Skip to main content
Solved

Cisco Secure Install Fails...But Only If Upgrading From Jamf

M
Forum|alt.badge.img+16

I'm in the process of building the latest Cisco Secure client for deployment.  I am building it using Stephane Sudre's Packages app (1.2.10).  I have the Cisco Secure pkg (pulled from Cisco directly) and the Choices.xml added in Scripts > Additional Resources.  The post-install script is very straight forward and just runs

/usr/sbin/installer -pkg ./Cisco\\ Secure\\ Client.pkg -applyChoiceChangesXML ./Cisco-Secure_choices.xml -target /

This works every time I run it on a clean install or if I run it locally on a machine with an older version of Cisco Secure.  If I try to deploy this package via Jamf policy to a machine with an older version of Cisco Secure installed, it fails 100% of the time and uninstalls the existing install.

The Jamf policy log just gives the standard unhelpful "The Installer encountered an error that caused the installation to fail." message.  The install.log tells me that the error was with the post-install script, but that is so straight forward I'm struggling to see where the error on it could even be.

Is there some trick to deploying updates to Cisco Secure via Jamf that I am missing?  I know the package is good since it works without issue on new and locally updated machines.  I'm just at a loss on why upgrading via Jamf policy would be any different.

Best answer by MehdiYawari

Hi 
I had the same issue with a policy which contains a script to first uninstall Cisco Secure Client and then install the new version of Cisco Secure Client triggered by a separate policy.
The uninstall part which also uses the vpn_uninstall.sh in /opt/cisco/secureclient/bin caused the issue. As in this script, every process is killed which contains the name "Cisco Secure Client". And our Script was named "Install/Update or Repair Cisco Secure Client". As this script contained "Cisco Secure Client" in its name, vpn_uninstall.sh script of Cisco has been killing my script which was triggered by our policy in Self Service.
After renaming the script in Jamf, the Problem was solved.

Dont know if this is also the issue in your case but is worth a shot to take a look at.

 

View original
    Did this topic help you find an answer to your question?

    16 replies

    M
    Forum|alt.badge.img+4
    • msergi
    • Contributor
    • 20 replies
    • December 5, 2023

    While this isn't a direct solution to your problem - would it be possible to upgrade your clients from the firewall push? this is how we have handed our Cisco client updates and it works very well, even going from Anyconnect v4 -> Secure Client v5. If you have several that are not able to be upgraded this way, it may be wise to run the uninstall script to fully remove the old version first in the policy, and then then run the fresh install of the latest version instead of going over the top.

    M
    Forum|alt.badge.img+16
    • McAwesome
    • Author
    • Honored Contributor
    • 329 replies
    • December 5, 2023
    msergi wrote:

    While this isn't a direct solution to your problem - would it be possible to upgrade your clients from the firewall push? this is how we have handed our Cisco client updates and it works very well, even going from Anyconnect v4 -> Secure Client v5. If you have several that are not able to be upgraded this way, it may be wise to run the uninstall script to fully remove the old version first in the policy, and then then run the fresh install of the latest version instead of going over the top.


    That would be my preference as well, but the team that handles that is....not the fastest.  Now that we're also working on getting Umbrella rolled out we're needing to get them to speed up to match.

    M
    Forum|alt.badge.img+11
    • mschlosser
    • Contributor
    • 126 replies
    • December 5, 2023

    interesting, issue, it may be worth remembering that scripts that run from jamf run as root this may cause issues depending on exactly what the Cisco software is trying to do, may be best to start the install as the current user toes if that solves the issue, similar to the below:

    #!/bin/bash #variable for storing the current users name currentuser=`stat -f "%Su" /dev/console` su "$currentuser" -c "<command to run>"

    also, while building the package it may be a good idea to double check that the posix permissions are correct on the installed files and have been propagated throughout the entire package. If IO had to guess; because it executes correct locally and errors form jamf, I'd look at user context.

    Hope those two things at least give you places to look.

    M

    M
    Forum|alt.badge.img+16
    • McAwesome
    • Author
    • Honored Contributor
    • 329 replies
    • December 5, 2023
    mschlosser wrote:

    interesting, issue, it may be worth remembering that scripts that run from jamf run as root this may cause issues depending on exactly what the Cisco software is trying to do, may be best to start the install as the current user toes if that solves the issue, similar to the below:

    #!/bin/bash #variable for storing the current users name currentuser=`stat -f "%Su" /dev/console` su "$currentuser" -c "<command to run>"

    also, while building the package it may be a good idea to double check that the posix permissions are correct on the installed files and have been propagated throughout the entire package. If IO had to guess; because it executes correct locally and errors form jamf, I'd look at user context.

    Hope those two things at least give you places to look.

    M


    I should clarify.  It executes correctly when run locally, when deployed as a new install via Jamf, and when installed on top of the same version via Jamf.  It's only failing if deployed through Jamf to a machine that has a previous version currently installed.

    I did forget about that user context bit, but if that were the cause shouldn't I expect it to fail on clean installs via Jamf policy?

    M
    Forum|alt.badge.img+11
    • mschlosser
    • Contributor
    • 126 replies
    • December 5, 2023
    McAwesome wrote:

    I should clarify.  It executes correctly when run locally, when deployed as a new install via Jamf, and when installed on top of the same version via Jamf.  It's only failing if deployed through Jamf to a machine that has a previous version currently installed.

    I did forget about that user context bit, but if that were the cause shouldn't I expect it to fail on clean installs via Jamf policy?


    Ah. that is interesting; and I see what you are saying regarding the inconsistency; as far as the reason for this sort of behavior, that is strange; I'd have to give it more thought. that said, the route of least resistance would be to remove the old version and then install the new one, in my opinion. 

    M
    Forum|alt.badge.img+7
    • MehdiYawari
    • Contributor
    • 26 replies
    • Answer
    • December 6, 2023

    Hi 
    I had the same issue with a policy which contains a script to first uninstall Cisco Secure Client and then install the new version of Cisco Secure Client triggered by a separate policy.
    The uninstall part which also uses the vpn_uninstall.sh in /opt/cisco/secureclient/bin caused the issue. As in this script, every process is killed which contains the name "Cisco Secure Client". And our Script was named "Install/Update or Repair Cisco Secure Client". As this script contained "Cisco Secure Client" in its name, vpn_uninstall.sh script of Cisco has been killing my script which was triggered by our policy in Self Service.
    After renaming the script in Jamf, the Problem was solved.

    Dont know if this is also the issue in your case but is worth a shot to take a look at.

     

    markopolo
    M
    T
    3 people like this
    • markopolo
      markopolo
    • M
      msergi
    • T
      Thrawnium06
    M
    Forum|alt.badge.img+16
    • McAwesome
    • Author
    • Honored Contributor
    • 329 replies
    • December 12, 2023
    MehdiYawari wrote:

    Hi 
    I had the same issue with a policy which contains a script to first uninstall Cisco Secure Client and then install the new version of Cisco Secure Client triggered by a separate policy.
    The uninstall part which also uses the vpn_uninstall.sh in /opt/cisco/secureclient/bin caused the issue. As in this script, every process is killed which contains the name "Cisco Secure Client". And our Script was named "Install/Update or Repair Cisco Secure Client". As this script contained "Cisco Secure Client" in its name, vpn_uninstall.sh script of Cisco has been killing my script which was triggered by our policy in Self Service.
    After renaming the script in Jamf, the Problem was solved.

    Dont know if this is also the issue in your case but is worth a shot to take a look at.

     


    Renamed the package from "Cisco Secure Client" to just "Cisco Secure" and it worked no issues.  I am so annoyed it was something like this, but as long as it's working now I'm ok with it.

    markopolo
    1 person likes this
    • markopolo
      markopolo
    J
    Forum|alt.badge.img+6
    • Jmardian
    • Contributor
    • 19 replies
    • January 10, 2024
    McAwesome wrote:

    Renamed the package from "Cisco Secure Client" to just "Cisco Secure" and it worked no issues.  I am so annoyed it was something like this, but as long as it's working now I'm ok with it.


    Could you elaborate on this? I've been running into a similar issue. I am deploying the pkg from a script similar to yours, and I get the same generic error in the logs. I can only find success when I run sudo jamf policy manually as the su.

     

    #!/bin/bash sudo installer -pkg /private/tmp/Cisco\\ Secure\\ Client.pkg -applyChoiceChangesXML /private/tmp/csc_choices.xml -target / exit 0

     

     

    M
    Forum|alt.badge.img+16
    • McAwesome
    • Author
    • Honored Contributor
    • 329 replies
    • January 10, 2024
    Jmardian wrote:

    Could you elaborate on this? I've been running into a similar issue. I am deploying the pkg from a script similar to yours, and I get the same generic error in the logs. I can only find success when I run sudo jamf policy manually as the su.

     

    #!/bin/bash sudo installer -pkg /private/tmp/Cisco\\ Secure\\ Client.pkg -applyChoiceChangesXML /private/tmp/csc_choices.xml -target / exit 0

     

     


    In my case, my package was name included "Cisco Secure Client", so when the install ran, the initial uninstall step from Cisco's pkg force killed my pkg I wrapped it in.  When I built it exactly the same but named "Cisco Secure" instead of "Cisco Secure Client", everything worked fine.

    J
    Forum|alt.badge.img+6
    • Jmardian
    • Contributor
    • 19 replies
    • January 10, 2024
    McAwesome wrote:

    In my case, my package was name included "Cisco Secure Client", so when the install ran, the initial uninstall step from Cisco's pkg force killed my pkg I wrapped it in.  When I built it exactly the same but named "Cisco Secure" instead of "Cisco Secure Client", everything worked fine.


    I see.  I don't think that applies to my issue, but I appreciate the response! 

    J
    Forum|alt.badge.img+4
    • jgaitherccu
    • Contributor
    • 22 replies
    • February 2, 2024
    Jmardian wrote:

    Could you elaborate on this? I've been running into a similar issue. I am deploying the pkg from a script similar to yours, and I get the same generic error in the logs. I can only find success when I run sudo jamf policy manually as the su.

     

    #!/bin/bash sudo installer -pkg /private/tmp/Cisco\\ Secure\\ Client.pkg -applyChoiceChangesXML /private/tmp/csc_choices.xml -target / exit 0

     

     


    Have you found a fix? I've been working on this for weeks, myself. Same issue as you. If I sudo jamf policy the CSC package installs just fine. If I let the system naturally check in for an install the package install reports complete but no Cisco folder and the log says "installer: The install failed. (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance. An error occurred while running scripts from the package “CiscoSecureClient.pkg”.)"

     

    I'm going to try renaming the package to CiscoSecure like that person below suggested. If that works it's a very bizarre fix.

    J
    Forum|alt.badge.img+6
    • Jmardian
    • Contributor
    • 19 replies
    • February 2, 2024
    jgaitherccu wrote:

    Have you found a fix? I've been working on this for weeks, myself. Same issue as you. If I sudo jamf policy the CSC package installs just fine. If I let the system naturally check in for an install the package install reports complete but no Cisco folder and the log says "installer: The install failed. (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance. An error occurred while running scripts from the package “CiscoSecureClient.pkg”.)"

     

    I'm going to try renaming the package to CiscoSecure like that person below suggested. If that works it's a very bizarre fix.


    Sure did. The Secure Client PKG I am using packages Duo Desktop along with it. The installation errors were occurring due to the cert I didn't have for DUO not the Secure Client... SUPER ANNOYING. And none of Cisco's documentation mentioned anything about needing a cert for DUO, which is hilarious because I don't even need DUO in the first place... Anyways, if your PKG contains DUO Desktop, follow the instructions here to create and push out the config for DUO before installing the Cisco Secure Client: https://help.duo.com/s/article/6403?language=en_US 

    J
    1 person likes this
    • J
      jgaitherccu
    J
    Forum|alt.badge.img+4
    • jgaitherccu
    • Contributor
    • 22 replies
    • February 2, 2024
    Jmardian wrote:

    Sure did. The Secure Client PKG I am using packages Duo Desktop along with it. The installation errors were occurring due to the cert I didn't have for DUO not the Secure Client... SUPER ANNOYING. And none of Cisco's documentation mentioned anything about needing a cert for DUO, which is hilarious because I don't even need DUO in the first place... Anyways, if your PKG contains DUO Desktop, follow the instructions here to create and push out the config for DUO before installing the Cisco Secure Client: https://help.duo.com/s/article/6403?language=en_US 


    ..............

    ..........

    .....

    .ffs

     

     

    That's about the stupidest thing I've ever seen. Especially since it installs just fine when manually typing sudo jamf policy into terminal. For posterity's sake here is what I ended up doing courtesy of your help.

    >Upload SecureClient pkg to JAMF

    >Create Script with the following text:

    echo "Adding empty Cisco Secure Client Duo File..."
    mkdir /Library/Application\\ Support/Duo
    mkdir /Library/Application\\ Support/Duo/Duo\\ Device\\ Health
    touch /Library/Application\\ Support/Duo/Duo\\ Device\\ Health/DisableMacOS11CertManagement

    >Create Policy with SecureClient pkg and "blank duo file" Script. Set Script to run Before.

    J
    1 person likes this
    • J
      Jmardian
    J
    Forum|alt.badge.img+4
    • jgaitherccu
    • Contributor
    • 22 replies
    • February 2, 2024
    jgaitherccu wrote:

    ..............

    ..........

    .....

    .ffs

     

     

    That's about the stupidest thing I've ever seen. Especially since it installs just fine when manually typing sudo jamf policy into terminal. For posterity's sake here is what I ended up doing courtesy of your help.

    >Upload SecureClient pkg to JAMF

    >Create Script with the following text:

    echo "Adding empty Cisco Secure Client Duo File..."
    mkdir /Library/Application\\ Support/Duo
    mkdir /Library/Application\\ Support/Duo/Duo\\ Device\\ Health
    touch /Library/Application\\ Support/Duo/Duo\\ Device\\ Health/DisableMacOS11CertManagement

    >Create Policy with SecureClient pkg and "blank duo file" Script. Set Script to run Before.


    Forgot to add that I also created another Script to run After in the Policy with the following text:

    /Applications/Duo\\ Desktop.app/Contents/Library/LaunchServices/com.duosecurity.UninstallDuoDeviceHealth

    M
    Forum|alt.badge.img+16
    • McAwesome
    • Author
    • Honored Contributor
    • 329 replies
    • February 2, 2024
    jgaitherccu wrote:

    Forgot to add that I also created another Script to run After in the Policy with the following text:

    /Applications/Duo\\ Desktop.app/Contents/Library/LaunchServices/com.duosecurity.UninstallDuoDeviceHealth


    You should also be able to fix this by adding Duo specific stuff to your choices.xml file.

    J
    Forum|alt.badge.img+6
    • Jmardian
    • Contributor
    • 19 replies
    • February 2, 2024
    jgaitherccu wrote:

    ..............

    ..........

    .....

    .ffs

     

     

    That's about the stupidest thing I've ever seen. Especially since it installs just fine when manually typing sudo jamf policy into terminal. For posterity's sake here is what I ended up doing courtesy of your help.

    >Upload SecureClient pkg to JAMF

    >Create Script with the following text:

    echo "Adding empty Cisco Secure Client Duo File..."
    mkdir /Library/Application\\ Support/Duo
    mkdir /Library/Application\\ Support/Duo/Duo\\ Device\\ Health
    touch /Library/Application\\ Support/Duo/Duo\\ Device\\ Health/DisableMacOS11CertManagement

    >Create Policy with SecureClient pkg and "blank duo file" Script. Set Script to run Before.


    Agreed. I was so burnt out from deciphering what the hell was going on in the PKG that I was just happy to get the Umbrella portion working. This is the logical next step, just removing DUO from the equation entirely. 

    Reply


    Most helpful members this week

    Terms & ConditionsCookie settingsAccessibility statement

    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

     
    Cookie settings