I have created a custom .pkg for Cisco AnyConnect. It seems that after install the service isn't running so you have to reboot for the vpn to work. Can I make this as a post install script with composer and what service would that be?
This package is an example of one where I would consider using the vendor-provided package as its scripts make changes to various things in the network stack.
If we want to customize, what I might do is create a "helper package" that is essentially a snapshot from the point of finishing the install of the vendor package to the point it is ready for the end user to log in with. That way you can populate preference files and such. You could also consider installing with Cisco's AnyConnect profiles as well, but that may take some more advanced packaging. A snapshot is not a great choice here simply because AnyConnect does have an impact on network settings.
This is currently what I'm using for AnyConnect.
```sh
#!/bin/sh
## postinstall

pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3

# Install the software
installer -package "/private/tmp/AnyConnect/AnyConnect.pkg" -target / -applyChoiceChangesXML "/private/tmp/AnyConnect/choices.xml"

# Hide the opt folder
chflags hidden /opt

# Remove the files from /private/tmp
/bin/rm -rf "/private/tmp/AnyConnect"

exit 0		## Success
exit 1		## Failure
```

choices.xml

```xml
<array>
    <string>choice_fireamp</string>
    <string>choice_websecurity</string>
    <string>choice_posture</string>
    <string>choice_nvm</string>
    <string>choice_umbrella</string>
</array>
```
I think @iJake's post coming from a Cisco employee is probably the gold standard saying that it is not a good idea to repackage this. I only go to a repackage personally if no other technique gets the software the way I want it on a system and that is very rare. I would be interested to see @iJake's response to the original poster if he is offering custom help. I don't have to deploy AnyConnect too often, but having a bona fide recipe to get it deployed from a Mac guy at the vendor itself is the best that can be sought.
Sorry it took a while for the reply but wanted to make sure the process worked for @kericson. Below is the process we use to package AnyConnect with only certain modules.
XML Editor (Such as TextWrangler, BBedit)
Create Choice Change XML (See end of post)
Create Pre and Post flight scripts (See end of post)
Create wrapper package to install vendor AnyConnect.pkg with Choice Change XML
Create Choice Change XML:
Like the attached plist, you create an xml file saved as whatever name you like but ensuring it is in the proper plist format. I’ve already created it this time with the modules you want enabled.
Create Pre and Post Scripts:
I’ve attached examples of these scripts. You’ll see where to use them below.
The preflight closes AnyConnect if it is already installed and running.
The postflight installs the vendor package with the choices XML file so you only install what you want.
Create Wrapper package:
Create folder for AnyConnect Packages project. Here is how I structure my folders:
Open the Packages app to create a new Raw package and name it anything you like:
Choose an identifier (ours is com.cisco.x.x because we are Cisco. I would use something unique to you) and supply a version number for your package. I make the version number match the version of AnyConnect:
There is no payload to specify so you can skip this screen.
On the Scripts tab add your Pre and Post scripts and add the Choices xml and vendor package as additional resources:
(The file can be named whatever you would like. This was an example for @kericson )
Save the project and then choose to build it. You should now have a package, though unsigned, that will install only the modules you want. If you need to install profiles or other files you can create further packages or simply add to the payload. Packages can apply a cert to your package if you have one or you can sign it after you build it.
Choice XML Example:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_vpn</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_websecurity</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_fireamp</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_dart</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_posture</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_iseposture</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_nvm</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_umbrella</string>
    </dict>
</array>
</plist>
```
To see what these options are in the future when more modules might be added:
installer -showChoiceChangesXML -pkg AnyConnect.pkg
Preflight Script (just closes AC if already open):
```bash
#!/bin/bash

## BODY
osascript -e 'tell application "Cisco AnyConnect Secure Mobility Client" to quit'

## FOOTER
exit 0
```
Postflight Script Example:
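```bash
#!/bin/bash

# Directory this script runs from; the vendor package and choices plist are expected beside it
ResourceLocation=$(dirname "$0")
PackageName="AnyConnect.pkg"
ChoicesXML="acChoices_TrueMFG.plist"

## BODY
if [[ -e "$ResourceLocation/$PackageName" ]]; then
    echo "Executing installer package"
    # -applyChoiceChangesXML limits the install to the modules selected in the plist
    # -allowUntrusted accepts a package signed by an untrusted or expired certificate
    installer -dumplog -verbose -pkg "$ResourceLocation/$PackageName" -target / -allowUntrusted -applyChoiceChangesXML "$ResourceLocation/$ChoicesXML"
else
    echo "Unable to locate installer package"
    ls "$ResourceLocation"
fi

## FOOTER
exit 0
```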
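An added example (not from any poster in this thread or from Cisco): a Python check that parses a choice-changes plist in the dict form of the Choice XML Example above and reports which modules it selects, which it deselects, and which entries are malformed, so the file can be reviewed before the wrapper package is built. The function name `audit_choices` and the sample data are constructed for illustration.

```python
import plistlib

REQUIRED = ("attributeSetting", "choiceAttribute", "choiceIdentifier")

# Constructed sample; the third entry deliberately lacks choiceAttribute.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict>
    <key>attributeSetting</key><integer>1</integer>
    <key>choiceAttribute</key><string>selected</string>
    <key>choiceIdentifier</key><string>choice_vpn</string>
  </dict>
  <dict>
    <key>attributeSetting</key><integer>0</integer>
    <key>choiceAttribute</key><string>selected</string>
    <key>choiceIdentifier</key><string>choice_websecurity</string>
  </dict>
  <dict>
    <key>attributeSetting</key><integer>1</integer>
    <key>choiceIdentifier</key><string>choice_dart</string>
  </dict>
</array>
</plist>"""


def audit_choices(data: bytes):
    """Return (selected, deselected, problems) for a choice-changes plist."""
    try:
        root = plistlib.loads(data)
    except Exception as exc:  # not parseable as a property list at all
        return [], [], [f"not a valid plist: {exc}"]
    if not isinstance(root, list):
        return [], [], ["top-level element must be <array>"]
    selected, deselected, problems = [], [], []
    for i, entry in enumerate(root):
        if not isinstance(entry, dict):
            problems.append(f"entry {i}: expected <dict>, got {type(entry).__name__}")
            continue
        missing = [k for k in REQUIRED if k not in entry]
        if missing:
            problems.append(f"entry {i}: missing {', '.join(missing)}")
            continue
        if entry["choiceAttribute"] == "selected":
            (selected if entry["attributeSetting"] else deselected).append(entry["choiceIdentifier"])
    return selected, deselected, problems
```

Read the real file with `open(path, "rb").read()` and compare the selected list against the modules you intend to ship.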
@winterboer It's an XML file you feed to the command line installer application to tell it what your choices are for what you are choosing to install. It's the XML equivalent of checking what you want to install in the GUI based install. You can learn more by looking at the man page for installer. But basically it's how you specify what's in this screenshot when you are doing an install from the command line.
@jhbush1973 I'm following your workflow and am having trouble with the XML file. Created one just like your example, and put it in the package. I've run xmllint in Terminal and it shows as a valid XML file, but when I run the command I get an error that says it can't find the XML file or it's malformed. Any ideas?
I know this thread is a bit old but I was able to successfully deploy the Cisco AnyConnect VPN module and the ISE Posture Module (the only two we use) separately by extracting them with Pacifist. Yes I have to upload two separate .pkg's to the JSS but the result was smooth and everything works great.
@boanes I package our profiles in a separate pkg that places them in either opt/cisco/anyconnect/profile or umbrella depending on what type of profile it is (this is manual just do both kinds in the same package). This profiles package is then part of the larger package that installs AC, Profiles, and some other bits all at once via individual packages.
I got now what you're saying about the various profiles...
Right now I'm not quite sure how to build part 1 to this package... I've followed your process that you've outlined back on 3/6/17 and I'm running into issues...
When I build the package then attempt to deploy it, it doesn't install anything... help?
Sorry for bumping an old thread, but I was hoping I could get some insight for an issue I've been seeing.
Using @asommerio's method, I pulled the VPN and Umbrella components from my pre-deploy DMG, but when I go to install them I get nothing but errors. Self Service reports an error upon install, and if I try to install them by hand, I'm getting this:
Is this related to some new Mojave security policy?
Am I missing the part where everyone has said where they're adding their VPN server address? Presumably we're all getting 4.8 ready for Catalina and the above workflows are great! I think we're up to 4 different ways to achieve the same result :D
I can't see anything obvious in /opt/cisco or ~/Library/Preferences/com.cisco. so I'm not sure where it contains the server address, or if we have to use AnyConnect Profile Editor to create it?
Edit: Just in case anyone else comes across this. In order to have your server address pre-fill into the GUI, you need to install the Profile Editor Tool onto your Windows computer, launch VPN Profile Editor, then choose Server List and edit the server address and FQDN. Export this .xml and copy it into the /Profiles/vpn/ folder that's contained within your AnyConnect_PreDeploy.dmg. Now when you run the installer it'll reference the /profiles folder and basically copy the .xml into /opt/cisco/anyconnect/profile/ post installation. When the end user launches AnyConnect for the first time, it'll have your server address pre-filled.