Installing Cisco AnyConnect 4.5 Issues

k84
New Contributor III

Hi, I'm using Composer to install the new VPN client, I go through the motions untick everything apart from VPN and then finish the installation and it launches with no issues, after I closed it and re-opened it on 4 different occassions.
We deployed VPN certificates which we tested and are working fine, on older versions and the 4.5 on the test machine.

So now the package is in Casper Admin, created a policy for it to be installed as a
Self Service method, it successfully installs the pkg but when launching the applications I keep getting different errors on various test machines.

Any ideas on this?

Thanks

3d83ddd1a5a0461ea067d2bf58dece5b

e3dfa7c2ffb7460b81bec2cf11505dfa

fafe34f3c5bc4d2db86a5a1da3c57194

19 REPLIES 19

mm2270
Legendary Contributor II

You shouldn't need to do a Composer capture for AnyConnect. It's likely messing up the deployment using it like that. See if you can get access to the full pkg installer. Ask whoever manages your VPN stuff or has access to Cisco AC installers to get you the Mac installer for core VPN.
This file name below is for the previous 4.4.x version, but the 4.5 one should be similar in nature. This installs just the core VPN components. This is what I'm using, along with the DART webdeploy installer.

anyconnect-macos-4.4.02039-core-vpn-webdeploy-k9.pkg

Hope that helps.

MikeF
Contributor II

installing any connect is pretty easy with the supplied pkg file. If you don't want all the components you just need to modify the distribution file.

I found this which was posted by cosmo-slug
I was having a related problem getting Cisco AnyConnect VPN to install with just the VPN module and nothing else. I ended up using pkgutil to expand the package

Pkgutil --expand AnyConnect.pkg ~/Documents/AnyConnectVPN

then I opened the Distribution file inside of the expanded package and deleted the line choices for what I did not want installed

After saving the Distribution file, I flattened the package.
pkgutil --flatten ~/Documents/AnyConnectVPN ~/Desktop/CiscoVPN.pkg

This has worked for me on the last 2 versions. We are up to 4.6 now.

marklamont
Contributor III

@k84 excellent article here on using choices.xml based on anyconnect. works well as it's what I based my package on.
you can then bundle the installer and choices.xml in a package, using composer if you want, and install with a postinstall script in this package.

k84
New Contributor III

Hi Guys

@MikeF just tried to expand the package which is newly provided pkg by the networks team but I am having no such luck.

I have renamed the pkg and tried to expand that way but no luck and using the existing name it came with.
Have I done something wrong?

0063dc9383ca4e43886675a59f36d53b

MikeF
Contributor II

I just went back and tried this again and it worked properly for me.

pkgutil --expand /Volumes/AnyConnect 4.5.05030/AnyConnect.pkg ~/Documents/AnyConnectVPN

MichaelH
New Contributor III

We run the Anyconnect straight from the DMG and apply a choices xml to the install then copy across the profile file separately

cd /Users/Shared/CiscoAnyConnect_V1
hdiutil attach anyconnect-macosx-i386-4.3.02039-k9.dmg
cd "/Volumes/AnyConnect 4.3.02039/"
sudo installer -applyChoiceChangesXML /Users/Shared/CiscoAnyConnect_V1/Choices.xml -allowUntrusted -verboseR -dumplog -pkg AnyConnect.pkg -target /
hdiutil detach "/Volumes/AnyConnect 4.3.02039/" -force
sudo rsync -av /Users/Shared/CiscoAnyConnect_V1/applemac_profile.xml /opt/cisco/anyconnect/profile/

k84
New Contributor III

It appears the pkg that I got was corrupt as I got an ex colleague to test in his environment and got the same issue as me. So I managed to get v4.4.0.04030 and worked perfectly when running the pkgutil commands.

So I followed all steps as advised. for some odd reason I am still getting the issue below. To be on the safe side I copied a working XML server config from /opt/anyconnect/profile, created that into a PKG, so now my policy runs the anyconnect pkg and then the XML server config but I am still getting that message.

Any ideas where I could have gone worng

e96b322b7ceb430b90e0c578efeab64d

MikeF
Contributor II

All we did was delete out the lines in the distribution and it installed properly. We do put a profile.xml file on but that is just to configure where it will make the connection to. If we don't put this on the user has to enter this the first time he connect. And then it just is downloaded from the concentrator. And this is in a separate package we make with composer. To just put the xml file in the correct folder.

jameson
Contributor II

Anyone has some input how to skip these "OS X want to makes changes" to keychain. I have to enter password 3 times, before I get rid of this popup
Also when installing in software I must approve the software vendor in security settings, before installation will finish

ooshnoo
Valued Contributor

For the former, look into setting up certificate matching on your Cisco ASA and use an xml profile with your client with the corresponding settings.

For the latter...easy...use a config profile populated with approved kernel extensions.

jameson
Contributor II

@ooshnoo Thanks for the info - kernel extension was easy 🙂
But about the XML stuff, I have tried to search in the discussions but struggle to find something on steps that is needed and what needs to be done, so users don´t get all these keychain prompts

JustCallMeAJ
New Contributor III

The only way we've managed to get rid of the keychain prompt is to add AnyConnect to the access control of the system keychain. But this is a manual process on each machine. Some machines it wasn't necessary as after the first time they launched any connect and entered their passwords it never happened again (but most it does).
If anyone can come up with a more automatic way then I'll be happy to try it.

DFree
New Contributor III

-deleted-

bsuggett
Contributor II

I highly suggest using this little puppy... Makes life so much easier!

installPKGfromDMG with extra parameters for supplying an xml answer file within your DMG container

Create your xml file, add it into your DMG next to your PKG... Supply parameters

dmgName="" # Required eg anyconnect.dmg
forcesuccessflag="" # Optional
useinstallerapp="" # Optional eg YES
allowUntrusted="" # Optional
applyChoiceChangesXMLFile="" # Optional eg myfileinsidethedmg.xml

Supplying parameter 5/forcesuccessflag with "YES" without quotes and case sensitive allows PKG exit code to be bypassed and returns a forced exit code of 0 to the JSS (if needed).

Supplying parameter 6/useinstallerapp with "YES" without quotes and case sensitive forces the use of macOS native installer binary to install the PKG.

Supplying parameter 7/allowUntrusted with "YES" without quotes and case sensitive allows to bypass an invalid or expired certificate embedded within the PKG.

Supplying parameter 8/applyChoiceChangesXMLFile with an XML filename allows the PKG to be supplied an xml answerfile. The xml file MUST be beside the PKG wrapped in your DMG.

Please take careful note, that parameters 7 (allowUntrusted) and 8 (applyChoiceChangesXMLFile) are dependent on parameter 6 (useinstallerapp) being YES. I've also added mpkg if no pkg is found within the DMG. Additionally all parameters will be parsed in the logs so one can see if, when, and where something went wrong.

KSchroeder
Contributor

For the keychain prompts, these come up because AnyConnect by default looks at the system keychain for certs to authenticate to the VPN. There is an option your VPN admin can set to tell it (as part of the profile in /opt) to only use/evaluate the user keychain (assuming you're using user-based X.509 certs). You can also just click Deny x3 on that prompt versus authenticating, since it isn't going to find what it wants there anyway (assuming user certs anyway).

jameson
Contributor II

After some changes in the Profile on the Cisco ASA I got rid of many of the prompts, as it now only looks in the login keychain for user certififcate, where it before locked through everything
However, one prompt I cannot get rid of and don´t know exactly where it comes from

The prompt say Cisco Anyconnet secure mobility clientwant to access key "configuration profiles" in your keychain.

Is it possible to get rid of this? If I look in the keychain I cannot even find something called configuration profiles key, but somehow it must be there. Anyone has some knowledge?

jameson
Contributor II

Are someone able to help on this "configuration profiles" in your keychain ? - I cannot find the reason if is is anyconnect profile issue or it is a fix that must be done on a client

joscline
New Contributor II

In the certificate payload check "enable access to all applications". That will allow 3rd party apps to utilize the certificate without user prompts.

bjhobbs
New Contributor II

How are you guys getting past the whole Cisco Apple security message that you have to allow the app to install from the security and privacy screen?