
Leo_JAMF_PRO
New Contributor III

How to configure Cisco anyconnect-macos-4.10.04071-predeploy-k9 for deployment with AMP and other modules (umbrella, DART, etc)

 

To deploy Cisco AnyConnect and its modules, such as Umbrella, DART & AMP, know the following.

  1. All you need to do is deploy the latest anyconnect pkg, but you need to have it with a script that does something like this:

 

 

#!/bin/bash
/usr/sbin/installer -pkg /private/tmp/anyconnect-macos-4.10.04071-predeploy-k9.pkg -target / -applyChoiceChangesXML /private/tmp/choicesForAnyConnect.xml

 

 

2. Put that script (you might need to edit it a bit once you update the version numbers, etc.) in Composer like this, same file structure, etc.: private/tmp/(put your AnyConnect installer here + choicesForAnyConnect.xml file). For your sources, make sure to put in Scripts a postinstall script like the one mentioned in step one (Jamf Nation doesn't seem to let me upload images/screenshots).

 

 


Leo_JAMF_PRO
New Contributor III


3. Step 2 creates the AnyConnect installer. The choicesForAnyConnect.xml lets AnyConnect know what modules to go out and download. Make sure you have permissions set to 755 and owner: root, group: wheel, while you have the private folder highlighted. Then export as a .pkg and add it to the deployment in Jamf.


4. Lastly, once AnyConnect sees in choicesForAnyConnect.xml that it wants specific modules (indicated in that file with a 1 or 0), it then looks for the config (xml) file for each module in a very particular location.

Look here for the location to deploy all the xml files for each module; that xml file has the cloud URL to download the module, so it downloads the latest: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/gu...

If it fails to install any particular module other than AnyConnect, then perhaps that module's xml file is outdated, or not in the exact correct directory. I just used Composer to drop those xmls in the correct directory; do not change the names of the xml files. So in the end the Jamf deployment is a bunch of pkgs that drop xmls in specific locations, and the AnyConnect pkg with the script and its own config file that decides which modules to download and install.
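
An added example, not part of the original posts and not Cisco's or Jamf's own tooling: a script that writes choicesForAnyConnect.xml in the choice-changes plist format that `installer -applyChoiceChangesXML` reads, one entry per module set to 1 or 0, and checks the package signature before installing from the world-writable /private/tmp. Only `choice_vpn` appears in this thread; `example_module` is a constructed placeholder, and the function and script names are hypothetical.

```shell
#!/bin/bash
# Added example (not from the thread). Function names are hypothetical.
# List a package's real choice identifiers on macOS with:
#   installer -showChoiceChangesXML -pkg PKG -target /

# write_choices OUTFILE id=1|0 [id=1|0 ...]
write_choices() {
    local out="$1" tmp pair id val
    shift
    tmp="$(mktemp "${out}.XXXXXX")" || return 1
    {
        printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>'
        printf '%s\n' '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
        printf '%s\n' '<plist version="1.0">' '<array>'
        for pair in "$@"; do
            id="${pair%%=*}"
            val="${pair#*=}"
            # Accept only a plain identifier and a 0/1 flag, so nothing
            # can inject extra XML into a file that root will consume.
            case "$id" in ''|*[!A-Za-z0-9_]*) rm -f "$tmp"; return 2 ;; esac
            case "$val" in 0|1) ;; *) rm -f "$tmp"; return 2 ;; esac
            printf '  <dict>\n'
            printf '    <key>attributeSetting</key><integer>%s</integer>\n' "$val"
            printf '    <key>choiceAttribute</key><string>selected</string>\n'
            printf '    <key>choiceIdentifier</key><string>%s</string>\n' "$id"
            printf '  </dict>\n'
        done
        printf '%s\n' '</array>' '</plist>'
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write to a temp file first, then rename, so a partial file is never read.
    chmod 644 "$tmp" && mv "$tmp" "$out"
}

# install_with_choices PKG CHOICES_XML   (macOS, run as root)
install_with_choices() {
    # Do not install unless pkgutil accepts the package signature.
    /usr/sbin/pkgutil --check-signature "$1" >/dev/null || return 3
    /usr/sbin/installer -pkg "$1" -target / -applyChoiceChangesXML "$2"
}

# Run directly: ./make_choices.sh OUT.xml choice_vpn=1 example_module=0
if [ "$#" -ge 2 ]; then write_choices "$@"; fi
```

Choices that are not listed in the file keep the package's default selection, so list every module you want excluded with 0.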

Leo_JAMF_PRO
New Contributor III

For some reason it would not let me upload screenshots in the initial post, so I did them as replies.

ha32zel
New Contributor II

I've been trying to follow your instructions here for the past 2 hrs..... but getting lost a bit. Newbie to Jamf.

Dohadwalat
New Contributor II

The steps mentioned by Leo are correct. If, like me, you need some more guidance, visit https://hcsonline.com/images/PDFs/Deploying_Cisco_AnyConnect.pdf

It is an excellent resource.

 

tlarue64
New Contributor II

Try the following:

Expand the AnyConnect.pkg

"pkgutil --expand AnyConnect.pkg ~/tmp/AnyConnectVPN"

This will create a directory. From terminal, vi the Distribution file in the AnyConnectVPN directory and look for these types of entries (there should be 2 lines for each package):

<choices-outline> 

<line choice="choice_vpn"/>

Leave the packages that you want to install, delete the packages you don't want.

Save the Distribution file.

From terminal, back up a directory and then flatten the package.

"pkgutil --flatten ~/tmp/AnyConnectVPN ~/tmp/anyconnect-macos-4.10.version-predeploy-k9.pkg"

The package name MUST match the original Cisco distribution name or the license and key file check will fail.