Cisco Secure Client Installation Failed - JAMF Support

mills1
New Contributor II

Hi,

Just in case anyone is struggling with the Cisco Secure Client deployment, modification of the XML file, etc., below is the step-by-step guide offered by Jamf Support. It differs slightly from the guide here - How to deploy Cisco Secure Client via JAMF (MacOS) – Cisco Umbrella (which is still great for the configuration profile setup).

 

1. Download cisco-secure-client-macos-#.#.#####-predeploy-k9.dmg from Cisco's Download site

2. Double click the DMG to mount it. You should see the items below.

3. Create a temporary folder to store files. For example:

* Click shift+command+G on the keyboard, enter /Users/Shared/, and click enter.
* Right click and select New Folder.
* Enter folder name, i.e: CiscoSecureClient

4. Drag and drop Cisco Secure Client.pkg and Profiles from mounted DMG to the folder you created in the previous step.

5. Open Terminal and navigate to the folder you created above (i.e. cd /Users/Shared/CiscoSecureClient), then run the following command:

* installer -pkg Cisco\ Secure\ Client.pkg -showChoiceChangesXML > install_choices.xml

Afterwards, an install_choices.xml file will be created in the folder. Open the file in a text editor and modify the AttributeSetting integer value to 1 for any modules that you want to install and to 0 for any that should not be installed. Note that each module will have multiple entries, and you are only modifying the entry with the choiceAttribute set to selected.

6. (Optional) Navigate to the folder created in step 3 to edit the ACTransforms.xml if necessary. When this XML file is in the same folder as the installer, the installer reads this file before running the installation. The installer searches in this order to see if a modification is found.
* Modify ACTransforms.xml to look like this:

<!-- Optional AnyConnect installer settings are provided below. Uncomment the setting(s) to perform optional action(s) at install time. -->
<Transforms>
<DisableVPN>true</DisableVPN>
<DisableCustomerExperienceFeedback>true</DisableCustomerExperienceFeedback>
</Transforms>

7. (Optional) If installing Umbrella, there will also be an OrgInfo.json file. Copy the OrgInfo.json file to /Users/Shared/CiscoSecureClient/Profiles/Umbrella/.

8. Open Composer and drag and drop the folder from step 3 into Composer's SOURCES on the left side.

9. Right click the package in the Sources column and select Rename CiscoSecureClient_#.#.#####. Replace #.#.##### with the version number we are deploying.

10. Click > next to the Source Name to open the settings drop down. Right click Scripts, then select postinstall under Add Shell Script.

11. Remove the following:
pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3

12. Add the text below. If you used a different path or folder name in step 3 update the path and names.
#This will install Cisco Secure Client
/usr/sbin/installer -applyChoiceChangesXML /Users/Shared/CiscoSecureClient/install_choices.xml -pkg /Users/Shared/CiscoSecureClient/Cisco\ Secure\ Client.pkg -target /
#Cleanup the Cisco Secure Client tmp folders
/bin/rm -rf /Users/Shared/CiscoSecureClient

13. Click File from the menu bar and then click Save. Click Build as PKG.

14. Upload CiscoSecureClient_#.#.#####.pkg into Jamf Pro.

 

The above covers the packaging and modification of the files needed. The link for the guide covers everything else.
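
The manual edit in step 5 can be scripted. The function below is an added example, not part of the Jamf Support guide or this thread: it changes the integer only in the dict whose choiceAttribute is selected, for the identifiers given on the command line, and leaves the file untouched if an identifier has no such entry. The names `set_choices` and `make_sample` are hypothetical, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the thread.
# Usage: set_choices install_choices.xml choice_dart=0 choice_nvm=1 ...
set_choices() {
    file=$1; shift
    for kv in "$@"; do
        case $kv in *=0|*=1) ;; *) echo "bad selection: $kv" >&2; return 2 ;; esac
    done
    tmp=$(mktemp) || return 1
    # Buffer each <dict>...</dict>; change its <integer> only when the dict is the
    # "selected" entry of a choiceIdentifier named on the command line.
    awk -v wants="$*" '
        function emit(   id) {
            if (index(buf, "<string>selected</string>"))
                for (id in want)
                    if (index(buf, "<string>" id "</string>")) {
                        sub(/<integer>[0-9]+<\/integer>/, "<integer>" want[id] "</integer>", buf)
                        seen[id] = 1
                    }
            printf "%s", buf
        }
        BEGIN { n = split(wants, p, " ")
                for (i = 1; i <= n; i++) { split(p[i], kv, "="); want[kv[1]] = kv[2] } }
        /<dict>/ { indict = 1; buf = "" }
        indict   { buf = buf $0 "\n"
                   if ($0 ~ /<\/dict>/) { emit(); indict = 0 }
                   next }
        { print }
        END { for (id in want) if (!(id in seen)) {
                  print "no selected entry: " id > "/dev/stderr"; bad = 1 }
              exit bad + 0 }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # overwrite only if awk succeeded
    rc=$?; rm -f "$tmp"; return $rc
}

# Constructed sample in the shape of `installer -showChoiceChangesXML` output
# (one "visible" and one "selected" entry per module).
make_sample() {
    {
        printf '<array>\n'
        for id in choice_anyconnect_vpn choice_dart; do
            printf '<dict>\n<key>attributeSetting</key>\n<false/>\n<key>choiceAttribute</key>\n<string>visible</string>\n<key>choiceIdentifier</key>\n<string>%s</string>\n</dict>\n' "$id"
            printf '<dict>\n<key>attributeSetting</key>\n<integer>1</integer>\n<key>choiceAttribute</key>\n<string>selected</string>\n<key>choiceIdentifier</key>\n<string>%s</string>\n</dict>\n' "$id"
        done
        printf '</array>\n'
    } > "$1"
}
```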


junjishimazaki
Valued Contributor

I do my Cisco client installation a bit differently. I don't package mine. I let Jamf do all the work for me with a script. After getting the choice.xml file and modifying it for what I need to install, I upload the Cisco installation package to Jamf. Then I script the installation, which creates the choice XML file and then creates the VPN profile, which Cisco ISE updates once the user logs into the VPN.

When I create the policy, I add the Cisco installation package, but I don't install it; I cache it, so it resides in the Waiting Room. Then I add my script to the policy and deploy it.

 

CODE: 

#!/bin/sh
echo "Creating xml file for AnyChoice"
 
# Creating cisco temp install folder
echo "Creating anyconnect temp folder"
mkdir -p /tmp/secure_Client_5_0
 
# Cisco application install choice XML file
echo "Creating anyconnect xml file at /private/tmp/secure_Client_5_0"
xmlPath1='/tmp/secure_Client_5_0/anyconnect_choices_5_0.xml'
 
cat <<EndXML > $xmlPath1
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_anyconnect_vpn</string>
    </dict>
<dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_fireamp</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_dart</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_secure_firewall_posture</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_iseposture</string>
    </dict>
      <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_nvm</string>
    </dict>
     <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_secure_umbrella</string>
    </dict>
</array>
</plist>
EndXML
 
echo "Installing Cisco Secure Client 5.0.000556..."
installer -applyChoiceChangesXML /tmp/secure_Client_5_0/anyconnect_choices_5_0.xml -pkg  /Library/Application\ Support/JAMF/Waiting\ Room/Cisco_Secure_Client_v5_000556.pkg -target / 
 
echo "Creating VPN profile file in /opt/cisco/secureclient/vpn/profile folder..."
# VPN Profile
xmlPath2='/opt/cisco/secureclient/vpn/profile/preferences.xml'
cat <<EndXML > $xmlPath2
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ClientInitialization>
<UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
<AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
<ShowPreConnectMessage>false</ShowPreConnectMessage>
<CertificateStore>All</CertificateStore>
<CertificateStoreMac>All</CertificateStoreMac>
<CertificateStoreOverride>false</CertificateStoreOverride>
<ProxySettings>Native</ProxySettings>
<AllowLocalProxyConnections>true</AllowLocalProxyConnections>
<AuthenticationTimeout>60</AuthenticationTimeout>
<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
<LocalLanAccess UserControllable="true">true</LocalLanAccess>
<DisableCaptivePortalDetection UserControllable="true">false</DisableCaptivePortalDetection>
<ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
<IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
<AutoReconnect UserControllable="false">true
<AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
</AutoReconnect>
<AutoUpdate UserControllable="false">false</AutoUpdate>
<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
<AutomaticVPNPolicy>false</AutomaticVPNPolicy>
<PPPExclusion UserControllable="false">Automatic
<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
</PPPExclusion>
<EnableScripting UserControllable="false">false</EnableScripting>
<CertificateMatch>
<MatchOnlyCertsWithKU>false</MatchOnlyCertsWithKU>
<DistinguishedName>
<DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled" MatchCase="Enabled">
<Name>ISSUER-CN</Name>
<Pattern>Go Daddy Secure*</Pattern>
</DistinguishedNameDefinition>
</DistinguishedName>
</CertificateMatch>
<EnableAutomaticServerSelection UserControllable="true">false
<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
</EnableAutomaticServerSelection>
<RetainVpnOnLogoff>false
</RetainVpnOnLogoff>
<AllowManualHostInput>true</AllowManualHostInput>
</ClientInitialization>
<ServerList>
<HostEntry>
<HostName>HOST_NAME</HostName>
<HostAddress>HOST_ADDRESS</HostAddress>
<BackupServerList>
<HostAddress>HOST_ADDRESS</HostAddress>
</BackupServerList>
</HostEntry>
</ServerList>
</AnyConnectProfile>
EndXML
 
echo "Cleaning up..."
echo "Deleting anyconnect temp folder"
# Remove the temp folder created at the top of this script (/tmp is /private/tmp on macOS)
rm -rf /private/tmp/secure_Client_5_0/
 
echo "Deleting anyconnect cache files from waiting room"
rm -rf  /Library/Application\ Support/JAMF/Waiting\ Room/Cisco_Secure_Client*
echo "Installation complete"
exit 0

mickl089
Contributor III

Working also with this script from @junjishimazaki, works like a charm.