Cisco AnyConnect 4.4

KyleEricson
Valued Contributor

I have created a custom .pkg for Cisco AnyConnect. It seems that after install the service isn't running so you have to reboot for the vpn to work. Can I make this as a post install script with composer and what service would that be?


Hire me as an independent contractor.

blackholemac
Valued Contributor III

This package is an example of one where I would consider using the vendor-provided package as its scripts make changes to various things in the network stack.

If we want to customize, what I might do is create a "helper package" that is essentially a snapshot from the point of finishing the install of the vendor package to the point it is ready for the end user to login with. That way you can populate preference files and such. You could also consider installing with Cisco's AnyConnect profiles as well, but it may take some more advanced packaging. A snapshot is not a great choice here simply because AnyConnect does have an impact on network settings.

KyleEricson
Valued Contributor

The vendor told me to do this and they offer no other solution than what I have done. I just need the VPN service to start after the install.



jhbush
Valued Contributor II

This is currently what I'm using for AnyConnect.

#!/bin/sh
## postinstall

pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3

# Install the software, using the choice-changes XML to pick the modules.
# If the vendor installer fails, clean up and fail this wrapper too so the
# policy does not report success with nothing installed.
if ! installer -package "/private/tmp/AnyConnect/AnyConnect.pkg" -target / -applyChoiceChangesXML "/private/tmp/AnyConnect/choices.xml"; then
    /bin/rm -rf "/private/tmp/AnyConnect"
    exit 1      ## Failure
fi

# Hide the opt folder

chflags hidden /opt

# Remove the files from /private/tmp

/bin/rm -rf "/private/tmp/AnyConnect"

exit 0      ## Success
choices.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<!-- installer wants an array of dicts, not bare strings; attributeSetting 0 deselects the module -->
<array>
    <dict><key>choiceIdentifier</key><string>choice_fireamp</string><key>choiceAttribute</key><string>selected</string><key>attributeSetting</key><integer>0</integer></dict>
    <dict><key>choiceIdentifier</key><string>choice_websecurity</string><key>choiceAttribute</key><string>selected</string><key>attributeSetting</key><integer>0</integer></dict>
    <dict><key>choiceIdentifier</key><string>choice_posture</string><key>choiceAttribute</key><string>selected</string><key>attributeSetting</key><integer>0</integer></dict>
    <dict><key>choiceIdentifier</key><string>choice_nvm</string><key>choiceAttribute</key><string>selected</string><key>attributeSetting</key><integer>0</integer></dict>
    <dict><key>choiceIdentifier</key><string>choice_umbrella</string><key>choiceAttribute</key><string>selected</string><key>attributeSetting</key><integer>0</integer></dict>
</array>
</plist>

JustDeWon
Contributor III

Why not just have it to require a reboot after install in the policy?

chriscollins
Valued Contributor

We deploy this similarly to @jhbush1973. Use the vendor package and use the choice changes xml functionality of the command line installer command to choose the components you want to install and let the vendor package do its thing. No restarts or anything else like that required.

al_platt
Contributor II

I extract the bit I need from the AnyConnect pkg with Pacifist and then deploy with an xml for the connection setting.

iJake
Valued Contributor

I would highly recommend you use our package as opposed to building your own but it can be modified and this is what I do. I'd be happy to help you @kericson with getting this working as you need it. Feel free to send me an email: jadavids AT cisco.com

blackholemac
Valued Contributor III

I think @iJake 's post coming from a Cisco employee is probably the gold standard saying that it is not a good idea to repackage this. I only go to a repackage personally if no other technique gets the software the way I want it on a system and that is very rare. I would be interested to see @iJake 's response to the original poster if he is offering custom help. I don't have to deploy AnyConnect too often, but having a bona fide recipe to get it deployed from a Mac guy at the vendor itself is the best that can be sought.

iJake
Valued Contributor

Sorry it took a while for the reply but wanted to make sure the process worked for @kericson. Below is the process we use to package AnyConnect with only certain modules.

External Requirements:
Packages (http://s.sudre.free.fr/Software/Packages/about.html)
XML Editor (such as TextWrangler, BBEdit)

Overview:
Create Choice Change XML (See end of post)
Create Pre and Post flight scripts (See end of post)
Create wrapper package to install vendor AnyConnect.pkg with Choice Change XML

Create Choice Change XML:
Like the attached plist, you create an xml file saved as whatever name you like but ensuring it is in the proper plist format. I’ve already created it this time with the modules you want enabled.

Create Pre and Post Scripts:
I’ve attached examples of these scripts. You’ll see where to use them below.
The preflight closes AnyConnect if it is already installed and running.
The postflight installs the vendor package with the choices XML file so you only install what you want.

Create Wrapper package:
Create folder for AnyConnect Packages project. Here is how I structure my folders:

Open the Packages app to create a new Raw package and name it anything you like:

Choose an identifier (ours is com.cisco.x.x because we are Cisco. I would use something unique to you) and supply a version number for your package. I make the version number match the version of AnyConnect:

There is no payload to specify so you can skip this screen.

On the Scripts tab add your Pre and Post scripts and add the Choices xml and vendor package as addition resources:
(The file can be named whatever you would like. This was an example for @kericson )

Save the project and then choose to build it. You should now have a package, though unsigned, that will install only the modules you want. If you need to install profiles or other files you can create further packages or simply add to the payload. Packages can apply a cert to your package if you have one or you can sign it after you build it.

Choice XML Example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_vpn</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_websecurity</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_fireamp</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_dart</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_posture</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_iseposture</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_nvm</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_umbrella</string>
    </dict>
</array>
</plist>

To see what these options are in the future when more modules might be added:

installer -showChoiceChangesXML -pkg AnyConnect.pkg

Preflight Script (just closes AC if already open):

#!/bin/bash

## BODY
# Quit AnyConnect only if it is actually running. A bare "tell ... to quit"
# launches the app first just to deliver the event, which is not wanted here.
osascript -e 'tell application "Cisco AnyConnect Secure Mobility Client"' \
          -e 'if it is running then quit' \
          -e 'end tell'

## FOOTER
exit 0

Postflight Script Example:

#!/bin/bash

ResourceLocation=$(dirname "$0")
PackageName="AnyConnect.pkg"
ChoicesXML="acChoices_TrueMFG.plist"

## BODY
if [[ -e "$ResourceLocation/$PackageName" ]]; then
    echo "Executing installer package"
    # -allowUntrusted skips the certificate check on the vendor pkg; remove it
    # if you want the install to fail on an unsigned or tampered package.
    # A failed vendor install must fail the wrapper, or the policy reports
    # success with nothing installed.
    installer -dumplog -verbose -pkg "$ResourceLocation/$PackageName" -target / -allowUntrusted -applyChoiceChangesXML "$ResourceLocation/$ChoicesXML" || exit 1
else
    echo "Unable to locate installer package"
    ls "$ResourceLocation"
    exit 1
fi

## FOOTER
exit 0
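A small builder and checker for the choice-changes format that jhbush's and iJake's scripts above feed to `installer -applyChoiceChangesXML`, added here as an example; it is not Cisco's code or any poster's. It uses Python's plistlib. The choice identifiers are the ones listed in the thread; SAMPLE_SHOW_OUTPUT is a constructed stand-in for `installer -showChoiceChangesXML -pkg AnyConnect.pkg` output, written in the same array-of-dicts shape that command prints. The block builds a choices file from a module map, rejects the bare array-of-strings variant that `installer` will not accept, and diffs the identifiers in your file against the ones the vendor package actually exposes, which is the check worth running before moving to a new AnyConnect version.

```python
"""Build and check an `installer -applyChoiceChangesXML` file.

Added example for this thread, not Cisco's code or any poster's. The choice
identifiers are those listed in the posts above; SAMPLE_SHOW_OUTPUT is a
constructed stand-in for `installer -showChoiceChangesXML -pkg AnyConnect.pkg`
output, in the same array-of-dicts format.
"""
import plistlib

# Module selection for this deployment: True = install, False = skip.
WANTED = {
    "choice_vpn": True,
    "choice_dart": True,
    "choice_posture": True,
    "choice_websecurity": False,
    "choice_fireamp": False,
    "choice_iseposture": False,
    "choice_nvm": False,
    "choice_umbrella": False,
}

REQUIRED_KEYS = ("choiceIdentifier", "choiceAttribute", "attributeSetting")

# A bare array of strings is a plausible-looking but invalid choices file.
BAD_STRING_ARRAY = plistlib.dumps(["choice_fireamp", "choice_nvm"])

# Constructed: two choices, three attributes each, as -showChoiceChangesXML lists them.
SAMPLE_SHOW_OUTPUT = plistlib.dumps([
    {"attributeSetting": 1, "choiceAttribute": "selected", "choiceIdentifier": "choice_vpn"},
    {"attributeSetting": 1, "choiceAttribute": "enabled", "choiceIdentifier": "choice_vpn"},
    {"attributeSetting": 1, "choiceAttribute": "visible", "choiceIdentifier": "choice_vpn"},
    {"attributeSetting": 1, "choiceAttribute": "selected", "choiceIdentifier": "choice_nvm"},
    {"attributeSetting": 1, "choiceAttribute": "enabled", "choiceIdentifier": "choice_nvm"},
    {"attributeSetting": 1, "choiceAttribute": "visible", "choiceIdentifier": "choice_nvm"},
])


def build_choice_changes(wanted):
    """Return plist bytes: one dict per choice, selecting or deselecting it."""
    entries = [
        {"choiceIdentifier": ident,
         "choiceAttribute": "selected",
         "attributeSetting": 1 if selected else 0}
        for ident, selected in wanted.items()
    ]
    return plistlib.dumps(entries)


def parse_choice_changes(plist_bytes):
    """Parse a choices file or -showChoiceChangesXML output into a list of
    entries, rejecting anything installer would not accept."""
    data = plistlib.loads(plist_bytes)
    if not isinstance(data, list):
        raise ValueError("top level must be an array")
    for entry in data:
        if not isinstance(entry, dict):
            raise ValueError("each element must be a dict, got %r" % (entry,))
        missing = [k for k in REQUIRED_KEYS if k not in entry]
        if missing:
            raise ValueError("entry %r lacks %s" % (entry, ", ".join(missing)))
    return data


def is_valid_choice_changes(plist_bytes):
    """True if installer's parser would accept the file's structure."""
    try:
        parse_choice_changes(plist_bytes)
        return True
    except ValueError:
        return False


def selected_choices(plist_bytes):
    """Identifiers whose 'selected' attribute is 1 (other attributes ignored)."""
    return {e["choiceIdentifier"] for e in parse_choice_changes(plist_bytes)
            if e["choiceAttribute"] == "selected" and e["attributeSetting"] == 1}


def available_choices(show_output_bytes):
    """Every identifier the vendor package exposes, from -showChoiceChangesXML."""
    return {e["choiceIdentifier"] for e in parse_choice_changes(show_output_bytes)}


def unknown_choices(wanted, show_output_bytes):
    """Identifiers in our file that the package does not offer. Run this
    against a new AnyConnect version: a renamed module gets whatever the
    package's own default is, since nothing in your file names it."""
    return set(wanted) - available_choices(show_output_bytes)


if __name__ == "__main__":
    xml = build_choice_changes(WANTED)
    with open("acChoices.plist", "wb") as fh:      # feed this to -applyChoiceChangesXML
        fh.write(xml)
    print("selected:", sorted(selected_choices(xml)))
    print("valid:", is_valid_choice_changes(xml), is_valid_choice_changes(BAD_STRING_ARRAY))
    print("unknown:", sorted(unknown_choices(WANTED, SAMPLE_SHOW_OUTPUT)))
```

To use it for real, replace SAMPLE_SHOW_OUTPUT with the bytes of `installer -showChoiceChangesXML -pkg AnyConnect.pkg` and point the postflight's ChoicesXML at the file it writes.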

CasperSally
Valued Contributor II

I did pretty much exactly what @iJake did above. Actually, on my list of things to do was to document it. Thanks to him for saving me the trouble :)

winterboer
New Contributor III

@iJake What is the acChoices_TrueMFG.plist? Is it the XML file to create connection profiles?

iJake
Valued Contributor

@winterboer No, it is the file that controls what packages Installer installs. Specifically that name in the documentation above is just an example name.

chriscollins
Valued Contributor

@winterboer It's an XML file you feed to the command line installer application to tell it what your choices are for what you are choosing to install. It's the XML equivalent of checking what you want to install in the GUI based install. You can learn more by looking at the man page for installer. But basically it's how you specify what's in this screenshot when you are doing an install from the command line.


winterboer
New Contributor III

@chriscollins I built a custom installer using the directions above and I ended up with everything installed, I just want the VPN client. When I ran the GUI based installer it only offers VPN, everything else is greyed out.

buckychappell
New Contributor II

We're testing for an upgrade to version 4.5 of AnyConnect; is there a place in this recipe where we can prevent the app from becoming a user login item?

Eric 'Bucky' Chappell

chriscollins
Valued Contributor

@buckychappell I don't believe so but you can easily add as part of your post install script a step that just deletes or unloads the LaunchAgent plist file in "/Library/LaunchAgents/com.cisco.anyconnect.gui.plist"

Kyuubi
Contributor

@iJake Quick question: what is the best way to install profiles for the various modules with your workflow? I'd like to just add it to the package that has the vendor installer and Choices Plist.

Kyuubi
Contributor

@iJake Never mind, i see the answer above.

Kyuubi
Contributor

@jhbush1973 I'm following your workflow and am having trouble with the XML file. Created one just like your example, and put it in the package. I've run xmllint in Terminal and it shows as a valid xml file but when I run the command I get an error that says it can't find the xml file or it's malformed. Any ideas?

mhinsz
New Contributor III

@chriscollins @buckychappell - I'm having the same auto login issue, but mine only seems to occur when the Cisco ISE Posturing package is deployed. I can manually kill it, but it returns after a computer restart. Did you have success?

Kyuubi
Contributor

Same here @mhinsz . Auto login is a pain.

asommerio
New Contributor

I know this thread is a bit old but I was able to successfully deploy the Cisco AnyConnect VPN module and the ISE Posture Module (the only two we use) separately by extracting them with Pacifist. Yes I have to upload two separate .pkg's to the JSS but the result was smooth and everything works great.

  1. Open .DMG with Pacifist and navigate to the AnyConnect.pkg
  2. The dropdown will show you the packages for all of the modules within the main AnyConnect.pkg
  3. Choose the ones you want to deploy later and use the "Extract Subpackages" option.
  4. Upload to the JSS and create your policy for deployment. That's it. Hope this helps anyone not keen on editing XML and plist files.

itupshot
Contributor II

I have a question: which of the two v.4.5.x packages from Cisco is the one we need to download, the "pre-deploy," or "web-deploy?"

What's the difference?

asommerio
New Contributor

The packages I extracted were from the "pre-deploy" and they work fine.

ostrowsp
Contributor

With this installer it does not show how you are supposed to add your own VPN Profiles. Also how are people dealing with the KEXT issue with 10.13 and the new version of anyconnect?

iJake
Valued Contributor

@ostrowsp I'd suggest signing up for the jamf 10.3 beta where you can create and test Approved Kernel Extensions Configuration Profiles. The Team ID for Cisco AnyConnect is DE8Y96K9QP
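As an added example of what the Approved Kernel Extensions profile mentioned above carries (this is not Cisco's or Jamf's code), a Python generator for Apple's Kernel Extension Policy payload using plistlib. The payload type com.apple.syspolicy.kernel-extension-policy and the AllowUserOverrides / AllowedTeamIdentifiers keys are Apple's; the Team ID is the one given in this post; "com.example" and the display names are placeholders. The reader function checks the two things worth confirming before pushing such a profile: that it is system-scoped and that it does not let users approve further kexts themselves.

```python
"""Build a Kernel Extension Policy configuration profile (.mobileconfig).

Added example for this thread, not Cisco's or Jamf's code. Uses Apple's
com.apple.syspolicy.kernel-extension-policy payload; the Team ID comes from
the post above, "com.example" and the display names are placeholders.
"""
import plistlib
import re
import uuid

KEXT_POLICY_TYPE = "com.apple.syspolicy.kernel-extension-policy"
CISCO_TEAM_ID = "DE8Y96K9QP"                 # from the post above
TEAM_ID_RE = re.compile(r"^[A-Z0-9]{10}$")   # Apple Team IDs are 10 characters


def build_kext_profile(team_ids, org="com.example", allow_user_overrides=False):
    """Return mobileconfig bytes approving kexts signed by `team_ids`."""
    for tid in team_ids:
        if not TEAM_ID_RE.match(tid):
            raise ValueError("not a Team ID: %r" % (tid,))
    payload = {
        "PayloadType": KEXT_POLICY_TYPE,
        "PayloadIdentifier": org + ".kext-policy.payload",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Approved Kernel Extensions",
        # False: users cannot approve additional kexts in Security & Privacy.
        "AllowUserOverrides": allow_user_overrides,
        "AllowedTeamIdentifiers": sorted(set(team_ids)),
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadScope": "System",            # kext policy is device-level only
        "PayloadIdentifier": org + ".kext-policy",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Approved Kernel Extensions",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def approved_team_ids(profile_bytes):
    """Return the Team IDs a profile approves; raise if it is not a
    system-scoped kext policy or if it lets users override the policy."""
    profile = plistlib.loads(profile_bytes)
    if profile.get("PayloadScope") != "System":
        raise ValueError("kext policy profile must have PayloadScope System")
    policies = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == KEXT_POLICY_TYPE]
    if not policies:
        raise ValueError("no kernel-extension-policy payload in profile")
    ids = set()
    for p in policies:
        if p.get("AllowUserOverrides", False):
            raise ValueError("profile allows user overrides")
        ids.update(p.get("AllowedTeamIdentifiers", []))
    return ids


if __name__ == "__main__":
    data = build_kext_profile([CISCO_TEAM_ID])
    with open("ApprovedKexts.mobileconfig", "wb") as fh:
        fh.write(data)
    print("approved:", sorted(approved_team_ids(data)))
```

The resulting file is unsigned; upload it to Jamf (or sign it) and scope it to the machines that get AnyConnect. The Team ID must be present on the Mac before the kext first loads, so deploy the profile ahead of the AnyConnect policy.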

rqomsiya
Contributor III

@ostrowsp : Take a look at this JN post

https://www.jamf.com/jamf-nation/discussions/26583/kextpocalyse-2-the-remediation-blog-post-by-our-own-franton

boanes
New Contributor III

Hey @iJake, I'm trying to follow this process and one additional thing that my admins want me to complete is to add some XML files that reference our 3 different VPN Servers...

How would I include this in the package?

iJake
Valued Contributor

@boanes I package our profiles in a separate pkg that places them in either opt/cisco/anyconnect/profile or umbrella depending on what type of profile it is (this is manual just do both kinds in the same package). This profiles package is then part of the larger package that installs AC, Profiles, and some other bits all at once via individual packages.

boanes
New Contributor III

Sorry @iJake, I don't quite follow... Can you elaborate a bit more?

boanes
New Contributor III

Hey @iJake,
I got now what you're saying about the various profiles...

Right now I'm not quite sure how to build part 1 to this package... I've followed your process that you've outlined back on 3/6/17 and I'm running into issues...

When I build the package then attempt to deploy it, it doesn't install anything... help?

saikitjk
New Contributor

@boanes

I am having the same issue as well.
Followed the instructions above and the pkg file does not install on the machine.
Changed the post script to set directory for the pkg file and still no luck.

@iJake, any help would be awesome!

boanes
New Contributor III

@saikitjk What's your email address, I've written down some instructions that I'd like you to go over and verify that they're clear...

landon_Starr
Contributor

Hi all,

Sorry for bumping an old thread, but I was hoping I could get some insight for an issue I've been seeing.

Using @asommerio method, I pulled the VPN and Umbrella components from my pre-deploy DMG, but when I go to install them I get nothing but errors. Self Service reports an error upon install, and if I try to install them by hand, I'm getting this:


Is this related to some new Mojave security policy?

kcadm
New Contributor II

@landon_Starr i am getting the same error on Mojave 10.14.2

CasperSally
Valued Contributor II

@kcadm @landon_Starr how did you work around this error? I'm seeing it on 10.14 and 10.13 so I don't think it's a Mojave issue. I'm trying to extract pkgs from v4.7 dmg.

Edit: choices.xml install (mostly following iJake's instructions above) worked fine.

cbruce
New Contributor III

@boanes I am running into the same thing. I build it and it looks great and run it and there is nothing installed.
@iJake, any help would be great !

stevewood
Honored Contributor II

@cbruce

Check out this post from this morning. I provide a little detail around how I do this using pkgbuild from the Terminal instead of Packages or Composer.

GregE
Contributor

Am I missing the part where everyone has said where they're adding their VPN server address? Presumably we're all getting 4.8 ready for Catalina and the above workflows are great! I think we're up to 4 different ways to achieve the same result :D

I can't see anything obvious in /opt/cisco or ~/Library/Preferences/com.cisco. so I'm not sure where it contains the server address, or if we have to use AnyConnect Profile Editor to create it?

Edit: Just in case anyone else comes across this. In order to have your server address pre-fill in to the GUI, you need to install the Profile Editor Tool on to your Windows computer, launch VPN Profile Editor then choose Server List and edit the server address and FQDN. Export this .xml and copy it in to the /Profiles/vpn/ folder that's contained within your AnyConnect_PreDeploy.dmg. Now when you run the installer it'll reference the /profiles folder and basically copy the .xml in to /opt/cisco/anyconnect/profile/ post installation. When the end user launches AnyConnect for the first time, it'll have your server address pre-filled.