Deployment for Cisco Secure Client XDR (Working Script)

rtarson
New Contributor III

I saw a couple of articles online on installing Cisco Secure Client via Jamf. However, they were mostly for VPN and Umbrella, and when taking the DMG from XDR into Composer it proved to be less than helpful. No matter what, it did not like to be manipulated. I have created a deployment script using the full installer DMG for anyone who runs into this and is also using Cisco XDR. I am open to suggestions on the script, but this got the job done and cleanly. Make sure you set up a configuration profile for background processes.

The first thing is to go into Cisco XDR and download both full installers for AMD and ARM. Then upload the DMG files into Jamf.


Next, create the script using this bash script. It uses the Jamf Waiting Room cached applications.

#!/bin/bash
# Author: Ryan Tarson
# Cisco Secure Client DMG Installer Script for Jamf (Flexible for Both Architectures)
#
# This script installs Cisco Secure Client for macOS using a pre-deploy DMG that 
# contains a single package:
#   com.cisco.secureclient.cloudmanagement_bootstrap-signed.pkg
#
# Parameters:
#   $4 = Example DMG file name for Intel (e.g., "csc-deploy-full-XDR Default Deployment for macOS - amd64.dmg")
#   $5 = Example DMG file name for Apple Silicon (e.g., "csc-deploy-full-XDR Default Deployment for macOS - arm64.dmg")
#   $6 = Mounted DMG volume name (e.g., "UniefiedConnector")
#

### Variables ###
arch=$(uname -m)
if [ "$arch" = "arm64" ]; then
    dmgName="$5"
else
    dmgName="$4"
fi
mountVolume="$6"
waitingRoomDMG="/Library/Application Support/JAMF/Waiting Room/$dmgName"

### Logging Function ###
log() {
    jamf log "$1"
}

log "Starting Cisco Secure Client installation from DMG."
log "Detected architecture: $arch"
log "Using DMG: $waitingRoomDMG"
log "Expected mounted volume: $mountVolume"

### Mount the DMG ###
log "Mounting DMG: $waitingRoomDMG"
hdiutil attach "$waitingRoomDMG" -nobrowse
sleep 5

### Verify mount ###
if [ ! -d "/Volumes/$mountVolume" ]; then
    log "Mount failed: /Volumes/$mountVolume not found."
    exit 1
fi

### Locate the package ###
pkgPath="/Volumes/$mountVolume/com.cisco.secureclient.cloudmanagement_bootstrap-signed.pkg"
if [ ! -f "$pkgPath" ]; then
    log "Package not found at expected path: $pkgPath"
    hdiutil detach "/Volumes/$mountVolume" -quiet
    exit 1
fi
log "Found package: $pkgPath"

### Install the package ###
log "Installing package..."
installer -pkg "$pkgPath" -target /
installStatus=$?
if [ $installStatus -eq 0 ]; then
    log "Installation succeeded."
else
    log "Installation failed with exit code $installStatus."
    hdiutil detach "/Volumes/$mountVolume" -quiet
    exit $installStatus
fi

### Unmount the DMG ###
log "Unmounting DMG..."
hdiutil detach "/Volumes/$mountVolume" -quiet
sleep 5

### Clean up the DMG file from the Waiting Room ###
rm "$waitingRoomDMG"
log "Removed DMG file from Waiting Room."

log "Cisco Secure Client installation completed successfully."
exit 0

Create a policy for the Cisco XDR installer, add the 2 DMGs to the packages, and set them to cache.

Then add the script to the policy and enter the information matching the DMG file name and the name of the mount.
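The script above runs `installer` as root on whatever package sits inside the mounted DMG. As an added example (not part of the original post), the check below could run just before the install step to confirm the package carries a Developer ID signature from the expected team. The function names, the `$7` parameter, the Team ID, and the sample `pkgutil` output are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example: refuse to install unless the package is signed by the expected team.
# Assumes the usual `pkgutil --check-signature` layout, where the leaf certificate
# is listed as "1. Developer ID Installer: <name> (<10-character Team ID>)".

# Constructed sample of pkgutil output (placeholder signer and Team ID).
SAMPLE_OUTPUT='Package "example.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Certificate Chain:
    1. Developer ID Installer: Example Corp (ABCDE12345)
    2. Developer ID Certification Authority
    3. Apple Root CA'

# Print the Team ID of the leaf signing certificate, or nothing if absent.
signer_team_id() {
    printf '%s\n' "$1" |
        sed -n 's/^ *1\. Developer ID Installer: .*(\([A-Z0-9]\{10\}\))[[:space:]]*$/\1/p' |
        head -n 1
}

# Return 0 only for a Developer ID signature whose Team ID matches $2.
signature_ok() {
    sig_output="$1"
    sig_expected="$2"
    # An empty expected ID must never match an unsigned package.
    [ -n "$sig_expected" ] || return 1
    printf '%s\n' "$sig_output" |
        grep -q 'Status: signed by a developer certificate issued by Apple for distribution' ||
        return 1
    [ "$(signer_team_id "$sig_output")" = "$sig_expected" ]
}

# Run pkgutil against a real package and apply the check above.
verify_pkg() {
    pkg_output=$(pkgutil --check-signature "$1" 2>&1) || return 1
    signature_ok "$pkg_output" "$2"
}

# Hypothetical use in the deployment script, with the Team ID passed as $7:
#   if ! verify_pkg "$pkgPath" "$7"; then
#       log "Signature check failed for $pkgPath"
#       hdiutil detach "/Volumes/$mountVolume" -quiet
#       exit 1
#   fi
```

Take the expected Team ID from a package you have verified yourself, for example by running `pkgutil --check-signature` on a copy downloaded directly from your XDR console.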

3 REPLIES 3

DMH2000
Contributor

Good article @rtarson! We are just now testing XDR; it seems to make things more simple. We noticed you can't just pull the package from the DMG and run it or use it as is. If you open the package in Composer, you won't see any install files, just scripts. I guess the DMG holds all the information.

My question is: why not just use the AMD version and let Rosetta control it? We have Rosetta installed on all ARM machines. I followed this GitHub article RTOUTON_Rosetta_Script. I built this script when we got our first M1 MacBooks around 2021.

rtarson
New Contributor III

I would go in that direction, but we are a K-12 and we only have Macs for certain subjects. So with only around 100 Mac devices, we just got budget passed to replace all of them with brand-new Apple Silicon chipsets. So in reality we won't really need to support AMD; since the applications we use and all the Intel-based Macs are gone, we just don't need to support legacy.

@rtarson  After looking at how Cisco packaged the DMG, I went with your script and instructions.  This was easy to set up.  Your post was very timely for me, as we are now in the testing phase and have both amd & arm machines, so they get the correct app for the architecture.  I wanted to give a shout out to you!