Cisco AnyConnect VPN Client Upgrade

Santosh
New Contributor III

I was wondering how you guys upgrade the Cisco AnyConnect VPN client. As we are all working from home, we need to upgrade them remotely, and we need to upgrade when the user's VPN session is not active.

If you are aware of any process or any script, can you please let me know?

Thanks

santosh


steve_summers
Contributor III

We just had to do this in our org.  Luckily, I already had a script ready which:

  • Checked for an active VPN connection before proceeding
  • If the VPN connection was active, it quit and would show "Failed" in the Jamf policy
  • If it wasn't active, it called the uninstaller for all the pieces we had in place
  • Then it installed the VPN package I preconfigured before uploading into Jamf Admin

Here it is:

 

 

#!/bin/bash
# Written by Steve Summers
# ifconfig is searching for a connection to the VPN.  If a device
# is connected, the IP variable will contain the IP address.  If a device is not
# connected, it does not return anything.  

# You'll need to input the first 2 octets of your institution's IP range when a
# device is connected.

IP=$(ifconfig | grep -E '(ip\.range)' -A 3 -B 1)

# This is a simple test condition: -z is true when the IP variable is empty
# (zero length).
# If the customer is on the vpn, IP will not be empty and the script will end
# If the customer is NOT on the vpn, the condition is true, and the script runs
# the removal of the old and installs the new.

if [[ -z "$IP" ]]; then
    echo "VPN Not Connected, uninstalling old and installing new version..."

    # this calls the silent uninstaller.  we don't use the one in applications
    sudo /opt/cisco/anyconnect/bin/umbrella_uninstall.sh
    sleep 20
    sudo /opt/cisco/anyconnect/bin/anyconnect_uninstall.sh
    sleep 30
    # policy to install the new VPN (placeholder quoted so the shell does not
    # read < and > as redirections; replace it with your policy ID)
    sudo jamf policy -id "<your Policy ID here>"
    sleep 180
else
    echo "VPN Connected, exiting..."
    exit 1
fi

 

This could probably be improved and I take no offense to anyone who can make it better, but it worked for my purpose. All our clients were upgraded from 4.9 to 4.10.  
You'll have to ask a network person (unless you know) for the first two octets of your org's VPN range, then input them in place of the "ip\.range" on this line:

 

IP=$(ifconfig | grep -E '(ip\.range)' -A 3 -B 1)

 

So if it's 10.10.xxx.xxx if someone is on the VPN, enter "10\.10" on that line.  Then if the test condition IS zero (the -z) it knows there is no active VPN connection and it will begin removing the VPN pieces you enter after it.  If it's NOT zero, then it will exit the script.  
As always...test test test.  
Good luck.  Hope that helps you.  
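
A stricter form of the connection check in the script above, as an added example that is not part of the original post: an unanchored grep for "10\.10" also matches a home LAN address such as 192.168.10.10, so this version only reports the VPN as up when a tunnel interface holds an address that starts with the two octets. The 10.10 range, the sample ifconfig output and the assumption that the VPN address sits on a `utun` interface are illustrative.

```shell
#!/bin/bash
# Added example (not from the thread). Constructed ifconfig-style samples;
# the 10.10 range and the utun2 interface are made-up values.
SAMPLE_HOME_ONLY='en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.10.10 netmask 0xffffff00 broadcast 192.168.10.255'
SAMPLE_ON_VPN="$SAMPLE_HOME_ONLY
utun2: flags=80d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1390
    inet 10.10.4.27 --> 10.10.4.27 netmask 0xffffff00"

# Unanchored match on the two octets, the way a bare grep behaves.
# Reads ifconfig-style text on stdin; $1 is the prefix, e.g. "10.10".
loose_match() {
  grep -E -q "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# Print the VPN address and return 0 only if a utun interface holds an
# IPv4 address whose first two octets equal $1; return 1 otherwise.
vpn_address() {
  awk -v prefix="$1" '
    /^[a-zA-Z]/ { iface = $1; sub(/:$/, "", iface) }   # interface header line
    $1 == "inet" && iface ~ /^utun[0-9]+$/ && index($2, prefix ".") == 1 {
      print $2; found = 1; exit
    }
    END { exit (found ? 0 : 1) }
  '
}

# Demo on the constructed samples.
if printf '%s\n' "$SAMPLE_HOME_ONLY" | loose_match 10.10; then
  echo "loose match: home LAN address is mistaken for the VPN"
fi
printf '%s\n' "$SAMPLE_HOME_ONLY" | vpn_address 10.10 || echo "strict: not on VPN"
printf '%s\n' "$SAMPLE_ON_VPN" | vpn_address 10.10   # prints the tunnel address
```

On a managed Mac the input would come from `ifconfig | vpn_address "10.10"`, with the uninstall and install steps run only when it returns non-zero.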

ljcacioppo
Contributor III

I used app_quitter.py that goes based on if the bundle identifier for the app is open, and it worked well for me.

https://github.com/t-lark/Auto-Update/blob/master/app_quitter.py

Wow.  That's pretty nice.  Is it customizable with a company logo and stuff?  

Yes, it is! It is calling Jamf Helper, which is customizable. I just point it to a company logo that I drop locally on the machine 

Santosh
New Contributor III

That's awesome @ljcacioppo @stex. Thanks a lot for your help. I will test it in my lab first before moving it to production.

If I understand correctly, I have to deploy the app_quitter.py script and call the uninstall and install of the application with the same script.

 

I just ran the script via a Jamf policy. You can use parameters to specify which bundle ID, if you want it to force quit, the policy to the updated version it is calling for the install of, etc. Here's what the parameters looked like for me: [screenshot: Screen Shot 2021-08-18 at 12.30.08 PM.png]. Also, here's the wiki, which has some more explanation: https://github.com/t-lark/Auto-Update/wiki/Implementation
I just modified the verbiage in the script for what it was going to say to users in the prompt boxes.

And I didn't even uninstall the old version of AnyConnect. I deployed the new one right over the top.

IamGroot
New Contributor III

I just recently started using the new Title Editor to build my own Patch Management titles. I built one for AnyConnect and used that.

Maclife
New Contributor III

Can you maybe share that title or JSON file for Cisco AnyConnect, please?