Cisco AnyConnect 4.8 deployment

Tomik_UNO
New Contributor II

Hello

Does anyone had any issue with Cisco AnyConnect 4.8 deployment on Catalina?
So far I had no problem deploying this policy or previous versions on Mojave and below.

90b687bcc6a54419a4779208bd966e45

Manual installation works well.
I collected log files from installation process.
Appreciate any suggestion.

1 ACCEPTED SOLUTION

hdsreid
Contributor III

how are you installing it?

i add relevant profiles and the choices xml onto the dmg given from the ASA. i upload this dmg, and cache it to my machines, then run a script in the policy
this script removes all umbrella roaming agent components and anyconnect modules from the machine and then installs the anyconnect 4.8 package with my defined profiles from the ASA

#!/bin/bash
#AnyConnect MFA Prep
#Remove old configuration data and binaries
#from Umbrella client and existing VPN agent
#installations


##UPDATE dmgName FOR NEW VERSIONS OF ANYCONNECT##
ciscoDir="/opt/cisco"
dmgName="Anyconnect - 4.8.dmg"
waitRoom="/Library/Application Support/JAMF/Waiting Room"
#remove anyconnect and all of its components first#
#checking for anyconnect install#
echo "


"
echo "###########################"
if [[ -d $ciscoDir/anyconnect/bin ]]; 
then
    echo "Anyconnect Directory found"
    echo "Calling uninstall script"
    sudo "$ciscoDir/anyconnect/bin/anyconnect_uninstall.sh"
    echo "completed anydirect removal"
else
    echo "No $ciscoDir/anyconnect directory found"
fi
echo "
"
echo "##########################"
echo "


"
echo "##########################"
if [[ -d "/Applications/OpenDNS Roaming Client/" ]]; then
    echo "Found Umbrella client, calling uninstaller"
    sudo "/Applications/OpenDNS Roaming Client/rcuninstall"
else
    echo "Roaming Client Not Found"
fi
echo "##########################
"


echo "


"
echo "##########################
"
if [[ -d "$ciscoDir/anyconnect/bin/umbrella_uninstall.sh" ]]; then
    echo "Found umbrella plugin remnants...calling uninstall script"
    sudo "$ciscoDir/anyconnect/bin/umbrella_uninstall.sh"
    echo "Script complete
"
else
    echo "Nothing found for Umbrella plugin
"
fi
echo "##########################"

#check for remnants of anyconnect directory"

if [[ -d "$ciscoDir/anyconnect" ]]; then
    rm -rf "$ciscoDir/anyconnect/"
else
    echo "no remnants of the anyconnect directory found
"

fi
echo "#############################"
echo "Status check: Prep Complete
"
echo "#############################"

echo "
"
echo "#######################################
"
echo "Beginning the installation
 "
echo "attempting to mount dmg"
/usr/bin/hdiutil attach "$waitRoom"/"$dmgName"
echo "DMG mounted. About to call installer..."
installer -pkg "/Volumes/Anyconnect - 4.8/AnyConnect.pkg" -applyChoiceChangesXML "/Volumes/Anyconnect - 4.8/choicesForAnyConnect.xml" -target /
echo "Package installed, ejecting DMG"
/usr/bin/hdiutil detach "/Volumes/Anyconnect - 4.8"
echo "
"
echo "#######################################
"
echo "AnyConnect 4.8 installation is complete"
echo "########################################"
exit 0

View solution in original post

13 REPLIES 13

hdsreid
Contributor III

how are you installing it?

i add relevant profiles and the choices xml onto the dmg given from the ASA. i upload this dmg, and cache it to my machines, then run a script in the policy
this script removes all umbrella roaming agent components and anyconnect modules from the machine and then installs the anyconnect 4.8 package with my defined profiles from the ASA

#!/bin/bash
#AnyConnect MFA Prep
#Remove old configuration data and binaries
#from Umbrella client and existing VPN agent
#installations


##UPDATE dmgName FOR NEW VERSIONS OF ANYCONNECT##
ciscoDir="/opt/cisco"
dmgName="Anyconnect - 4.8.dmg"
waitRoom="/Library/Application Support/JAMF/Waiting Room"
#remove anyconnect and all of its components first#
#checking for anyconnect install#
echo "


"
echo "###########################"
if [[ -d $ciscoDir/anyconnect/bin ]]; 
then
    echo "Anyconnect Directory found"
    echo "Calling uninstall script"
    sudo "$ciscoDir/anyconnect/bin/anyconnect_uninstall.sh"
    echo "completed anydirect removal"
else
    echo "No $ciscoDir/anyconnect directory found"
fi
echo "
"
echo "##########################"
echo "


"
echo "##########################"
if [[ -d "/Applications/OpenDNS Roaming Client/" ]]; then
    echo "Found Umbrella client, calling uninstaller"
    sudo "/Applications/OpenDNS Roaming Client/rcuninstall"
else
    echo "Roaming Client Not Found"
fi
echo "##########################
"


echo "


"
echo "##########################
"
if [[ -d "$ciscoDir/anyconnect/bin/umbrella_uninstall.sh" ]]; then
    echo "Found umbrella plugin remnants...calling uninstall script"
    sudo "$ciscoDir/anyconnect/bin/umbrella_uninstall.sh"
    echo "Script complete
"
else
    echo "Nothing found for Umbrella plugin
"
fi
echo "##########################"

#check for remnants of anyconnect directory"

if [[ -d "$ciscoDir/anyconnect" ]]; then
    rm -rf "$ciscoDir/anyconnect/"
else
    echo "no remnants of the anyconnect directory found
"

fi
echo "#############################"
echo "Status check: Prep Complete
"
echo "#############################"

echo "
"
echo "#######################################
"
echo "Beginning the installation
 "
echo "attempting to mount dmg"
/usr/bin/hdiutil attach "$waitRoom"/"$dmgName"
echo "DMG mounted. About to call installer..."
installer -pkg "/Volumes/Anyconnect - 4.8/AnyConnect.pkg" -applyChoiceChangesXML "/Volumes/Anyconnect - 4.8/choicesForAnyConnect.xml" -target /
echo "Package installed, ejecting DMG"
/usr/bin/hdiutil detach "/Volumes/Anyconnect - 4.8"
echo "
"
echo "#######################################
"
echo "AnyConnect 4.8 installation is complete"
echo "########################################"
exit 0

Tomik_UNO
New Contributor II

Hello @hdsreid

I used to follow the @MikeF solution from this thread:
link text
Just to modify the modules in Distribution file, re-pack and deploy pkg as it is.
I will test your script right away. Thanks!

Tomik_UNO
New Contributor II

Thanks @hdsreid

Script works well.

SGN
New Contributor III

@hdsreid : Thanks for the script, Just like to know below,
1. If i run this script, does existing Cisco xml will remove as all the settings will be there in the xml. /opt/cisco/profiles

  1. What will be the impact if the user is already connected to the CISCO VPN ? while pushing the package along with the settings. Can we have any trigger message saying that user vpn will be upgrade etc.

Professional
New Contributor II

Does it work on Big sur too? because I couldn't deploy it on Big sur.

AJPinto
Honored Contributor II

@Professional most of the stuff between AnyConnect 4.8 and 4.9 should be the same, but keep in mind that 4.8 is for Catalina and 4.9 is for Big Sur.

We are running the AnyConnect package with the choices xml below. Just shove the pkg you get from the ASA and the choices.xml (must be named that for anyconnect to pick it up) in the same directory and repackage them with the post install script below. Cisco could make this much less convoluted and document it better, but then would it really be cisco?

#!/bin/sh
## postinstall

pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3


sudo installer -pkg /Library/{folder name}/tmp/Cisco_AnyConnect_4.9.04053/Cisco_AnyConnect_4.9.04053.pkg -target / -applyChoiceChangesXML /Library/{folder name}/tmp/Cisco_AnyConnect_4.9.04053/choice.xml




exit 0      ## Success
exit 1      ## Failure

Choices.xml. Flip 1's and 0's based on what you need disabled and enabled. As Cisco adds more keys they would have to be added to this XML to be told to install or not.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_vpn</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_websecurity</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_fireamp</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_dart</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_posture</string>
    </dict>
        <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_iseposture</string>
    </dict>
        <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_nvm</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_umbrella</string>
    </dict>
</array>
</plist>

4e359a11d3514a00934dcd6b926f139e

TomDay
Release Candidate Programs Tester

Script works great thx for sharing. As I build this deployment further there are a few other things to address, can you advise?

1. After installation, there is an immediate alert that the "AnyConnect System Extension is blocked", do you have this built into your deployment?

 

2. Message appears, "Cisco AnyConnect Socket Filter would like to filter network content", there are "Allow" and "Don't Allow" buttons. Can these preferences be set so this box doesn't appear?

 

3. Do you deploy the cert, if so, how?

 

4. Do you deploy the .json file to /opt/cisco/anyconnect/Umbrella/? If so, how?

AJPinto
Honored Contributor II

Sounds like you are missing the configuration side of things. AnyConnect needs several configuration profiles to install silently. The link below should cover most of what you need to get AnyConnect working. Take it with a grain of salt as with most Cisco documentation, it is horribly outdated and they never look at it.

AnyConnect macOS 11 Big Sur Advisory - Cisco

  1. You need a configuration profile to approve the system extension.
  2. You need a configuration profile to approve the socket filter. Be aware the configuration profile must be installed BEFORE the socket filter or it will need user approval.
  3. You will need a configuration profile to deploy a qualifying certificate. Consult with your security teams on the requirements. JAMF can deploy AD, AD CS, SCEP, and custom uploaded certificates among others. Its all down to what you need.
  4. We do not use umbrella so I cannot speak from experience on that. 

 

AJPinto_0-1657823563046.png

 

TomDay
Release Candidate Programs Tester

Wow all very helpful, thanks. Can you share a screenshot of the socket filter settings you have? Like you said their documentation is less than optimal, so I am am having some trouble translating their language in the article to the Jamf config profile.

AJPinto
Honored Contributor II

Oh, its beyond that. The "code" as Cisco calls it is bad, they need to rewrite it. I was in a pretty lengthy TAC with them over it. After 3 months of them trying to find someone who knows the "code" I finally gave up and rewrote the JSON. Cisco tried to get me to give them the mobileconfig I wrote and I said no, maybe if they did not lead me on for 3 months but I was pretty salty.


AJPinto_0-1657893968904.png

 

because no body likes typing from a screenshot

 

Socket Filter Designated RequirementDesignated requirement of the socket filter provider system extension
anchor apple generic and identifier "com.cisco.anyconnect.macos.acsockext" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP)

 

TomDay
Release Candidate Programs Tester

A lot to unpack here for me, will check out over the weekend thanks. Crazy you had to rewrite their code. I assume you just pushed the json along with your policy for the pkg?

rluna
New Contributor II

Hi. I followed the Method #1 on this URL for Cisco Anyconnect 4.10. That method doesn't require any the vendor's original package manipulation, it allows you to customize the DMG with profiles for each product and XML for module selection. Cache the modified DMG (read only) in a policy then execute the following modified script AFTER (see above post from @hdsreid for other script details).

#!/bin/bash
##UPDATE dmgName FOR NEW VERSIONS OF ANYCONNECT##
ciscoDir="/opt/cisco"
## DMG Image name provided in script parameter 4
## Installer Volume name in parameter 5
## XML File name in parameter 6
dmgName=$4 
waitRoom="/Library/Application Support/JAMF/Waiting Room"

echo "Beginning the installation"
echo "attempting to mount dmg"
/usr/bin/hdiutil attach "$waitRoom"/"$dmgName" -nobrowse
echo "DMG mounted. About to call installer..."
installer -pkg "/Volumes/$5/AnyConnect.pkg" -applyChoiceChangesXML "/Volumes/$5/$6" -target /
echo "Package installed, ejecting DMG"
/usr/bin/hdiutil detach "$waitRoom"/"$dmgName"

echo "########################################"
echo "AnyConnect 4.10 installation is complete"
echo "########################################"
exit 0

SGN
New Contributor III
## DMG Image name provided in script parameter 4
## Installer Volume name in parameter 5
## XML File name in parameter 6

 This should be the exact name for the dmg file ( source file ), what is Parameter 5 ? is its Macintosh HD or any other name can choose to run the script?