Deploying AnyConnect without the Web Security Module

bmarks
Contributor II

Might anyone have any experience deploying AnyConnect 3.1+ using Cisco's installer but without the Web Security module?

Cisco mentions something in their documentation regarding a configuration file for the installer named ACTtransforms.xml but I cannot find any examples of this file, nor any info for how to create one. I have tried searching and have found no additional info. There is a script that can be run after the installation that will remove this module, but I'd prefer for it never to be installed in the first place.

1 ACCEPTED SOLUTION

nicktong
New Contributor III

@bmarks

I would use Apple Installer's ChoiceChangesXML.

To disable default installation of the WebSecurity module, make a ChoiceChangesXML file that deselects the websecurity choice:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_websecurity</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_vpn</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_dart</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_posture</string>
    </dict>
</array>
</plist>

While the vpn, dart, and posture choices are selected above, their dictionaries may be omitted entirely if not deselecting them – installer will just use the defaults, which is to install those bits.

Then, run the installer specifying the ChoiceChangesXML:

sudo installer -pkg AnyConnect.pkg -target / -applyChoiceChangesXML someChoiceChanges.plist

If there's a plan on running a GUI installer, you can also optionally "gray-out" or disable a choice; or make it invisible altogether using the enabled and visible choiceIdentifiers. To see all the options, run:

installer -showChoiceChangesXML -pkg AnyConnect.pkg

As for ACTtransforms.xml, it is useful for deploying customized AnyConnect installations via ASA. The Adaptive Security Device Manager (ASDM) ingests the file to enable the ASAs to deploy AnyConnect with the options specified. Examples are in the AnyConnect downloads area once logged-in to cisco.com with a CCO account.
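As an added example, not code from the thread or from Cisco: a bash wrapper around the ChoiceChangesXML approach above that generates the plist for any list of modules, checks each identifier against what the package really exposes (installer silently ignores unknown identifiers, so a typo would leave the module installed), refuses an unsigned package, and then installs. The choice_* names, the sample -showChoiceChangesXML fragment and the "Status: signed" text from pkgutil --check-signature are assumptions to confirm against the AnyConnect version you deploy.

```shell
#!/bin/bash
# Added example, not code from the thread: build a ChoiceChangesXML file that
# deselects the given modules, verify those choice identifiers actually exist
# in the package (installer silently ignores unknown ones), and install.
# Assumes the choice_* identifiers nicktong lists above; confirm them with
# `installer -showChoiceChangesXML` for the AnyConnect version you deploy.
# Print a ChoiceChangesXML plist deselecting every identifier given.
make_choice_changes() {
  cat <<'HEAD'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
HEAD
  local id
  for id in "$@"; do
    printf '    <dict>\n        <key>attributeSetting</key>\n        <integer>0</integer>\n'
    printf '        <key>choiceAttribute</key>\n        <string>selected</string>\n'
    printf '        <key>choiceIdentifier</key>\n        <string>%s</string>\n    </dict>\n' "$id"
  done
  printf '</array>\n</plist>\n'
}

# From `installer -showChoiceChangesXML` output on stdin, print each
# choiceIdentifier once per line.
list_choice_ids() {
  grep -A1 '<key>choiceIdentifier</key>' | sed -n 's/.*<string>\([^<]*\)<\/string>.*/\1/p' | sort -u
}

# Succeed only if every requested identifier ($2..) appears in the
# newline-separated list $1; a typo would otherwise leave the module installed.
check_choice_ids() {
  local avail="$1" id rc=0; shift
  for id in "$@"; do
    printf '%s\n' "$avail" | grep -qx -- "$id" || { echo "unknown choice: $id" >&2; rc=1; }
  done
  return "$rc"
}

# Constructed sample of -showChoiceChangesXML output, cut down to the identifier lines.
SAMPLE_CHOICES='<dict>
    <key>choiceIdentifier</key>
    <string>choice_vpn</string>
</dict>
<dict>
    <key>choiceIdentifier</key>
    <string>choice_websecurity</string>
</dict>'

# $1 = AnyConnect.pkg, $2.. = choices to deselect. Refuses an unsigned package.
deploy_without_modules() {
  local pkg="$1" plist avail rc; shift
  pkgutil --check-signature "$pkg" | grep -q 'Status: signed' ||
    { echo "refusing unsigned package: $pkg" >&2; return 1; }
  avail=$(installer -showChoiceChangesXML -pkg "$pkg" -target / | list_choice_ids)
  check_choice_ids "$avail" "$@" || return 1
  plist=$(mktemp "${TMPDIR:-/tmp}/acchoices.XXXXXX") || return 1
  make_choice_changes "$@" > "$plist"
  installer -pkg "$pkg" -target / -applyChoiceChangesXML "$plist"
  rc=$?
  rm -f "$plist"; return "$rc"
}

if [ "$(uname)" = Darwin ] && [ "$#" -ge 2 ]; then
  deploy_without_modules "$@"   # e.g. ./deploy.sh AnyConnect.pkg choice_websecurity
fi
```

Run it as root with the package path followed by the choices to drop, e.g. choice_websecurity choice_posture; with no arguments it only defines the functions.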

32 REPLIES

bmarks
Contributor II

This info is great. Thanks. I had actually started to go in this direction as well, so this is very helpful.

jrserapio
Contributor

This method worked for me as well. Thanks @nicktong!

laurendc
New Contributor

@nicktong Thank you for the answer and the explanation! I wish I had found this post when I was working on my own deployment a little while ago! Got it to work anyway but would rather leverage this instead. Will have to take another look at the package.

jrserapio
Contributor

@nicktong
Hey Nick, had a follow-up question for you. Not to derail this thread, but my question is about uninstalling AnyConnect from a script.
Basically I had installed AnyConnect the unclean way. I've scripted this and it works well, other than when I run the Uninstall AnyConnect binary, it requires user intervention. Do you happen to know a way to get this to uninstall with no user intervention?
Here is my script.

#!/bin/bash

#First check to see if a previous version exists on the machine
#(the path contains spaces, so it must be quoted)
if [ -d "/Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app" ]; then

    #uninstall the Cisco client
    "/Applications/Cisco/Uninstall AnyConnect.app/Contents/MacOS/Uninstall AnyConnect"
    sleep 30
    echo "uninstall completed"

    #remove the /opt/ folder containing the Cisco AnyConnect preferences
    rm -R /opt/cisco
    sleep 10
    echo "folder removed"

else

    echo "Does Not Exist on this machine"

fi

#Install AnyConnect without the Web Security Module
#This is done by creating the ChoiceChanges.plist file, then "caching" it along with the installer.
#Next you have to install the package from the command line, so you can add a switch that will take the Choices from the file and apply them to the install.

installer -pkg /Users/Shared/Anyconnect/AnyConnect.pkg -target / -applyChoiceChangesXML /Users/Shared/Anyconnect/acChoiceChanges.plist

Thanks.

nkalister
Valued Contributor

I just grabbed the vpn.pkg and dart.pkg's out of the standard Cisco mpkg.
I only run those two installers to install anyconnect, works great, and simpler than dealing with choice changes files.
Of course, learning how to deal with choice changes files is a good thing! Comes in handy in many situations.

guidotti
Contributor II

That's what I do, also.
We only use the VPN piece.

jhbush
Valued Contributor II

@bmarks I use this Cisco script I found to remove the web security portion.

#!/bin/sh

INSTPREFIX="/opt/cisco/anyconnect"
BINDIR="${INSTPREFIX}/bin"
PLUGINSDIR="${BINDIR}/plugins"
LIBDIR="${INSTPREFIX}/lib"
PROFILESDIR="${INSTPREFIX}/websecurity"
ACMANIFESTDAT="${INSTPREFIX}/VPNManifest.dat"
WEBSECMANIFEST="ACManifestWebSecurity.xml"
UNINSTALLLOG="/tmp/websecurity-uninstall.log"

ANYCONNECT_WEBSECURITY_PACKAGE_ID=com.cisco.pkg.anyconnect.websecurity

# Array of files to remove
FILELIST=("${INSTPREFIX}/${WEBSECMANIFEST}" 
          "${BINDIR}/acwebsecagent" 
          "${BINDIR}/websecurity_uninstall.sh" 
          "${LIBDIR}/libboost_filesystem.dylib" 
          "${LIBDIR}/libboost_system.dylib" 
          "${LIBDIR}/libboost_thread.dylib" 
          "${LIBDIR}/libboost_date_time.dylib" 
          "${INSTPREFIX}/libacwebsecapi.dylib" 
          "${INSTPREFIX}/libacwebsecctrl.dylib")

echo "Uninstalling Cisco AnyConnect Web Security Module..."
echo "Uninstalling Cisco AnyConnect Web Security Module..." > ${UNINSTALLLOG}
echo `whoami` "invoked $0 from " `pwd` " at " `date` >> ${UNINSTALLLOG}

# Check for root privileges
if [ `whoami` != "root" ]; then
  echo "Sorry, you need super user privileges to run this script."
  echo "Sorry, you need super user privileges to run this script." >> ${UNINSTALLLOG}
  exit 1
fi

# update the VPNManifest.dat; if no entries remain in the .dat file then
# this tool will delete the file - DO NOT blindly delete VPNManifest.dat by
# adding it to the FILELIST above - allow this tool to delete the file if needed
if [ -f "${BINDIR}/manifesttool" ]; then
  echo "${BINDIR}/manifesttool -x ${INSTPREFIX} ${INSTPREFIX}/${WEBSECMANIFEST}" >> ${UNINSTALLLOG}
  ${BINDIR}/manifesttool -x ${INSTPREFIX} ${INSTPREFIX}/${WEBSECMANIFEST}
fi

# check the existence of the manifest file - if it does not exist, remove the manifesttool
if [ ! -f ${ACMANIFESTDAT} ] && [ -f ${BINDIR}/manifesttool ]; then
  echo "Removing ${BINDIR}/manifesttool" >> ${UNINSTALLLOG}
  rm -f ${BINDIR}/manifesttool
fi

# move the plugins to a different folder to stop the websec agent and then remove
# these plugins once websec agent is stopped. 
echo "Moving plugins from ${PLUGINSDIR}" >> ${UNINSTALLLOG}
# redirect stdout before stderr, otherwise errors still reach the terminal
mv -f "${PLUGINSDIR}/libacwebsecapi.dylib" "${INSTPREFIX}" >/dev/null 2>&1
echo "mv -f ${PLUGINSDIR}/libacwebsecapi.dylib ${INSTPREFIX}" >> ${UNINSTALLLOG}
mv -f "${PLUGINSDIR}/libacwebsecctrl.dylib" "${INSTPREFIX}" >/dev/null 2>&1
echo "mv -f ${PLUGINSDIR}/libacwebsecctrl.dylib ${INSTPREFIX}" >> ${UNINSTALLLOG}

# wait for 2 seconds for the websecagent to exit
sleep 2

# ensure that the websec agent is not running
# double quotes so ${BINDIR} expands; single quotes left the pattern literal and the agent was never found
WEBSECPROC=`ps -A -o pid,command | grep "${BINDIR}/acwebsecagent" | egrep -v 'grep|websecurity_uninstall' | cut -c 1-5`
if [ ! "x${WEBSECPROC}" = "x" ] ; then
    echo Killing `ps -A -o pid,command -p ${WEBSECPROC} | grep ${WEBSECPROC} | egrep -v 'ps|grep'` >> ${UNINSTALLLOG}
    kill -TERM ${WEBSECPROC} >> ${UNINSTALLLOG} 2>&1
fi

# Remove only those files that we know we installed
INDEX=0
while [ $INDEX -lt ${#FILELIST[@]} ]; do
  echo "rm -rf "${FILELIST[${INDEX}]}"" >> ${UNINSTALLLOG}
  rm -rf "${FILELIST[${INDEX}]}"
  let "INDEX = $INDEX + 1"
done

# Remove the plugins directory if it is empty
if [ -d ${PLUGINSDIR} ]; then
  if [ ! -z `find "${PLUGINSDIR}" -prune -empty` ] ; then
    echo "rm -df "${PLUGINSDIR}"" >> ${UNINSTALLLOG}
    rm -df "${PLUGINSDIR}" >> ${UNINSTALLLOG} 2>&1
  fi    
fi

# Remove the bin directory if it is empty
if [ -d ${BINDIR} ]; then
  if [ ! -z `find "${BINDIR}" -prune -empty` ] ; then
    echo "rm -df "${BINDIR}"" >> ${UNINSTALLLOG}
    rm -df "${BINDIR}" >> ${UNINSTALLLOG} 2>&1
  fi    
fi

# Remove the lib directory if it is empty
if [ -d ${LIBDIR} ]; then
  if [ ! -z `find "${LIBDIR}" -prune -empty` ] ; then
    echo "rm -df "${LIBDIR}"" >> ${UNINSTALLLOG}
    rm -df "${LIBDIR}" >> ${UNINSTALLLOG} 2>&1
  fi
fi

# Remove the profiles directory
# During an upgrade, the profiles will be moved and restored by
# preupgrade and postupgrade scripts.

if [ -d ${PROFILESDIR} ]; then
    echo "rm -rf "${PROFILESDIR}"" >> ${UNINSTALLLOG}
    rm -rf "${PROFILESDIR}" >> ${UNINSTALLLOG} 2>&1
fi

# remove installer receipt
pkgutil --forget ${ANYCONNECT_WEBSECURITY_PACKAGE_ID} >> ${UNINSTALLLOG} 2>&1

echo "Successfully removed Cisco AnyConnect Web Security Module from the system." >> ${UNINSTALLLOG}
echo "Successfully removed Cisco AnyConnect Web Security Module from the system."

exit 0

tthurman
Contributor III

@nkalister

Had a question about the mpkg you use. My VPN team said they only have the dmg or an individual pkg. No mpkg. Is there a particular place you download it from? I'm assuming from the ASDM, but I don't have access to it (they do).

Regards,
TJ

colincorbin
New Contributor II

I used the Pacifist app (https://www.charlessoft.com) to extract the vpn module from the .mpkg

There is an Extract Subpackages option in the File menu.

Regards

CC

merps
Contributor III

Slightly off topic here, but I was trying to use the method in the answer to list the available options for Citrix Receiver 12.

installer -showChoiceChangesXML -pkg ~/Desktop/"Install Citrix Receiver.pkg"

Problem: When running this on 10.10.5 I got this error:

installer: Cannot install on volume (null) because it is disabled.

Solution: Add the target flag to the command above:

installer -showChoiceChangesXML -pkg ~/Desktop/"Install Citrix Receiver.pkg" -target /

It appears that some .pkg files need the target flag, while others will list the selection options without it. Hopefully this helps someone.

tthurman
Contributor III

@colincorbin

I use something similar in terminal to create a folder of the pkg. It's called "pkgutil." You can use it to expand a .pkg.

However, for some reason the vpn_module.pkg won't allow me to open it. Do I have to do something with these modules?

--TJ

colincorbin
New Contributor II

Hi TJ,

I didn't make any alteration to the vpn_module in the AnyConnect mpkg before extracting it as a pkg with Pacifist.

As Apple say, "it just worked"

Although Pacifist is shareware, you can trial it for free to see if it does what you need.

CC

tthurman
Contributor III

For some reason, that worked perfectly.

I might request a license for this application. I appreciate your help, sir.

Thank you!

Regards,
TJ

tthurman
Contributor III

I am still searching for a good way to extract the modules manually.

Does anyone have a way to do this via terminal?

Regards,
TJ

asegura
Contributor

This is what I'm running.

#!/bin/bash

sudo /opt/cisco/anyconnect/bin/websecurity_uninstall.sh
sudo /opt/cisco/anyconnect/bin/dart_uninstall.sh

pmcgurn
New Contributor III

I wrote a script for AnyConnect 4.3 to just remove the plugins we don't want. We leave DART in place, as TAC typically wants DART logs for any weird issues. The client runs fine, with just removing the dylib plugin files.

Written for 4.3.00748

#!/bin/bash

#This script is a workaround for AnyConnect 4.x, due to Cisco not providing a mechanism to 
# programmatically omit unwanted plugins.  It is intended to run post-install

echo "Beginning removal of AnyConnect plugins"

#remove ISE plugin
echo "Removing ISE plugin"
rm -rf /opt/cisco/anyconnect/bin/plugins/libaciseapi.dylib
rm -rf /opt/cisco/anyconnect/bin/plugins/libaciseshim.dylib

#remove AMP plugin
echo "Removing AMP plugin"
rm -rf /opt/cisco/anyconnect/bin/plugins/libacampctrl.dylib
rm -rf /opt/cisco/anyconnect/bin/plugins/libacampshim.dylib

#remove Web Security plugin
echo "Removing Web Security plugin"
rm -rf /opt/cisco/anyconnect/bin/plugins/libacwebsecapi.dylib
rm -rf /opt/cisco/anyconnect/bin/plugins/libacwebsecctrl.dylib

#Remove Network Visibility Monitor plugin
echo "Removing NVM plugin"
rm -rf /opt/cisco/anyconnect/bin/plugins/libacnvmctrl.dylib

echo "Finished removing AnyConnect plugins"

exit 0

Nmangal
New Contributor III

@tthurman Try the below command in Terminal to expand the AnyConnect Package

pkgutil --expand ~/Documents/AnyConnect.pkg ~/Documents/AnyConnectVPN

I have saved the package file in the Documents folder with the name AnyConnect.pkg.

tcandela
Valued Contributor II

What version are you installing?

Nmangal
New Contributor III

Cisco AnyConnect 4.5

tcandela
Valued Contributor II

It looks like with Cisco AnyConnect 4.5.03040 there are a bunch of other utilities that get installed

-- VPN === this is definitely needed but the ones below have the checkbox active for unchecking, but with the choicesXML file we can have them unselected during installation

-- web security
-- AMP Enabler
-- Diagnostics and Reporting Tool
-- Posture
-- ISE Posture
-- Network Visibility
-- Umbrella Roaming Security

tthurman
Contributor III

@nmangal

I totally wrote a script a long time ago that rips the AnyConnect PKG apart and puts each module back together in their own PKG.

Anyone need that?

#!/bin/bash

#This allows for a file input.
AnyConnectLoc="$1"

if [[ -z "$AnyConnectLoc" ]]
then
    echo "No Input File Given."
    exit 1
fi

#Get Version from Second Argument.
ModuleVersion="$2"

if [[ -z "$ModuleVersion" ]]
then
    echo "No Version Provided."
    exit 1
fi

#Where the AnyConnect Full Pkg gets expanded to.
OutputDir=~/Desktop/AnyConnect

#pkgutil --expand/--flatten need no root for a directory under your home;
#expanding with sudo would leave root-owned folders that the cp below cannot write into.
if [[ -e "$OutputDir" ]]
then
    echo "Output Directory already exists. Please delete $OutputDir first."
    exit 1
else
    pkgutil --expand "$AnyConnectLoc" "$OutputDir"

    mkdir "$OutputDir/Expanded/"
    mkdir "$OutputDir/Finished/"
fi

#Get all Modules (component packages) from the expanded directory.
AllModules=($(ls "$OutputDir" | grep '\.pkg$'))

for pkg in "${AllModules[@]}"
do
    echo "$OutputDir/$pkg"
    cp -R "$OutputDir/$pkg" "$OutputDir/Expanded/"

    #vpn_module.pkg -> vpn
    pkgName=$(echo "$pkg" | awk -F'_' '{print $1}')
    pkgExt=".pkg"

    pkgNameFull="AnyConnect_$pkgName-$ModuleVersion$pkgExt"

    echo "$pkgNameFull"

    pkgutil --flatten "$OutputDir/Expanded/$pkg" "$OutputDir/Finished/$pkgNameFull"
done

axel12garciar
New Contributor II

Honestly I just install the entire pkg and selectively uninstall what I don't want to keep... seemed easier at the time.

#!/bin/sh
#Uninstall Web Security Module
/opt/cisco/anyconnect/bin/websecurity_uninstall.sh
#
#Uninstall Network Visibility Module
/opt/cisco/anyconnect/bin/nvm_uninstall.sh
#
#Uninstall ISE Posture Module
/opt/cisco/anyconnect/bin/iseposture_uninstall.sh
#
#Uninstall AMP Module
/opt/cisco/anyconnect/bin/amp_uninstall.sh
#
#restarts the Cisco client if it was open to remove the security modules
#(match the GUI client only, so unrelated processes with "Cisco" in their command line are not killed)
Cisco=`pgrep -f "Cisco AnyConnect Secure Mobility Client"`
if [ -z "$Cisco" ]
then
    open "/Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app" &
else
    kill $Cisco
    sleep 3
    open "/Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app" &
fi

canopimp
New Contributor III

@tthurman Thank you for the script. I have been fighting with this for a week now. Your script works like a champ!!

slundy
New Contributor III

@tthurman Tried the script but I get the usual "the operation couldn't be completed. (com.apple.installer.pagecontroller error -1.). Working with v4.6 of AnyConnect.

bsuggett
Contributor II

I highly suggest using this little puppy... Makes life so much easier!

installPKGfromDMG with extra parameters for supplying an xml answer file within your DMG container

Create your xml file, add it into your DMG next to your PKG... Create a policy to cache the DMG, add this script (after priority) and supply parameters

dmgName="" # Required eg anyconnect.dmg
forcesuccessflag="" # Optional
useinstallerapp="" # Optional eg YES
allowUntrusted="" # Optional
applyChoiceChangesXMLFile="" # Optional eg myfileinsidethedmg.xml

Supplying parameter 5/forcesuccessflag with "YES" without quotes and case sensitive allows PKG exit code to be bypassed and returns a forced exit code of 0 to the JSS (if needed).

Supplying parameter 6/useinstallerapp with "YES" without quotes and case sensitive forces the use of macOS native installer binary to install the PKG.

Supplying parameter 7/allowUntrusted with "YES" without quotes and case sensitive allows bypassing an invalid or expired certificate embedded within the PKG.

Supplying parameter 8/applyChoiceChangesXMLFile with an XML filename allows the PKG to be supplied an xml answerfile. The xml file MUST be beside the PKG wrapped in your DMG.

Please take careful note that parameters 7 (allowUntrusted) and 8 (applyChoiceChangesXMLFile) are dependent on parameter 6 (useinstallerapp) being YES. I've also added mpkg if no pkg is found within the DMG. Additionally, all parameters will be parsed in the logs so one can see if, when, and where something went wrong.

d_williams
New Contributor

For anyone that is still trying to get just the VPN package out of the AnyConnect DMG, it's as simple as following these steps:

  1. Download AnyConnect DMG from Cisco.
  2. Extract AnyConnect.pkg from DMG to your Desktop.
  3. Run the following commands in Terminal:
mkdir AnyConnectVPN
pkgutil --expand AnyConnect.pkg AnyConnect
cp -r AnyConnect/vpn_module.pkg ./
cp -r vpn_module.pkg/* AnyConnectVPN/
pkgutil --flatten AnyConnectVPN AnyConnectVPN.pkg
rm -r ./AnyConnect.pkg ./AnyConnect ./AnyConnectVPN ./vpn_module.pkg

That should remove the VPN module from the Cisco AnyConnect PKG and turn it into a stand-alone deployable PKG that installs with no errors like it does when you try to install just the vpn_module.pkg.

BK74
New Contributor II

This still works on 4.8 btw, thanks it was driving me spare.

machattan
New Contributor II

@d.williams Your steps worked great! I just packaged the 4.10 client. Thank you! If we wanted to include the .xml file with the connect-to sites on it, where would we place that in this? Or is this even possible?

iJake
Valued Contributor

I'd advise using Choices XML rather than repackaging our installer. This is how I do it for us internally: https://www.jamf.com/jamf-nation/discussions/23198/cisco-anyconnect-4-4#responseChild140881

machattan
New Contributor II

@iJake Just curious... if we only wanted the VPN component from the install list, is there any reason why we can't just use the WebDeploy version of the 4.10 AnyConnect installer? anyconnect-macos-4.10.01075-webdeploy-k9.pkg

iJake
Valued Contributor

That installer is meant to be delivered by the headend for autoupdates. I've never tried to use it standalone so can't say for sure but likely you'd be advised against it officially.