Posted on 12-29-2015 12:02 PM
I am trying to package the latest version of Cisco AnyConnect 4.2.01035 but ran into a reboot required issue. Basically once created in Composer, the client opens up to an error "The VPN Service is not available. Exiting". A reboot fixes this, but that makes it inconvenient for our end-user base, as we will need to force them to reboot each time. Does anyone know of a method to avoid the reboot? I have already tried rebooting post installation while in Composer and completed the process of creating the package after the reboot through Composer but no luck there. It seems that the client might be looking for some certificate potentially created during a reboot in order for it to properly function.
Any help in either how to properly package this and to avoid a reboot or with Cisco AnyConnect will be extremely appreciated!
Posted on 12-29-2015 12:57 PM
You probably have to start the service in a postinstall script included in the pkg. Check for installed Launch Daemons and Launch Agents and write a script that starts those daemons/agents and it should work without a reboot.
Posted on 12-29-2015 05:05 PM
Thank you mlavine for the tip there... Was able to get it going per your suggestion by running an execute command one liner within a JSS policy "launchctl load /Library/LaunchDaemons/com.cisco.anyconnect.vpnagentd.plist".
Thank you and have a great new year!
-D.P.
Posted on 01-04-2016 12:26 PM
Cisco AnyConnect already comes from Cisco in an Apple .pkg format. Is there a particular reason why you're re-packaging with Composer? If you use the package from Cisco, it does not require a reboot.
Posted on 07-28-2016 04:56 PM
I was having a related problem getting Cisco AnyConnect VPN to install with just the VPN module and nothing else. I ended up using pkgutil to expand the package
pkgutil --expand AnyConnect.pkg ~/Documents/AnyConnectVPN
then I opened the Distribution file inside of the expanded package and deleted this:
<choices-outline>
<line choice="choice_vpn"/>
<line choice="choice_websecurity"/>
<line choice="choice_fireamp"/>
<line choice="choice_dart"/>
<line choice="choice_posture"/>
<line choice="choice_iseposture"/>
<line choice="choice_nvm"/>
</choices-outline>
After saving the Distribution file, I flattened the package.
pkgutil --flatten ~/Documents/AnyConnectVPN ~/Desktop/CiscoVPN.pkg
Then I tested it to make sure that it only installed the VPN module and it worked.
Posted on 06-14-2017 07:53 PM
Thanks cosmo-slug that worked for me and was by far the easiest solution! FYI Guys (--expand pkg-path dir-path) if that helps.
Posted on 02-27-2018 07:52 AM
didn't even need to remove the distro file
Posted on 01-16-2019 07:54 AM
This solution was very helpful. Thanks for contributing
Posted on 09-17-2019 02:57 AM
Hey There,
It's not working for us. Can anyone help us? We are getting the as per the image.
Posted on 09-17-2019 03:40 AM
Are you packaging all modules for Cisco AnyConnect or want to remove some modules while packaging?
Posted on 09-17-2019 12:49 PM
One thing you may want to consider is to do this using the options built into the "installer" command. The "-showChoiceChangesXML" and "-applyChoiceChangesXML" options will allow you to install only the modules you want to install. Apple created these options for meta packages, which is what the AnyConnect package is, i.e. a package of packages.
There may be more detailed posts about this but here is a super short version:
This command will give you an XML file that you can edit that lists all of the sub packages. Paste the output into your favorite text editor and name it "Choices.xml" for the purposes of this brief guide:
installer -showChoiceChangesXML -pkg /path/to/AnyConnect.pkg
To pick what you want to install, modify the XML file by changing 0's (no) to 1's (yes) in the attributes with "selected" in the text. For example:
<key>attributeSetting</key>
<integer>1</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_vpn</string>
Once you have modified the XML file, feed it back to the installer package:
installer -applyChoiceChangesXML /path/to/Choices.xml -pkg /path/to/AnyConnect.pkg -target /
You can use Composer to create a package that does all of this, i.e. put Cisco's package in place and feed it the Choices.xml file with a postscript.
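The choice-changes edit described in the post above, as an added example that is not part of the original post or of Cisco's or Apple's tooling: it flips only the "selected" entries, refuses identifiers the package does not list, and reports what would be installed so the file can be reviewed before a root install. The function names are hypothetical, and the sample input is constructed (the "visible" and "enabled" entries are an assumption about the output's shape; the choice identifiers come from the Distribution file quoted in this thread).

```python
import plistlib

# Choice identifiers as listed in the Distribution file quoted in this thread.
MODULES = ["choice_vpn", "choice_websecurity", "choice_fireamp", "choice_dart",
           "choice_posture", "choice_iseposture", "choice_nvm"]


def constructed_sample():
    """Constructed stand-in for `installer -showChoiceChangesXML` output."""
    entries = []
    for cid in MODULES:
        for attr in ("visible", "enabled", "selected"):
            entries.append({"attributeSetting": 0 if attr == "selected" else 1,
                            "choiceAttribute": attr,
                            "choiceIdentifier": cid})
    return plistlib.dumps(entries)


def select_modules(choices_xml, wanted):
    """Return Choices.xml bytes with only the `wanted` modules selected."""
    entries = plistlib.loads(choices_xml)
    known = {e["choiceIdentifier"] for e in entries}
    unknown = set(wanted) - known
    if unknown:
        # A mistyped identifier would otherwise silently install nothing.
        raise ValueError(f"not in this package: {sorted(unknown)}")
    for e in entries:
        if e["choiceAttribute"] == "selected":
            e["attributeSetting"] = 1 if e["choiceIdentifier"] in wanted else 0
    return plistlib.dumps(entries)


def selected_ids(choices_xml):
    """List the modules a Choices.xml would install, for review before deploy."""
    return sorted(e["choiceIdentifier"] for e in plistlib.loads(choices_xml)
                  if e["choiceAttribute"] == "selected" and e["attributeSetting"])


if __name__ == "__main__":
    xml = select_modules(constructed_sample(), {"choice_vpn", "choice_iseposture"})
    print(selected_ids(xml))
```

Running `selected_ids` on the finished file before it is packaged gives a quick check that no unwanted module is about to be installed as root.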
Posted on 09-17-2019 09:27 PM
Want to remove some modules and need to apply our VPN and umbrella profile.
Posted on 09-17-2019 10:02 PM
Pkg is saved in Documents folder with name of AnyConnect.pkg
Expand the Cisco Package using the below command in Terminal
pkgutil --expand ~/Documents/AnyConnect.pkg ~/Documents/AnyConnectVPN
Open the Distribution file inside of the expanded package, delete the line for each module which you don't want to include in the package, and save the changes
<choices-outline>
<line choice="choice_vpn"/>
<line choice="choice_websecurity"/>
<line choice="choice_dart"/>
<line choice="choice_posture"/>
<line choice="choice_iseposture"/>
<line choice="choice_fireamp"/>
<line choice="choice_nvm"/>
</choices-outline>
After saving the Distribution file, flatten the package using the below command
pkgutil --flatten ~/Documents/AnyConnectVPN ~/Documents/CiscoVPN.pkg
Upload the CiscoVPN.pkg to Jamf Admin and push to Mac.
Posted on 09-18-2019 05:55 AM
@bmarks actually gave you the easiest method for doing this, and this is how we do it. We deploy the entire AnyConnect package to /tmp and then call the installer binary to install using a choices.xml file. You can even deploy the profiles you need at the same time.
I have a folder structure that I use for creating my packages, thanks to someone in the Mac Admin community (can't remember where I got this):
Build the folder structure where you want files to be delivered in the ROOT folder, any preinstall or postinstall scripts in the scripts folder, and then use the Build.sh script (below) to build the package. Just open Terminal, navigate into the folder structure where the build script is, and execute. I have it setup to take two command line arguments: Package name and version:
#!/bin/bash
args=("$@")
pkgName="${args[0]}"
# Both arguments are required; stop before building a nameless package.
if [ -z "$pkgName" ] || [ -z "${args[1]}" ]; then
    echo "Supply the package name and version: build.sh <pkgname> <version>"
    exit 1
fi
# get date for package name
myDate=$(date +%Y%m%d)
# Name of the package.
NAME="${pkgName}"
# Once installed the identifier is used as the filename for the receipt files in /var/db/receipts/.
IDENTIFIER="com.omnicom.$NAME"
# Package version number.
VERSION="${args[1]}"
# Remove any unwanted .DS_Store files.
find ROOT/ -name '*.DS_Store' -type f -delete
# Build package.
/usr/bin/pkgbuild \
    --root ROOT/ \
    --scripts scripts/ \
    --identifier "$IDENTIFIER" \
    --version "$VERSION" \
    "Output/$NAME-$VERSION-$myDate.pkg"
Back to AnyConnect... We have one business unit that uses the ISE Posture module, so we created a special package for them. We placed the ISE Posture config file, along with the VPN profile XML file, into /tmp along with the AnyConnect installer and the choices.xml file. We then use the following postinstall script as part of the package to do the work:
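#!/bin/bash
# Files staged in /tmp by the package payload.
anyChoice="/tmp/AnyConnectChoices.xml"
anyInstall="/tmp/AnyConnect.pkg"
vpn="/tmp/VPN_PROFILE.xml"
ise="/tmp/ISEPostureCFG.xml"
# Install only the modules selected in the choices file.
/usr/sbin/installer -applyChoiceChangesXML "${anyChoice}" -pkg "${anyInstall}" -target /
# Put the VPN profile and ISE Posture config where AnyConnect reads them.
/bin/mv "${vpn}" /opt/cisco/anyconnect/profile
/bin/mv "${ise}" /opt/cisco/anyconnect/iseposture/
exit 0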
That should give you a package that can be deployed straight from Jamf without having to mess with the vendor's install package.
Happy packaging!
Posted on 09-18-2019 06:00 AM
Forgot one thing. There is a great blog post on using a choices.xml file for McAfee and AnyConnect where I got the info for doing this:
Using installer choices.xml to modify AnyConnect and McAfee deployments
Posted on 11-22-2019 05:14 AM
@EMNGNSH Thank you. It works :-)
Posted on 01-29-2020 07:41 AM
Hi All,
How do we block this prompt... Can anyone suggest?
Posted on 01-29-2020 08:16 AM
@sushanth.gopinath you need to authorize the kernel extension via an MDM config profile
run
codesign -dv --verbose=4 "/Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app"
and find the teamid, copy it. in jamf, create a new config profile, select approved kernel extensions as payload. put in a display name, put in the team identifier, scope and deploy
Posted on 01-30-2020 06:27 AM
@hdsreid: I tried this but still am getting the prompt.
Below is the screen shot of the pay load and let me know if I miss something.
Posted on 01-30-2020 07:30 AM
@sushanth.gopinath
try it without the additional approval, just the blanket approval for team id as so
this works on my machines, although we are not on Catalina outside of a few test users.
got a couple questions for you:
does the inventory for the device you're deploying to have "user approved mdm" status?
do the profiles deploy and get installed on the machine at least?
are they scoped at computer level or user level?
Posted on 01-30-2020 08:49 AM
This is working for me.
Posted on 01-31-2020 09:47 AM
@hdsreid: If I create a package for the Cisco extension using .mobileconfig, will the profile appear in System Preferences? We are not using the APNS service for Jamf.
Posted on 01-31-2020 10:31 AM
@sushanth.gopinath You must install kernel extension profiles via push from User Approved MDM, and that requires APNS
Posted on 01-31-2020 11:21 AM
@sushanth.gopinath do you have another MDM provider? given the cost of jamf, why would you not utilize mdm?