Cisco AnyConnect VPN Start Before Login on

k84
New Contributor III

Has anyone had any success getting Cisco AnyConnect VPN to start before login, to allow us to deal with the scenario of needing to ship a Mac to a user who is working remotely and who has never logged into the laptop previously?


c_kay
New Contributor III

AnyConnect has a command line interface, so you could create a launch daemon that connects before login. You'll need to provide a username and password in your script to connect:

    # Non-interactive mode (-s) reads each prompt's answer from stdin, one per line:
    # username, password, then "y" to accept the login banner.
    /opt/cisco/anyconnect/bin/vpn -s connect [HOST_ADDRESS] <<"EOF"
    [VPN_USERNAME]
    [VPN_PASSWORD]
    y
    EOF

k84
New Contributor III

@c.kay Is there a way for the end user who has received the machine to just enter their own credentials, rather than a service/generic account and password?

bcbackes
Contributor

I'm interested in this as well. This functionality is available for the Windows based version, however, haven't seen this for our Mac environment at all. Maybe I'm missing something?

AdamCraig
Contributor III

Not familiar with Cisco AnyConnect, but we discussed something similar here:

https://www.jamf.com/jamf-nation/discussions/35375/vpn-before-login

c_kay
New Contributor III

I guess you could use something like DEPNotify and a script in an Enrollment Customization Configuration to prompt the user for their name and password, and then call the VPN binary with them to establish a VPN connection.
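The two suggestions above (a launch daemon that feeds the AnyConnect CLI stored credentials, and a DEPNotify/enrollment script that prompts the user instead) both come down to writing the same three answers to `vpn -s`'s stdin. The wrapper below is an added example for this thread, not c_kay's script or anything from Cisco: it takes credentials either from an osascript dialog (when there is a logged-in GUI session) or, for the no-GUI LaunchDaemon case, from a root-only file whose permissions it checks before reading, so a service password never has to live inside the script itself. The head-end name, the credentials file path and the exact text of `vpn state` output are assumptions; the CLI path is the one quoted in the thread.

```shell
#!/bin/sh
# Added example for this thread (not c_kay's script, not Cisco's code).
# Drives the AnyConnect non-interactive CLI without a hard-coded password.

VPN_BIN="${VPN_BIN:-/opt/cisco/anyconnect/bin/vpn}"   # path quoted in the thread
VPN_HOST="${VPN_HOST:-vpn.example.com}"              # placeholder head-end (assumption)
CRED_FILE="${CRED_FILE:-/var/root/.vpn-credentials}" # assumed location, must be root-only

# The stdin script vpn -s consumes: username, password, then "y" to accept the
# login banner. printf is a shell builtin, so the password is not exposed as a
# command-line argument in the process list.
vpn_stdin() {
    printf '%s\n%s\ny\n' "$1" "$2"
}

# GUI context (DEPNotify / enrollment script): ask the logged-in user for their
# own credentials, with the password field hidden.
prompt_credentials() {
    VPN_USER=$(osascript -e 'text returned of (display dialog "VPN username:" default answer "")') || return 1
    VPN_PASS=$(osascript -e 'text returned of (display dialog "VPN password:" default answer "" with hidden answer)') || return 1
    [ -n "$VPN_USER" ] && [ -n "$VPN_PASS" ]
}

# LaunchDaemon context (no GUI): read line 1 = username, line 2 = password from
# a file that only root can read. Refuse anything group- or world-readable.
read_credentials() {
    file="$1"
    [ -f "$file" ] || return 1
    case "$(uname)" in
        Darwin) mode=$(stat -f '%Lp' "$file") ;;   # BSD stat: permission bits in octal
        *)      mode=$(stat -c '%a' "$file") ;;    # GNU stat equivalent
    esac
    case "$mode" in
        600|400) ;;
        *) echo "refusing $file: mode $mode is not 600 or 400" >&2; return 1 ;;
    esac
    VPN_USER=$(sed -n 1p "$file")
    VPN_PASS=$(sed -n 2p "$file")
    [ -n "$VPN_USER" ] && [ -n "$VPN_PASS" ]
}

# Pipe the answers into the CLI; the heredoc in the thread does the same thing.
vpn_connect() {
    vpn_stdin "$VPN_USER" "$VPN_PASS" | "$VPN_BIN" -s connect "$VPN_HOST"
}

# "vpn state" reports a "state: Connected" / "state: Disconnected" line (assumed text).
vpn_is_connected() {
    "$VPN_BIN" state 2>/dev/null | grep -q 'state: Connected'
}

main() {
    case "$1" in
        prompt) prompt_credentials || exit 1 ;;
        file)   read_credentials "$CRED_FILE" || exit 1 ;;
        *)      echo "usage: $0 prompt|file" >&2; exit 2 ;;
    esac
    vpn_connect
    unset VPN_PASS           # drop the secret from the environment once used
    vpn_is_connected
}

# Only run when invoked with a mode; sourcing the file just defines the functions.
case "${1:-}" in
    prompt|file) main "$1" ;;
esac
```

Run it as `sh anyconnect-connect.sh prompt` from an enrollment script, or `sh anyconnect-connect.sh file` from a LaunchDaemon after creating the credentials file with `install -m 600 -o root -g wheel`. The daemon variant still stores a password on disk, which is the trade-off k84 is trying to avoid; the prompt variant only works once something is drawing a GUI, which is why it fits an enrollment-time workflow rather than the login window itself.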

circadmin
New Contributor

If you are looking to add the mobile profile to the account over VPN, I was able to do it with the following steps.

1. Connect to VPN.
2. Join the machine to the domain.
3. Enable "Create mobile account at login" (located under Directory Utility).
4. Open Terminal.
5. Use the script below to create a domain account for the user.
   a. This will put the user account on the computer (leave the single quotes):

      sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -a $adminUsername -U $'adminPassword' -n $USERNAME

   b. This will cache the user's password so you can log in with them:

      dscacheutil -q user -a name $USERNAME

I found the instructions in this article: https://www.jamf.com/jamf-nation/discussions/35250/how-to-offline-add-a-domain-user-to-a-mac

bcbackes
Contributor

Resurrecting this thread. Has anyone found a way to get this to work? Ideally, I would like the AnyConnect VPN GUI window to pop up at the login screen on a Mac, allowing the user to establish a VPN connection before logging into the Mac. @c.kay referenced that we might be able to use a launch daemon for this workflow; however, I have no experience with creating launch daemons. Thoughts?

NightFlight
New Contributor III

A custom login window plug-in will need to be created to interface with the above login process. No such dialog controls exist. Cisco should be on point to create this interface for macOS; they have the dev team and resources.

oliverr
Contributor

And if FileVault is used there is no network activity at the login window anyway.

NightFlight
New Contributor III

This can be used to bring up the login window regardless of FileVault credential pass-through:

    defaults write /Library/Preferences/com.apple.loginwindow.plist DisableFDEAutoLogin -bool true