Posted on 05-06-2020 06:18 AM
Hello
Has anyone had any issue with Cisco AnyConnect 4.8 deployment on Catalina?
So far I have had no problem deploying this policy or previous versions on Mojave and below.
Manual installation works well.
I collected log files from installation process.
Appreciate any suggestion.
Posted on 05-06-2020 09:28 AM
How are you installing it?
I add the relevant profiles and the choices XML onto the DMG given from the ASA. I upload this DMG and cache it to my machines, then run a script in the policy.
This script removes all Umbrella roaming agent components and AnyConnect modules from the machine and then installs the AnyConnect 4.8 package with my defined profiles from the ASA.
#!/bin/bash
# AnyConnect MFA Prep
# Remove old configuration data and binaries
# from Umbrella client and existing VPN agent
# installations
## UPDATE dmgName AND volName FOR NEW VERSIONS OF ANYCONNECT ##
ciscoDir="/opt/cisco"
dmgName="Anyconnect - 4.8.dmg"
volName="Anyconnect - 4.8"
waitRoom="/Library/Application Support/JAMF/Waiting Room"

# remove anyconnect and all of its components first
# checking for anyconnect install
echo ""
echo "###########################"
if [[ -d "$ciscoDir/anyconnect/bin" ]]; then
    echo "Anyconnect Directory found"
    echo "Calling uninstall script"
    # Jamf policy scripts already run as root, so sudo is redundant but harmless here
    sudo "$ciscoDir/anyconnect/bin/anyconnect_uninstall.sh"
    echo "completed anyconnect removal"
else
    echo "No $ciscoDir/anyconnect directory found"
fi
echo ""
echo "##########################"
echo ""
echo "##########################"
if [[ -d "/Applications/OpenDNS Roaming Client/" ]]; then
    echo "Found Umbrella client, calling uninstaller"
    sudo "/Applications/OpenDNS Roaming Client/rcuninstall"
else
    echo "Roaming Client Not Found"
fi
echo "##########################"
echo ""
echo "##########################"
# umbrella_uninstall.sh is a file, so test it with -f (a -d test on a file never matches)
if [[ -f "$ciscoDir/anyconnect/bin/umbrella_uninstall.sh" ]]; then
    echo "Found umbrella plugin remnants...calling uninstall script"
    sudo "$ciscoDir/anyconnect/bin/umbrella_uninstall.sh"
    echo "Script complete"
else
    echo "Nothing found for Umbrella plugin"
fi
echo "##########################"
# check for remnants of anyconnect directory
if [[ -d "$ciscoDir/anyconnect" ]]; then
    rm -rf "$ciscoDir/anyconnect/"
else
    echo "no remnants of the anyconnect directory found"
fi
echo "#############################"
echo "Status check: Prep Complete"
echo "#############################"
echo ""
echo "#######################################"
echo "Beginning the installation"
echo "attempting to mount dmg"
if ! /usr/bin/hdiutil attach "$waitRoom/$dmgName"; then
    echo "Failed to mount $dmgName"
    exit 1
fi
echo "DMG mounted. About to call installer..."
# exit non-zero if the installer fails so the policy is reported as failed
if ! installer -pkg "/Volumes/$volName/AnyConnect.pkg" -applyChoiceChangesXML "/Volumes/$volName/choicesForAnyConnect.xml" -target /; then
    echo "Installer failed, ejecting DMG"
    /usr/bin/hdiutil detach "/Volumes/$volName"
    exit 1
fi
echo "Package installed, ejecting DMG"
/usr/bin/hdiutil detach "/Volumes/$volName"
echo ""
echo "#######################################"
echo "AnyConnect 4.8 installation is complete"
echo "########################################"
exit 0
Posted on 05-08-2020 01:21 AM
Thanks @hdsreid
Script works well.
Posted on 06-25-2020 12:31 AM
@hdsreid: Thanks for the script. I'd just like to know the following:
1. If I run this script, will the existing Cisco XML be removed, as all the settings are in the XML under /opt/cisco/profiles?
Posted on 02-06-2021 10:59 AM
Does it work on Big Sur too? Because I couldn't deploy it on Big Sur.
Posted on 02-10-2021 10:28 AM
@Professional, most of the stuff between AnyConnect 4.8 and 4.9 should be the same, but keep in mind that 4.8 is for Catalina and 4.9 is for Big Sur.
We are running the AnyConnect package with the choices XML below. Just shove the pkg you get from the ASA and the choices.xml (it must be named that for AnyConnect to pick it up) into the same directory and repackage them with the postinstall script below. Cisco could make this much less convoluted and document it better, but then would it really be Cisco?
#!/bin/sh
## postinstall
pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3
## {folder name} is whatever staging directory the repackaged payload is dropped into
stageDir="/Library/{folder name}/tmp/Cisco_AnyConnect_4.9.04053"
## postinstall scripts already run as root (sudo is redundant); exit with the
## installer's own result so a failed module install is reported as a failed package
if sudo installer -pkg "$stageDir/Cisco_AnyConnect_4.9.04053.pkg" -target / -applyChoiceChangesXML "$stageDir/choice.xml"; then
    exit 0 ## Success
else
    exit 1 ## Failure
fi
Choices.xml: flip the 1s and 0s based on what you need enabled and disabled. As Cisco adds more keys, they would have to be added to this XML to be told to install or not.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>attributeSetting</key>
<integer>1</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_vpn</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_websecurity</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_fireamp</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>1</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_dart</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>1</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_posture</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_iseposture</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>1</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_nvm</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_umbrella</string>
</dict>
</array>
</plist>
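The choices plist above is an array of "selected" toggles keyed by choice identifier, and the poster's caveat is that a module Cisco adds later is not covered until its identifier is added to the file. The following is an added example (Python with the standard-library plistlib; not code from the thread or from Cisco) that builds the same structure from a simple mapping, parses one back, and audits a selection against the list of choice identifiers a package actually exposes. On macOS that list comes from `installer -pkg <pkg> -showChoicesXML -target /`; here it is a constructed sample, and `choice_secure_firewall_posture` is a made-up identifier standing in for a newly added module.

```python
"""Build and audit an installer choice-changes plist for a multi-module package.

Added example, not code from the thread. The identifiers in THREAD_CHOICES are
the ones in the choices.xml posted above; SAMPLE_PACKAGE_CHOICES is constructed.
"""
import plistlib

# Choice identifiers and settings exactly as they appear in the posted choices.xml.
THREAD_CHOICES = {
    "choice_vpn": True,
    "choice_websecurity": False,
    "choice_fireamp": False,
    "choice_dart": True,
    "choice_posture": True,
    "choice_iseposture": False,
    "choice_nvm": True,
    "choice_umbrella": False,
}


def build_choice_changes(selection):
    """Return XML plist bytes suitable for `installer -applyChoiceChangesXML`.

    `selection` maps choiceIdentifier -> bool (True = install the module).
    """
    entries = [
        {
            "attributeSetting": 1 if enabled else 0,
            "choiceAttribute": "selected",
            "choiceIdentifier": ident,
        }
        for ident, enabled in selection.items()
    ]
    return plistlib.dumps(entries, fmt=plistlib.FMT_XML, sort_keys=True)


def parse_choice_changes(xml_bytes):
    """Parse a choice-changes plist back into {choiceIdentifier: bool}.

    Raises ValueError on entries that are not well-formed `selected` toggles,
    because installer silently ignores malformed entries rather than failing.
    """
    entries = plistlib.loads(xml_bytes)
    if not isinstance(entries, list):
        raise ValueError("choice changes plist must be an array of dicts")
    result = {}
    for entry in entries:
        if (entry.get("choiceAttribute") != "selected"
                or entry.get("attributeSetting") not in (0, 1)
                or "choiceIdentifier" not in entry):
            raise ValueError(f"malformed choice entry: {entry!r}")
        result[entry["choiceIdentifier"]] = bool(entry["attributeSetting"])
    return result


def audit_choice_changes(selection, package_choices):
    """Compare a selection against the identifiers the package really offers.

    Returns (unknown, unspecified):
      unknown     - identifiers in the selection the package does not have
                    (installer ignores them, so a module you meant to disable
                    may still install, e.g. after a typo or a vendor rename);
      unspecified - package choices the selection says nothing about (they
                    take the package default, which for a newly added module
                    is usually "install").
    """
    package_choices = set(package_choices)
    unknown = sorted(set(selection) - package_choices)
    unspecified = sorted(package_choices - set(selection))
    return unknown, unspecified


# Constructed sample of what a newer package might report: the posted modules
# plus one extra ("choice_secure_firewall_posture" is a made-up identifier).
SAMPLE_PACKAGE_CHOICES = list(THREAD_CHOICES) + ["choice_secure_firewall_posture"]

if __name__ == "__main__":
    xml = build_choice_changes(THREAD_CHOICES)
    print(xml.decode())
    unknown, unspecified = audit_choice_changes(
        parse_choice_changes(xml), SAMPLE_PACKAGE_CHOICES)
    print("unknown identifiers:", unknown)
    print("package choices left at their default:", unspecified)
```

Run it against the real list from `-showChoicesXML` before each AnyConnect version bump: anything reported as "unspecified" is a module that will install at the vendor's default unless you add a toggle for it.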
Posted on 07-14-2022 10:56 AM
Script works great, thanks for sharing. As I build this deployment out further there are a few other things to address; can you advise?
1. After installation, there is an immediate alert that the "AnyConnect System Extension is blocked", do you have this built into your deployment?
2. Message appears, "Cisco AnyConnect Socket Filter would like to filter network content", there are "Allow" and "Don't Allow" buttons. Can these preferences be set so this box doesn't appear?
3. Do you deploy the cert, if so, how?
4. Do you deploy the .json file to /opt/cisco/anyconnect/Umbrella/? If so, how?
Posted on 07-14-2022 11:44 AM
Sounds like you are missing the configuration side of things. AnyConnect needs several configuration profiles to install silently. The link below should cover most of what you need to get AnyConnect working. Take it with a grain of salt; as with most Cisco documentation, it is horribly outdated and they never look at it.
AnyConnect macOS 11 Big Sur Advisory - Cisco
Posted on 07-15-2022 06:49 AM
Wow, all very helpful, thanks. Can you share a screenshot of the socket filter settings you have? Like you said, their documentation is less than optimal, so I am having some trouble translating their language in the article into the Jamf config profile.
07-15-2022 07:06 AM - edited 07-15-2022 07:07 AM
Oh, it's beyond that. The "code", as Cisco calls it, is bad; they need to rewrite it. I was in a pretty lengthy TAC case with them over it. After 3 months of them trying to find someone who knows the "code" I finally gave up and rewrote the JSON. Cisco tried to get me to give them the mobileconfig I wrote and I said no; maybe if they had not led me on for 3 months, but I was pretty salty.
Because nobody likes typing from a screenshot:
Socket Filter Designated Requirement (designated requirement of the socket filter provider system extension):
anchor apple generic and identifier "com.cisco.anyconnect.macos.acsockext" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP)
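The designated requirement above is what the content-filter profile hands to macOS so that it will pre-approve Cisco's socket filter extension without the "would like to filter network content" prompt; if the DR, the provider bundle identifier and the profile keys disagree with each other, the prompt stays and the filter is never activated. The following is an added example (Python, standard library only; not the poster's mobileconfig and not Cisco's code) that parses a `com.apple.webcontent-filter` payload out of an unsigned .mobileconfig and checks it for those inconsistencies. The DR string and the extension identifier `com.cisco.anyconnect.macos.acsockext` are taken from the post above; the `PluginBundleID` value in the constructed sample profile is a labelled placeholder (the real value comes from the vendor advisory linked earlier in the thread), and the payload identifiers and UUIDs are constructed.

```python
"""Sanity-check a content-filter configuration profile against the designated
requirement (DR) posted in the thread.

Added example, not code from the thread or from Cisco. Assumes an unsigned
.mobileconfig (XML plist) carrying a com.apple.webcontent-filter payload.
"""
import plistlib
import re

# Designated requirement exactly as posted above.
POSTED_DR = (
    'anchor apple generic and identifier "com.cisco.anyconnect.macos.acsockext" '
    'and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ '
    'or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ '
    'and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ '
    'and certificate leaf[subject.OU] = DE8Y96K9QP)'
)

_IDENT_RE = re.compile(r'\bidentifier\s+"([^"]+)"')
_OU_RE = re.compile(r'certificate leaf\[subject\.OU\]\s*=\s*"?([A-Z0-9]{10})"?')


def dr_identifier(dr):
    """Bundle identifier the DR binds, or None if it binds none."""
    match = _IDENT_RE.search(dr)
    return match.group(1) if match else None


def dr_team_id(dr):
    """Team ID (leaf subject.OU) the DR pins the signer to, or None."""
    match = _OU_RE.search(dr)
    return match.group(1) if match else None


def content_filter_payloads(profile_bytes):
    """Yield every com.apple.webcontent-filter payload in a .mobileconfig."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.webcontent-filter":
            yield payload


def check_filter_payload(payload, expected_dr=POSTED_DR):
    """Return a list of problems with a content-filter payload (empty = OK)."""
    problems = []
    dr = payload.get("FilterDataProviderDesignatedRequirement", "")
    # Compare whitespace-insensitively: copying from a web page often reflows the DR.
    if " ".join(dr.split()) != " ".join(expected_dr.split()):
        problems.append("FilterDataProviderDesignatedRequirement differs from the posted DR")
    ident = dr_identifier(dr)
    provider = payload.get("FilterDataProviderBundleIdentifier")
    if ident is None:
        problems.append("DR does not bind a bundle identifier")
    elif ident != provider:
        problems.append(f"FilterDataProviderBundleIdentifier {provider!r} "
                        f"does not match DR identifier {ident!r}")
    if dr_team_id(dr) is None:
        problems.append("DR does not pin the leaf certificate to a team ID")
    if payload.get("FilterType") != "Plugin":
        problems.append("FilterType must be 'Plugin' for a third-party filter")
    if not payload.get("FilterSockets", False):
        problems.append("FilterSockets is false, so the socket filter is not activated")
    return problems


def make_sample_profile(dr=POSTED_DR, provider_id="com.cisco.anyconnect.macos.acsockext"):
    """Constructed sample profile for the checks above (not a vendor-supplied file)."""
    payload = {
        "PayloadType": "com.apple.webcontent-filter",
        "PayloadIdentifier": "com.example.anyconnect.socketfilter",  # constructed
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",       # constructed
        "PayloadVersion": 1,
        "FilterType": "Plugin",
        "PluginBundleID": "PLUGIN_BUNDLE_ID_FROM_VENDOR_ADVISORY",   # placeholder, not from the page
        "FilterDataProviderBundleIdentifier": provider_id,
        "FilterDataProviderDesignatedRequirement": dr,
        "FilterSockets": True,
        "FilterPackets": False,
        "UserDefinedName": "AnyConnect Socket Filter",
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.anyconnect.filter.profile",  # constructed
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",         # constructed
        "PayloadVersion": 1,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    for payload in content_filter_payloads(make_sample_profile()):
        print(check_filter_payload(payload) or ["OK"])
```

The useful check is the identifier/DR cross-check: the DR pins both the bundle identifier and the signing team, so a profile whose `FilterDataProviderBundleIdentifier` names a different extension than the DR binds can never match the binary that actually loads, and the approval silently does not apply.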
Posted on 07-16-2022 10:38 AM
A lot to unpack here for me; I will check it out over the weekend, thanks. Crazy you had to rewrite their code. I assume you just pushed the JSON along with your policy for the pkg?
Posted on 06-23-2021 09:51 AM
Hi. I followed Method #1 on this URL for Cisco AnyConnect 4.10. That method doesn't require any manipulation of the vendor's original package; it allows you to customize the DMG with profiles for each product and an XML file for module selection. Cache the modified DMG (read only) in a policy, then execute the following modified script AFTER (see the above post from @hdsreid for other script details).
#!/bin/bash
## UPDATE dmgName FOR NEW VERSIONS OF ANYCONNECT ##
ciscoDir="/opt/cisco"
## DMG Image name provided in script parameter 4
## Installer Volume name in parameter 5
## XML File name in parameter 6
dmgName="$4"
volName="$5"
choicesXML="$6"
waitRoom="/Library/Application Support/JAMF/Waiting Room"
echo "Beginning the installation"
echo "attempting to mount dmg"
if ! /usr/bin/hdiutil attach "$waitRoom/$dmgName" -nobrowse; then
    echo "Failed to mount $dmgName"
    exit 1
fi
echo "DMG mounted. About to call installer..."
installer -pkg "/Volumes/$volName/AnyConnect.pkg" -applyChoiceChangesXML "/Volumes/$volName/$choicesXML" -target /
installStatus=$?
echo "Installer finished, ejecting DMG"
# hdiutil detach takes the mount point, not the path to the .dmg file
/usr/bin/hdiutil detach "/Volumes/$volName"
if [[ $installStatus -ne 0 ]]; then
    echo "AnyConnect 4.10 installation failed (installer exit $installStatus)"
    exit "$installStatus"
fi
echo "########################################"
echo "AnyConnect 4.10 installation is complete"
echo "########################################"
exit 0
Posted on 08-04-2021 06:48 AM
## DMG Image name provided in script parameter 4 ## Installer Volume name in parameter 5 ## XML File name in parameter 6
This should be the exact name of the dmg file (source file). What is parameter 5? Is it Macintosh HD, or can any other name be chosen to run the script?