scripts. You’ll see where to use them below.
The preflight closes AnyConnect if it is already installed and running.
The postflight installs the vendor package with the choices XML file so you only install what you want.
Create Wrapper package:
Create folder for AnyConnect Packages project. Here is how I structure my folders:
Open the Packages app to create a new Raw package and name it anything you like:
Choose an identifier (ours is com.cisco.x.x because we are Cisco. I would use something unique to you) and supply a version number for your package. I make the version number match the version of AnyConnect:
There is no payload to specify so you can skip this screen.
On the Scripts tab add your Pre and Post scripts and add the Choices xml and vendor package as additional resources:
(The file can be named whatever you would like. This was an example for @kericson )
Save the project and then choose to build it. You should now have a package, though unsigned, that will install only the modules you want. If you need to install profiles or other files you can create further packages or simply add to the payload. Packages can apply a cert to your package if you have one or you can sign it after you build it.
Choice XML Example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>attributeSetting</key>
<integer>1</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_vpn</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_websecurity</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_fireamp</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>1</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_dart</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>1</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_posture</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_iseposture</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_nvm</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_umbrella</string>
</dict>
</array>
</plist>
To see what these options are in the future when more modules might be added:
installer -showChoiceChangesXML -pkg AnyConnect.pkg
Preflight Script (just closes AC if already open):
#!/bin/bash
## BODY
osascript -e 'tell application "Cisco AnyConnect Secure Mobility Client" to quit'
## FOOTER
exit 0
Postflight Script Example:
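#!/bin/bash
# The vendor package and choices file are resources stored beside this script
ResourceLocation=$(dirname "$0")
PackageName="AnyConnect.pkg"
ChoicesXML="acChoices_TrueMFG.plist"
## BODY
if [[ -e "$ResourceLocation/$PackageName" ]]; then
    echo "Executing installer package"
    # -allowUntrusted lets installer accept a package signed by an untrusted or expired certificate
    installer -dumplog -verbose -pkg "$ResourceLocation/$PackageName" -target / -allowUntrusted -applyChoiceChangesXML "$ResourceLocation/$ChoicesXML"
    result=$?
else
    echo "Unable to locate installer package"
    ls "$ResourceLocation"
    result=1
fi
## FOOTER
# Exit with the installer's status so a failed or skipped install is reported as a failure
exit "$result"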
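A stricter variant of the postflight above, as an added example that is not part of the original post and not Cisco's own script: it pins the vendor package to the Team ID quoted later in this thread (DE8Y96K9QP) before installing and does not pass -allowUntrusted. The function names, the constructed sample pkgutil output and the status wording it matches are assumptions.

```shell
#!/bin/sh
# Added example: pin the vendor package's signer before installing it as root.
EXPECTED_TEAM_ID="DE8Y96K9QP"  # Cisco AnyConnect Team ID as quoted in this thread

# Print the Team ID of the leaf certificate from `pkgutil --check-signature` output.
team_id_from_signature() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*1\. Developer ID Installer: .*(\([A-Z0-9]\{10\}\))[[:space:]]*$/\1/p' |
        head -n 1
}

# Succeed only if the output ($1) shows a non-expired, trusted signature by team $2.
# The status wording matched here is an assumption about pkgutil's output.
signature_is_expected() {
    case "$1" in
        *expired*|*untrusted*) return 1 ;;
        *"Status: signed by "*) ;;
        *) return 1 ;;
    esac
    sig_team=$(team_id_from_signature "$1")
    [ -n "$sig_team" ] && [ "$sig_team" = "$2" ]
}

# Verify the package ($1), then install it with the choices file ($2).
# No -allowUntrusted, so installer also refuses an untrusted or expired signature.
install_verified_pkg() {
    sig_out=$(pkgutil --check-signature "$1") || { echo "Signature check failed: $1" >&2; return 1; }
    signature_is_expected "$sig_out" "$EXPECTED_TEAM_ID" || { echo "Unexpected signer: $1" >&2; return 1; }
    installer -pkg "$1" -target / -applyChoiceChangesXML "$2"
}

# Constructed samples of pkgutil output (fingerprint lines omitted) for offline checks.
SAMPLE_GOOD='Package "AnyConnect.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Cisco (DE8Y96K9QP)
    2. Developer ID Certification Authority
    3. Apple Root CA'
SAMPLE_UNSIGNED='Package "AnyConnect.pkg":
   Status: no signature'

# Act as the postflight only on macOS with the resources beside this script.
res_dir=$(dirname "$0")
if [ "$(uname)" = "Darwin" ] && [ -e "$res_dir/AnyConnect.pkg" ]; then
    install_verified_pkg "$res_dir/AnyConnect.pkg" "$res_dir/acChoices_TrueMFG.plist" || exit 1
fi
```

A non-zero exit from this script makes the wrapper package report the install as failed instead of silently succeeding with nothing installed.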
Posted on 03-06-2017 08:41 AM
I did pretty much exactly what @iJake did above. Actually, on my list of things to do was to document it. Thanks to him for saving me the trouble :)
Posted on 04-18-2017 04:24 PM
@iJake What is the acChoices_TrueMFG.plist? Is it the XML file to create connection profiles?
Posted on 04-18-2017 04:28 PM
@winterboer No, it is the file that controls what packages Installer installs. Specifically that name in the documentation above is just an example name.
Posted on 04-18-2017 04:32 PM
@winterboer It's an XML file you feed to the command line installer application to tell it what your choices are for what you are choosing to install. It's the XML equivalent of checking what you want to install in the GUI based install. You can learn more by looking at the man page for installer. But basically it's how you specify what's in this screenshot when you are doing an install from the command line.
Posted on 04-18-2017 05:42 PM
@chriscollins I built a custom installer using the directions above and I ended up with everything installed, I just want the VPN client. When I ran the GUI based installer it only offers VPN, everything else is greyed out.
Posted on 07-17-2017 12:43 PM
We're testing for an upgrade to version 4.5 of AnyConnect; is there a place in this recipe where we can prevent the app from becoming a user login item?
Posted on 07-17-2017 12:52 PM
@buckychappell I don't believe so but you can easily add as part of your post install script a step that just deletes or unloads the LaunchAgent plist file in "/Library/LaunchAgents/com.cisco.anyconnect.gui.plist"
Posted on 08-03-2017 09:17 AM
@iJake Quick question: what is the best way to install profiles for the various modules with your workflow? I'd like to just add it to the package that has the vendor installer and Choices Plist.
Posted on 08-03-2017 09:20 AM
@iJake Never mind, I see the answer above.
Posted on 08-21-2017 11:05 AM
@jhbush1973 I'm following your workflow and am having trouble with the XML file. Created one just like your example, and put it in the package. I've run xmllint in Terminal and it shows as a valid xml file but when I run the command I get an error that says it can't find the xml file or it's malformed. Any ideas?
Posted on 09-12-2017 08:13 AM
@chriscollins @buckychappell - I'm having the same auto login issue, but mine only seems to occur when the Cisco ISE Posturing package is deployed. I can manually kill it, but it returns after a computer restart. Did you have success?
Posted on 09-13-2017 08:59 AM
Same here @mhinsz . Auto login is a pain.
Posted on 11-30-2017 12:43 PM
I know this thread is a bit old but I was able to successfully deploy the Cisco AnyConnect VPN module and the ISE Posture Module (the only two we use) separately by extracting them with Pacifist. Yes I have to upload two separate .pkg's to the JSS but the result was smooth and everything works great.
Posted on 12-02-2017 07:15 AM
I have a question: which of the two v.4.5.x packages from Cisco is the one we need to download, the "pre-deploy," or "web-deploy?"
What's the difference?
Posted on 12-14-2017 11:41 AM
The packages I extracted were from the "pre-deploy" and they work fine.
Posted on 03-16-2018 11:39 AM
With this installer it does not show how you are supposed to add your own VPN Profiles. Also how are people dealing with the KEXT issue with 10.13 and the new version of anyconnect?
Posted on 03-16-2018 12:42 PM
@ostrowsp I'd suggest signing up for the jamf 10.3 beta where you can create and test Approved Kernel Extensions Configuration Profiles. The Team ID for Cisco AnyConnect is DE8Y96K9QP
Posted on 03-16-2018 12:49 PM
@ostrowsp : Take a look at this JN post
https://www.jamf.com/jamf-nation/discussions/26583/kextpocalyse-2-the-remediation-blog-post-by-our-own-franton
Posted on 05-14-2018 02:39 PM
Hey @iJake, I'm trying to follow this process and one additional thing that my admins want me to complete is to add some XML files that reference our 3 different VPN Servers...
How would I include this in the package?
Posted on 05-14-2018 02:46 PM
@boanes I package our profiles in a separate pkg that places them in either opt/cisco/anyconnect/profile or umbrella depending on what type of profile it is (this is manual just do both kinds in the same package). This profiles package is then part of the larger package that installs AC, Profiles, and some other bits all at once via individual packages.
Posted on 05-15-2018 09:54 AM
Sorry @iJake, I don't quite follow... Can you elaborate a bit more?
Posted on 05-16-2018 01:44 PM
Hey @iJake,
I got now what you're saying about the various profiles...
Right now I'm not quite sure how to build part 1 to this package... I've followed your process that you've outlined back on 3/6/17 and I'm running into issues...
When I build the package then attempt to deploy it, it doesn't install anything... help?
Posted on 07-19-2018 01:41 PM
Posted on 07-19-2018 02:44 PM
@saikitjk What's your email address, I've written down some instructions that I'd like you to go over and verify that they're clear...
Posted on 01-14-2019 09:35 AM
Hi all,
Sorry for bumping an old thread, but I was hoping I could get some insight for an issue I've been seeing.
Using @asommerio method, I pulled the VPN and Umbrella components from my pre-deploy DMG, but when I go to install them I get nothing but errors. Self Service reports an error upon install, and if I try to install them by hand, I'm getting this:
Is this related to some new Mojave security policy?
Posted on 01-22-2019 12:13 PM
@landon_Starr I am getting the same error on Mojave 10.14.2
Posted on 03-19-2019 06:34 AM
@kcadm @landon_Starr how did you work around this error? I'm seeing it on 10.14 and 10.13 so I don't think it's a Mojave issue. I'm trying to extract pkgs from v4.7 dmg.
Edit: choices.xml install (mostly following iJake's instructions above) worked fine.
Posted on 09-18-2019 12:13 PM
@boanes I am running into the same thing. I build it and it looks great and run it and there is nothing installed.
@iJake, any help would be great!
Posted on 09-18-2019 01:08 PM
Posted on 09-30-2019 05:23 PM
Am I missing the part where everyone has said where they're adding their VPN server address? Presumably we're all getting 4.8 ready for Catalina and the above workflows are great! I think we're up to 4 different ways to achieve the same result :D
I can't see anything obvious in /opt/cisco or ~/Library/Preferences/com.cisco. so I'm not sure where it contains the server address, or if we have to use AnyConnect Profile Editor to create it?
Edit: Just in case anyone else comes across this. In order to have your server address pre-fill in to the GUI, you need to install the Profile Editor Tool on to your Windows computer, launch VPN Profile Editor then choose Server List and edit the server address and FQDN. Export this .xml and copy it in to the /Profiles/vpn/ folder that's contained within your AnyConnect_PreDeploy.dmg. Now when you run the installer it'll reference the /profiles folder and basically copy the .xml in to /opt/cisco/anyconnect/profile/ post installation. When the end user launches AnyConnect for the first time, it'll have your server address pre-filled.