Solved

Deploying AnyConnect without the Web Security Module



Might anyone have any experience deploying AnyConnect 3.1+ using Cisco's installer but without the Web Security module?

Cisco mentions something in their documentation regarding a configuration file for the installer named ACTtransforms.xml but I cannot find any examples of this file, nor any info for how to create one. I have tried searching and have found no additional info. There is a script that can be run after the installation that will remove this module, but I'd prefer for it never to be installed in the first place.

Best answer by nicktong


32 replies

nicktong
  • Contributor
  • 24 replies
  • Answer
  • June 7, 2014

@bmarks

I would use Apple Installer's ChoiceChangesXML.

To disable default installation of the WebSecurity module, make a ChoiceChangesXML file that deselects the websecurity choice:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_websecurity</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_vpn</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_dart</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_posture</string>
    </dict>
</array>
</plist>

While the vpn, dart, and posture choices are selected above, their dictionaries may be omitted entirely if not deselecting them – installer will just use the defaults, which is to install those bits.

Then, run the installer specifying the ChoiceChangesXML:

sudo installer -pkg AnyConnect.pkg -target / -applyChoiceChangesXML someChoiceChanges.plist

If there's a plan on running a GUI installer, you can also optionally "gray-out" or disable a choice; or make it invisible altogether using the enabled and visible choiceIdentifiers. To see all the options, run:

installer -showChoiceChangesXML -pkg AnyConnect.pkg

As for ACTtransforms.xml, it is useful for deploying customized AnyConnect installations via ASA. The Adaptive Security Device Manager (ASDM) ingests the file to enable the ASAs to deploy AnyConnect with the options specified. Examples are in the AnyConnect downloads area once logged-in to cisco.com with a CCO account.


  • Author
  • Contributor
  • 256 replies
  • June 8, 2014

This info is great. Thanks. I had actually started to go in this direction as well, so this is very helpful.



This method worked for me as well. Thanks @nicktong!


  • Contributor
  • 31 replies
  • June 12, 2014

@nicktong Thank you for the answer and the explanation! I wish I found this post when I was working on my own deployment a little while ago! Got it to work anyway but would rather leverage this instead. Will have to take another look at the package.



@nicktong
Hey Nick, I had a follow-up question for you. Not to derail this thread, but my question is about uninstalling AnyConnect from a script.
Basically I had installed AnyConnect the unclean way. I've scripted this and it works well, other than when I run the uninstall AnyConnect binary, it requires user intervention. Do you happen to know a way to get this to uninstall with no user intervention?
Here is my script.

#!/bin/bash

# First check to see if a previous version exists on the machine
# (the app path contains spaces, so it has to be quoted or the test fails)
if [ -d "/Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app" ]; then

    # Uninstall the Cisco client
    "/Applications/Cisco/Uninstall AnyConnect.app/Contents/MacOS/Uninstall AnyConnect"
    sleep 30
    echo "uninstall completed"

    # Remove the /opt/ folder containing the Cisco AnyConnect preferences
    rm -R /opt/cisco
    sleep 10
    echo "folder removed"

else
    echo "Does Not Exist on this machine"
fi

# Install AnyConnect without the Web Security Module
# This is done by creating the ChoiceChanges.plist file, then "caching" it along with the installer.
# Next you have to install the package from the command line, so you can add a switch that will
# take the Choices from the file and apply them to the install.

installer -pkg /Users/Shared/Anyconnect/AnyConnect.pkg -target / -applyChoiceChangesXML /Users/Shared/Anyconnect/acChoiceChanges.plist

Thanks.


  • Contributor
  • 437 replies
  • June 13, 2014

I just grabbed the vpn.pkg and dart.pkg's out of the standard Cisco mpkg.
I only run those two installers to install anyconnect, works great, and simpler than dealing with choice changes files.
Of course, learning how to deal with choice changes files is a good thing! Comes in handy in many situations.


  • Valued Contributor
  • 127 replies
  • November 13, 2014

That's what I do, also.
We only use the VPN piece.


jhbush
  • Esteemed Contributor
  • 539 replies
  • November 14, 2014

@bmarks I use this Cisco script I found to remove the web security portion.

#!/bin/sh

INSTPREFIX="/opt/cisco/anyconnect"
BINDIR="${INSTPREFIX}/bin"
PLUGINSDIR="${BINDIR}/plugins"
LIBDIR="${INSTPREFIX}/lib"
PROFILESDIR="${INSTPREFIX}/websecurity"
ACMANIFESTDAT="${INSTPREFIX}/VPNManifest.dat"
WEBSECMANIFEST="ACManifestWebSecurity.xml"
UNINSTALLLOG="/tmp/websecurity-uninstall.log"

ANYCONNECT_WEBSECURITY_PACKAGE_ID=com.cisco.pkg.anyconnect.websecurity

# Array of files to remove
FILELIST=("${INSTPREFIX}/${WEBSECMANIFEST}"
          "${BINDIR}/acwebsecagent"
          "${BINDIR}/websecurity_uninstall.sh"
          "${LIBDIR}/libboost_filesystem.dylib"
          "${LIBDIR}/libboost_system.dylib"
          "${LIBDIR}/libboost_thread.dylib"
          "${LIBDIR}/libboost_date_time.dylib"
          "${INSTPREFIX}/libacwebsecapi.dylib"
          "${INSTPREFIX}/libacwebsecctrl.dylib")

echo "Uninstalling Cisco AnyConnect Web Security Module..."
echo "Uninstalling Cisco AnyConnect Web Security Module..." > ${UNINSTALLLOG}
echo `whoami` "invoked $0 from " `pwd` " at " `date` >> ${UNINSTALLLOG}

# Check for root privileges
if [ `whoami` != "root" ]; then
    echo "Sorry, you need super user privileges to run this script."
    echo "Sorry, you need super user privileges to run this script." >> ${UNINSTALLLOG}
    exit 1
fi

# update the VPNManifest.dat; if no entries remain in the .dat file then
# this tool will delete the file - DO NOT blindly delete VPNManifest.dat by
# adding it to the FILELIST above - allow this tool to delete the file if needed
if [ -f "${BINDIR}/manifesttool" ]; then
    echo "${BINDIR}/manifesttool -x ${INSTPREFIX} ${INSTPREFIX}/${WEBSECMANIFEST}" >> ${UNINSTALLLOG}
    ${BINDIR}/manifesttool -x ${INSTPREFIX} ${INSTPREFIX}/${WEBSECMANIFEST}
fi

# check the existence of the manifest file - if it does not exist, remove the manifesttool
if [ ! -f ${ACMANIFESTDAT} ] && [ -f ${BINDIR}/manifesttool ]; then
    echo "Removing ${BINDIR}/manifesttool" >> ${UNINSTALLLOG}
    rm -f ${BINDIR}/manifesttool
fi

# move the plugins to a different folder to stop the websec agent and then remove
# these plugins once websec agent is stopped.
# (redirection order: ">/dev/null 2>&1" silences both streams; the original
# "2>&1 >/dev/null" only silenced stdout and left errors on the terminal)
echo "Moving plugins from ${PLUGINSDIR}" >> ${UNINSTALLLOG}
mv -f ${PLUGINSDIR}/libacwebsecapi.dylib ${INSTPREFIX} >/dev/null 2>&1
echo "mv -f ${PLUGINSDIR}/libacwebsecapi.dylib ${INSTPREFIX}" >> ${UNINSTALLLOG}
mv -f ${PLUGINSDIR}/libacwebsecctrl.dylib ${INSTPREFIX} >/dev/null 2>&1
echo "mv -f ${PLUGINSDIR}/libacwebsecctrl.dylib ${INSTPREFIX}" >> ${UNINSTALLLOG}

# wait for 2 seconds for the websecagent to exit
sleep 2

# ensure that the websec agent is not running
# (the grep pattern must be double-quoted so ${BINDIR} expands; inside single
# quotes it is matched literally and the agent is never found)
WEBSECPROC=`ps -A -o pid,command | grep "${BINDIR}/acwebsecagent" | egrep -v 'grep|websecurity_uninstall' | cut -c 1-5`
if [ ! "x${WEBSECPROC}" = "x" ] ; then
    echo Killing `ps -A -o pid,command -p ${WEBSECPROC} | grep ${WEBSECPROC} | egrep -v 'ps|grep'` >> ${UNINSTALLLOG}
    kill -TERM ${WEBSECPROC} >> ${UNINSTALLLOG} 2>&1
fi

# Remove only those files that we know we installed
INDEX=0
while [ $INDEX -lt ${#FILELIST[@]} ]; do
    echo "rm -rf ${FILELIST[${INDEX}]}" >> ${UNINSTALLLOG}
    rm -rf "${FILELIST[${INDEX}]}"
    let "INDEX = $INDEX + 1"
done

# Remove the plugins directory if it is empty
if [ -d ${PLUGINSDIR} ]; then
    if [ ! -z `find "${PLUGINSDIR}" -prune -empty` ] ; then
        echo "rm -df ${PLUGINSDIR}" >> ${UNINSTALLLOG}
        rm -df "${PLUGINSDIR}" >> ${UNINSTALLLOG} 2>&1
    fi
fi

# Remove the bin directory if it is empty
if [ -d ${BINDIR} ]; then
    if [ ! -z `find "${BINDIR}" -prune -empty` ] ; then
        echo "rm -df ${BINDIR}" >> ${UNINSTALLLOG}
        rm -df "${BINDIR}" >> ${UNINSTALLLOG} 2>&1
    fi
fi

# Remove the lib directory if it is empty
if [ -d ${LIBDIR} ]; then
    if [ ! -z `find "${LIBDIR}" -prune -empty` ] ; then
        echo "rm -df ${LIBDIR}" >> ${UNINSTALLLOG}
        rm -df "${LIBDIR}" >> ${UNINSTALLLOG} 2>&1
    fi
fi

# Remove the profiles directory
# During an upgrade, the profiles will be moved and restored by
# preupgrade and postupgrade scripts.

if [ -d ${PROFILESDIR} ]; then
    echo "rm -rf ${PROFILESDIR}" >> ${UNINSTALLLOG}
    rm -rf "${PROFILESDIR}" >> ${UNINSTALLLOG} 2>&1
fi

# remove installer receipt
pkgutil --forget ${ANYCONNECT_WEBSECURITY_PACKAGE_ID} >> ${UNINSTALLLOG} 2>&1

echo "Successfully removed Cisco AnyConnect Web Security Module from the system." >> ${UNINSTALLLOG}
echo "Successfully removed Cisco AnyConnect Web Security Module from the system."

exit 0

  • Valued Contributor
  • 156 replies
  • August 26, 2015

@nkalister

Had a question about the mpkg you use. My VPN team said they only have the dmg or an individual pkg. No mpkg. Is there a particular place you go to download it? I'm assuming from the ASDM, but I don't have access to it (they do).

Regards,
TJ


  • New Contributor
  • 6 replies
  • August 26, 2015

I used the Pacifist app (https://www.charlessoft.com) to extract the vpn module from the .mpkg

There is an Extract Subpackages option in the File menu.

Regards

CC


  • Contributor
  • 149 replies
  • August 26, 2015

Slightly off topic here, but I was trying to use the method in the answer to list the available options for Citrix Receiver 12.

installer -showChoiceChangesXML -pkg ~/Desktop/"Install Citrix Receiver.pkg"

Problem: When running this on 10.10.5 I got this error:

installer: Cannot install on volume (null) because it is disabled.

Solution: Add the target flag to the command above:

installer -showChoiceChangesXML -pkg ~/Desktop/"Install Citrix Receiver.pkg" -target /

It appears that some .pkg files need the target flag, while others will list the selection options without it. Hopefully this helps someone.


  • Valued Contributor
  • 156 replies
  • August 26, 2015

@colincorbin

I use something similar in terminal to create a folder of the pkg. It's called "pkgutil." You can use it to expand a .pkg.

However, for some reason the vpn_module.pkg won't allow me to open it. Do I have to do something with these modules?

--TJ


  • New Contributor
  • 6 replies
  • August 27, 2015

Hi TJ,

I didn't make any alteration to the vpn_module in the AnyConnect mpkg before extracting it as a pkg with Pacifist.

As Apple say, "it just worked"

Although Pacifist is shareware, you can trial it for free to see if it does what you need.

CC


  • Valued Contributor
  • 156 replies
  • August 27, 2015

For some reason, that worked perfectly.

I might request a license for this application. I appreciate your help, sir.

Thank you!

Regards,
TJ


  • Valued Contributor
  • 156 replies
  • August 27, 2015

I am still searching for a good way to extract the modules manually.

Does anyone have a way to do this via terminal?

Regards,
TJ


  • Contributor
  • 56 replies
  • August 27, 2015

This is what I'm running.

#!/bin/bash

# Run Cisco's own per-module uninstall scripts after a full install
sudo /opt/cisco/anyconnect/bin/websecurity_uninstall.sh
sudo /opt/cisco/anyconnect/bin/dart_uninstall.sh


  • Contributor
  • 25 replies
  • July 20, 2016

I wrote a script for AnyConnect 4.3 to just remove the plugins we don't want. We leave DART in place, as TAC typically wants DART logs for any weird issues. The client runs fine, with just removing the dylib plugin files.

Written for 4.3.00748

#!/bin/bash

# This script is a workaround for AnyConnect 4.x, due to Cisco not providing a mechanism to
# programmatically omit unwanted plugins. It is intended to run post-install

echo "Beginning removal of AnyConnect plugins"

# remove ISE plugin
echo "Removing ISE plugin"
rm -rf /opt/cisco/anyconnect/bin/plugins/libaciseapi.dylib
rm -rf /opt/cisco/anyconnect/bin/plugins/libaciseshim.dylib

# remove AMP plugin
echo "Removing AMP plugin"
rm -rf /opt/cisco/anyconnect/bin/plugins/libacampctrl.dylib
rm -rf /opt/cisco/anyconnect/bin/plugins/libacampshim.dylib

# remove Web Security plugin
echo "Removing Web Security plugin"
rm -rf /opt/cisco/anyconnect/bin/plugins/libacwebsecapi.dylib
rm -rf /opt/cisco/anyconnect/bin/plugins/libacwebsecctrl.dylib

# remove Network Visibility Monitor plugin
echo "Removing NVM plugin"
rm -rf /opt/cisco/anyconnect/bin/plugins/libacnvmctrl.dylib

echo "Finished removing AnyConnect plugins"

exit 0

  • New Contributor
  • 13 replies
  • June 17, 2018

@tthurman Try the below command in Terminal to expand the AnyConnect Package

pkgutil --expand ~/Documents/AnyConnect.pkg ~/Documents/AnyConnectVPN

I have saved the package file in Documents folder with the name of AnyConnect.pkg


  • Contributor
  • 993 replies
  • June 17, 2018

What version are you installing


  • New Contributor
  • 13 replies
  • June 18, 2018

Cisco AnyConnect 4.5


  • Contributor
  • 993 replies
  • June 19, 2018

It looks like with Cisco AnyConnect 4.5.03040 there are a bunch of other utilities that get installed

-- VPN === this is definitely needed but the ones below have the checkbox active for unchecking, but with the choicesXML file we can have them unselected during installation

-- web security
-- AMP Enabler
-- Diagnostics and Reporting Tool
-- Posture
-- ISE Posture
-- Network Visibility
-- Umbrella Roaming Security
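Putting nicktong's ChoiceChangesXML answer and the module list above together, here is an added example (not code from the thread, from Cisco, or from Apple): a bash script that generates the ChoiceChangesXML for any set of choice identifiers and first checks each identifier against the package's own "installer -showChoiceChangesXML" output. That check matters because installer silently ignores a choiceIdentifier the package does not define, so a typo leaves the module installed with no error. The function names, the identifier choice_amp and the sample -showChoiceChangesXML output embedded at the bottom are assumptions and constructed data; the thread only confirms choice_websecurity, choice_vpn, choice_dart and choice_posture, so take the real identifiers from -showChoiceChangesXML on the package you are deploying.

```shell
#!/bin/bash
# Added example (not from the thread or Cisco): build a ChoiceChangesXML that
# deselects the given choice identifiers, after confirming that each one is a
# choice the package actually defines.

# Print a ChoiceChangesXML document that sets "selected" = 0 for every
# identifier passed as an argument. Choices not mentioned keep the package
# defaults, so only the unwanted modules need an entry.
make_choice_changes() {
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>'
    printf '%s\n' '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
    printf '%s\n' '<plist version="1.0">' '<array>'
    for id in "$@"; do
        printf '  <dict>\n'
        printf '    <key>attributeSetting</key>\n    <integer>0</integer>\n'
        printf '    <key>choiceAttribute</key>\n    <string>selected</string>\n'
        printf '    <key>choiceIdentifier</key>\n    <string>%s</string>\n' "$id"
        printf '  </dict>\n'
    done
    printf '%s\n' '</array>' '</plist>'
}

# Read "installer -showChoiceChangesXML" output on stdin and print the
# distinct choiceIdentifier values, one per line (the <string> follows the
# <key> on the next line, so awk takes the line after each key).
list_choice_ids() {
    awk '/<key>choiceIdentifier<\/key>/ { getline; gsub(/.*<string>|<\/string>.*/, ""); print }' | sort -u
}

# Return 1 if any requested identifier is not one the package defines.
# $1 is a file holding the -showChoiceChangesXML output; the rest are ids.
check_known_choices() {
    local showfile="$1" known id rc=0
    shift
    known=$(list_choice_ids < "$showfile")
    for id in "$@"; do
        if ! printf '%s\n' "$known" | grep -qx -- "$id"; then
            echo "unknown choice identifier: $id (compare with -showChoiceChangesXML)" >&2
            rc=1
        fi
    done
    return "$rc"
}

# End to end: list the package's choices (with -target /, which a later post in
# the thread notes some packages need), validate, generate, install.
deploy_without_modules() {
    local pkg="$1" show choices rc
    shift
    show=$(mktemp) && choices=$(mktemp) || return 1
    installer -showChoiceChangesXML -pkg "$pkg" -target / > "$show" || { rm -f "$show" "$choices"; return 1; }
    check_known_choices "$show" "$@" || { rm -f "$show" "$choices"; return 1; }
    make_choice_changes "$@" > "$choices"
    sudo installer -pkg "$pkg" -target / -applyChoiceChangesXML "$choices"
    rc=$?
    rm -f "$show" "$choices"
    return "$rc"
}

# Constructed sample of -showChoiceChangesXML output (shape only, not captured
# from a real AnyConnect package), used for the self-check in the test.
SAMPLE_SHOW_OUTPUT='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
	<dict>
		<key>attributeSetting</key>
		<true/>
		<key>choiceAttribute</key>
		<string>selected</string>
		<key>choiceIdentifier</key>
		<string>choice_vpn</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<true/>
		<key>choiceAttribute</key>
		<string>selected</string>
		<key>choiceIdentifier</key>
		<string>choice_websecurity</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<true/>
		<key>choiceAttribute</key>
		<string>selected</string>
		<key>choiceIdentifier</key>
		<string>choice_dart</string>
	</dict>
</array>
</plist>'

# Only run the real deployment when invoked with arguments:
#   ./deploy.sh AnyConnect.pkg choice_websecurity choice_amp
if [ "$#" -gt 0 ]; then
    deploy_without_modules "$@"
fi
```

Invoked as "./deploy.sh AnyConnect.pkg choice_websecurity choice_amp", the script writes the generated plist to a temporary file, refuses to continue if an identifier is not in the package's choice list, and then runs the same installer -applyChoiceChangesXML command nicktong gives. It generalizes the answer to any number of modules, which is what the 4.5 list above calls for.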


  • Valued Contributor
  • 156 replies
  • July 20, 2018

@nmangal

I totally wrote a script a long time ago that rips the AnyConnect PKG apart and puts each module back together in their own PKG.

Anyone need that?

#!/bin/bash

# This allows for a file input.
AnyConnectLoc="$1"

if [[ -z "$AnyConnectLoc" ]]; then
    echo "No Input File Given."
    exit 1
fi

# Get Version from Second Argument.
ModuleVersion="$2"

if [[ -z "$ModuleVersion" ]]; then
    echo "No Version Provided."
    exit 1
fi

# Where the AnyConnect Full Pkg gets expanded to.
OutputDir=~/Desktop/AnyConnect

if [[ -e "$OutputDir" ]]; then
    echo "Output Directory already exists. Please delete $OutputDir first."
    exit 1
else
    sudo pkgutil --expand "$AnyConnectLoc" "$OutputDir"

    sudo mkdir "$OutputDir/Expanded/"
    sudo mkdir "$OutputDir/Finished/"
fi

# Get all Modules from the expanded directory (a glob instead of parsing ls,
# so names with spaces survive).
AllModules=("$OutputDir"/*.pkg)

for pkgPath in "${AllModules[@]}"; do
    pkg=$(basename "$pkgPath")
    echo "$pkgPath"
    cp -R "$pkgPath" "$OutputDir/Expanded/"

    # e.g. vpn_module.pkg -> vpn
    pkgName=$(echo "$pkg" | awk -F'_' '{print $1}')
    pkgExt=".pkg"

    pkgNameFull="AnyConnect_$pkgName-$ModuleVersion$pkgExt"

    echo "$pkgNameFull"

    sudo pkgutil --flatten "$OutputDir/Expanded/$pkg" "$OutputDir/Finished/$pkgNameFull"
done


Honestly, I just install the entire pkg and then selectively uninstall what I don't want to keep... seemed easier at the time.

#!/bin/sh
# Uninstall Web Security Module
/opt/cisco/anyconnect/bin/websecurity_uninstall.sh
#
# Uninstall Network Visibility Module
/opt/cisco/anyconnect/bin/nvm_uninstall.sh
#
# Uninstall ISE Posture Module
/opt/cisco/anyconnect/bin/iseposture_uninstall.sh
#
# Uninstall AMP Module
/opt/cisco/anyconnect/bin/amp_uninstall.sh
#
# Restart the Cisco client if it was open so the removed modules are unloaded.
# ($null is not a shell variable and "Kill" is not a command; test for an empty
# string and use lowercase kill instead. pgrep may return several PIDs.)
Cisco=$(pgrep -f "Cisco AnyConnect Secure Mobility Client")
if [ -z "$Cisco" ]; then
    open "/Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app" &
else
    kill $Cisco
    sleep 3
    open "/Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app" &
fi

  • New Contributor
  • 28 replies
  • October 30, 2018

@tthurman Thank you for the script. I have been fighting with this for a week now. Your script works like a champ!!


  • Contributor
  • 25 replies
  • December 20, 2018

@tthurman Tried the script but I get the usual "the operation couldn't be completed. (com.apple.installer.pagecontroller error -1.). Working with v4.6 of AnyConnect.

