Cisco VPN AnyConnect client packaging issues

dpinai
New Contributor III

I am trying to package the latest version of Cisco AnyConnect 4.2.01035 but ran into a reboot required issue. Basically once created in Composer, the client opens up to an error "The VPN Service is not available. Exiting". A reboot fixes this but making this inconvenient to our end-user base as we will need to force them to reboot each time. Does anyone know of a method to avoid the reboot? I have already tried rebooting post installation while in Composer and completed the process of creating the package after the reboot through Composer but no luck there. It seems that the client might be looking for some certificate potentially created during a reboot in order for it to properly function.

Any help in either how to properly package this and to avoid a reboot or with Cisco AnyConnect will be extremely appreciated!

3e069a723ad449379ea050ae3101cdb2

24 REPLIES 24

mlavine
Contributor

You probably have to start the service in a postinstall script included in the pkg. Check for installed Launch Daemons and Launch Agents and write a script that starts those daemons/agents and it should work without a reboot.

davepinai
New Contributor

Thank you mlavine for the tip there... Was able to get it going per your suggestion by running an execute command one liner within a JSS policy "launchctl load /Library/LaunchDaemons/com.cisco.anyconnect.vpnagentd.plist".

Thank you and have a great new year!

-D.P.

taugust04
Valued Contributor

Cisco AnyConnect already comes from Cisco in an Apple .pkg format. Is there a particular reason why you're re-packaging with Composer? If you use the package from Cisco, it does not require a reboot.

cosmo-slug
New Contributor

I was having a related problem getting Cisco AnyConnect VPN to install with just the VPN module and nothing else. I ended up using pkgutil to expand the package

pkgutil --expand AnyConnect.pkg ~/Documents/AnyConnectVPN

then I opened the Distribution file inside of the expanded package and deleted this:

<choices-outline> <line choice="choice_vpn"/>
<line choice="choice_websecurity"/> <line choice="choice_fireamp"/> <line choice="choice_dart"/> <line choice="choice_posture"/> <line choice="choice_iseposture"/> <line choice="choice_nvm"/> </choices-outline>

After saving the Distribution file, I flattened the package.

pkgutil --flatten ~/Documents/AnyConnectVPN ~/Desktop/CiscoVPN.pkg

Then I tested it to make sure that it only installed the VPN module and it worked.

Aquiax
New Contributor

Thanks cosmo-slug that worked for me and was by far the easiest solution! FYI Guys (--expand pkg-path dir-path) if that helps.

mjurczyk
New Contributor

didn't even need to remove the distro file

juliusr
New Contributor II

This solution was very helpful. Thanks for contributing

expo2020
New Contributor III

Hey There,

Its not working for us, Can one help us. We are getting the as per the image.

Nmangal
New Contributor III

Are you packaging all modules for Cisco AnyConnect or want to remove some modules while packaging?

bmarks
Contributor II

One thing you may want to consider is to do this using the options built into the "installer" command. The "-showChoiceChangesXML" and "-applyChoiceChangesXML" options will allow you to install only the modules you want to install. Apple created these options for meta packages, which is what the AnyConnect package is, i.e. a package of packages.

There may be more detailed posts about this but here is a super short version:

This command will give you an XML file that you can edit that lists all of the sub packages. Paste the output into your favorite text editor and named it "Choices.xml" for the purposes of this brief guide:

installer -showChoiceChangesXML -pkg /path/to/AnyConnect.pkg

To pick what you want to install, modify the XML file by changing 0's (no) to 1's (yes) in the attributes with "selected" in the text. For example:

<key>attributeSetting</key>
<integer>1</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_vpn</string>

Once you have modified the XML file, feed it back to the installer package:

installer -applyChoiceChangesXML /path/to/Choices.xml -pkg /path/to/AnyConnect.pkg -target /

You can use Composer to create a package that does all of this, i.e. put Cisco's package in place and feed it the Choices.xml file with a postscript.

expo2020
New Contributor III

Want to remove some modules and need to apply our VPN snd umbrella profile.

Nmangal
New Contributor III

Pkg is saved in Documents folder with name of AnyConnect.pkg

  1. Expand the Cisco Package using the below command in Terminal
    pkgutil --expand ~/Documents/AnyConnect.pkg ~/Documents/AnyConnectVPN

  2. Open the Distribution file inside of the expanded package and delete the line for module which you don't want to include in package and save the changes
    <choices-outline> <line choice="choice_vpn"/>
    <line choice="choice_websecurity"/>
    <line choice="choice_dart"/>
    <line choice="choice_posture"/> <line choice="choice_iseposture"/> <line choice="choice_fireamp"/>
    <line choice="choice_nvm"/>
    </choices-outline>

  3. After saving the Distribution file, flatten the package using the below command
    pkgutil --flatten ~/Documents/AnyConnectVPN ~/Documents/CiscoVPN.pkg

  4. Upload the CiscoVPN.pkg to Jamf Admin and push to Mac.

stevewood
Honored Contributor II

@EMNGNSH @expo2020

@bmarks actually gave you the easiest method for doing this, and this is how we do it. We deploy the entire AnyConnect package to /tmp and then call the installer binary to install using a choices.xml file. You can even deploy the profiles you need at the same time.

I have a folder structure that I use for creating my packages, thanks to someone in the Mac Admin community (can't remember where I got this):

fef2a5e5d5744dc694ed7ed9ed96ca0e

Build the folder structure where you want files to be delivered in the ROOT folder, any preinstall or postinstall scripts in the scripts folder, and then use the Build.sh script (below) to build the package. Just open Terminal, navigate into the folder structure where the build script is, and execute. I have it setup to take two command line arguments: Package name and version:

#!/bin/bash
args=("$@")
pkgName="${args[0]}"

echo "Supply the package name and version: build.sh <pkgname> <version>"
# get date for package name
myDate=`date +%Y%m%d`

# Name of the package.
NAME="${pkgName}"

# Once installed the identifier is used as the filename for a receipt files in /var/db/receipts/.
IDENTIFIER="com.omnicom.$NAME"

# Package version number.
VERSION="${args[1]}"

# Remove any unwanted .DS_Store files.
find ROOT/ -name '*.DS_Store' -type f -delete

# Build package.
/usr/bin/pkgbuild 
    --root ROOT/ 
    --scripts scripts/ 
    --identifier "$IDENTIFIER" 
    --version "$VERSION" 
    "Output/$NAME-$VERSION-$myDate.pkg"

Back to AnyConnect... We have one business unit that uses the ISE Posture module, so we created a special package for them. We placed the ISE Posture config file, along with the VPN profile XML file, into /tmp along with the AnyConnect installer and the choices.xml file. We then use the following postinstall script as part of the package to do the work:

#!/bin/bash

anyChoice="/tmp/AnyConnectChoices.xml"
anyInstall="/tmp/AnyConnect.pkg"
vpn="/tmp/VPN_PROFILE.xml"
ise="/tmp/ISEPostureCFG.xml"

/usr/sbin/installer -applyChoiceChangesXML ${anyChoice} -pkg ${anyInstall} -target /
/bin/mv ${vpn} /opt/cisco/anyconnect/profile
/bin/mv ${ise} /opt/cisco/anyconnect/iseposture/

exit 0

That should give you a package that can be deployed straight from Jamf without having to mess with the vendor's install package.

Happy packaging!

stevewood
Honored Contributor II

Forgot one thing. There is a great blog post on using a choices.xml file for McAfee and AnyConnect where I got the info for doing this:

Using installer choices.xml to modify AnyConnect and McAfee deployments

gsabari
New Contributor III

@EMNGNSH Thank you . It works 🙂

SGN
New Contributor III

Hi All,

How do we block this prompt... Any any one suggest.

SGN
New Contributor III

20329c836e1746fe8cfcffc23a391a81

hdsreid
Contributor III

@sushanth.gopinath you need to authorize the kernel extension via an MDM config profile
run

codesign -dv --verbose=4 /Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app

and find the teamid, copy it. in jamf, create a new config profile, select approved kernel extensions as payload. put in a display name, put in the team identifier, scope and deploy

SGN
New Contributor III

@hdsreid: I tried this but still am getting the prompt.

Below is the screen shot of the pay load and let me know if I miss something.

b942458e50114de69e791f61f2542ab7

hdsreid
Contributor III

@sushanth.gopinath try it without the additional approval, just the blanket approval for team id as so
cbd0e72c349d489283f8440d8d1bbe40

this works on my machines, although we are not on Catalina outside of a few test users. got a couple questions for you:
does the inventory for the device you're deploying to have "user approved mdm" status?
do the profiles deploy and get installed on the machine at least?
are they scoped at computer level or user level?

Nmangal
New Contributor III

This is working for me.
24628c2fbaf241568a9de35e0a9bf999

SGN
New Contributor III

@hdsreid : If i create a package for CISCO extension using .mobileconfig, does the profile will appear in system preferences ? as we are not using APNS service for jamf.

sdagley
Honored Contributor II

@sushanth.gopinath You must install kernel extension profiles via push from User Approved MDM, and that requires APNS

hdsreid
Contributor III

@sushanth.gopinath do you have another MDM provider? given the cost of jamf, why would you not utilize mdm?