Installing Components of Cisco AnyConnect 4.7

landon_Starr
Contributor

Hi all,

I've seen various threads on this, some dating back to years ago, and I was hoping to get some concrete suggestions on the most efficient way to go about this.

We're wanting to deploy only the VPN, Umbrella, and AMP portions of AnyConnect, along with their respective config files from our organization. I've seen seen mention of using the Packages app, as well as Pacifist, but going that route leads to the com.apple.installer issue. I've tried a myriad of different things, but I can't seem to get it setup without issue.

Any insight is greatly appreciated!

28 REPLIES 28

stevewood
Honored Contributor II

@landon_Starr using a Choices.xml file is your best bet. You can check out this blog post:

Using installer choices.xml to modify AnyConnect and McAfee deployments

That's what we do. I package the AnyConnect installer direct from Cisco, along with the Choices.xml file and a postinstall script. I drop the PKG file and the XML into /tmp and then the postinstall script installs them:

#!/bin/bash

anyChoice="All-AnyConnectChoices.xml"
anyInstall="AnyConnect_4.7.00136.pkg"

/usr/sbin/installer -applyChoiceChangesXML /tmp/${anyChoice} -pkg /tmp/${anyInstall} -target /

exit 0

Could take it a step further and instead of a postinstall use a script in a policy set to After with Parameter 4 and 5 set to the name of the package and the XML file. That would make it more universal (the script that is) so that it could be used for other apps like Office or anything else you only want pieces from.

Hope that makes sense.

primalcurve
New Contributor III

For some reason, the idea of distributing a package that includes features I will never use bothers me.

I used to crack open the flat metapackage with pkgutil, remove the superfluous packages, and then modify the Distribution file to only point to the remaining packages, but I got tired of doing that every time so I wrote a python script that breaks it down and does all the work for me.

Unfortunately it relies on some of my custom libraries so I can't just copy/paste it here for you to use. I can maybe modify it to include the missing functions.

landon_Starr
Contributor

Hey @stevewood ,

Thanks for your help! That's the first time I've come across the page you shared, and it definitely helpful.

Though it still looks like I'm missing something. I threw the AnyConnect.pkg file, along with the XML file under /tmp. I modified the XML so that it should only install the VPN and Umbrella portions of the application:
a0702e23276c4d189756203c11d2eabe

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <array> <dict> <key>attributeSetting</key> <integer>1</integer> <key>choiceAttribute</key> <string>selected</string> <key>choiceIdentifier</key> <string>choice_vpn</string> </dict> <dict> <key>attributeSetting</key> <integer>0</integer> <key>choiceAttribute</key> <string>selected</string> <key>choiceIdentifier</key> <string>choice_websecurity</string> </dict> <dict> <key>attributeSetting</key> <integer>0</integer> <key>choiceAttribute</key> <string>selected</string> <key>choiceIdentifier</key> <string>choice_fireamp</string> </dict> <dict> <key>attributeSetting</key> <integer>0</integer> <key>choiceAttribute</key> <string>selected</string> <key>choiceIdentifier</key> <string>choice_dart</string> </dict> <dict> <key>attributeSetting</key> <integer>0</integer> <key>choiceAttribute</key> <string>selected</string> <key>choiceIdentifier</key> <string>choice_posture</string> </dict> <dict> <key>attributeSetting</key> <integer>0</integer> <key>choiceAttribute</key> <string>selected</string> <key>choiceIdentifier</key> <string>choice_iseposture</string> </dict> <dict> <key>attributeSetting</key> <integer>0</integer> <key>choiceAttribute</key> <string>selected</string> <key>choiceIdentifier</key> <string>choice_nvm</string> </dict> <dict> <key>attributeSetting</key> <integer>1</integer> <key>choiceAttribute</key> <string>selected</string> <key>choiceIdentifier</key> <string>choice_umbrella</string> </dict> </array> </plist>

And then copied over the little post install: (changing the variables, of course)

#!/bin/bash anyChoice="AnyConnectChoices.xml" anyInstall="AnyConnect.pkg" /usr/sbin/installer -applyChoiceChangesXML /tmp/${anyChoice} -pkg /tmp/${anyInstall} -target / exit 0

Upon testing the install, every component was installed. Am I a big dummy and miss something super simple?

rob_c28
New Contributor

I got the install to work by creating the choice.xml

What i do get now is the user is prompted to open the security Pref Pane and allow the app extension. Anyone know a way to automate that process so that it is a completely silent install?

marklamont
Contributor III

I presume you are talking about the kernel extension warning. you need to create a profile for it and ensure it deploys to the devices. This will be useful . Like this example for McAfee.eba89b74c77c4f19a6789c722cfe1cd7

Stubakka
Contributor II

Hi all, I am currently seeking how to customize the Cisco installer for Mac also so I can auto install it upon enrollment on my MacBook pros, that being said Its new to me and im struggling to understand some of it. Also a road block im hitting is, understanding how to have the user Cert from the Entradus- CA either pulled down or on the Mac and not stored in login keychain. Basically currently Pre MDM, my predecessors manually installed the user cert VPN wants to verify, I have yet to understand how to pull this cert down etc with JAMF.

derek_ritchison
Contributor

Hey all- I hate to resurrect a year-old thread but I've been following the advice here and I am so close to packing the VPN-only module for my Self Service. If I run the following command locally AnyConnect installs exactly how I want it to:

sudo installer -applyChoiceChangesXML /Users/me/Desktop/choices.xml -pkg /Users/me/Desktop/AnyConnect.pkg -target /

But if I package everything and run the Self Service policy I get the following error when trying to download the XML:

Installing choices.xml...
Installation failed. The installer reported: installer: Error - the package path specified was invalid: '/Library/Application Support/JAMF/Downloads/choices.xml.pkg'.

Any idea what I'm doing wrong here? The AnyConnect.pkg installs fine, as does my XML which adds custom addresses to the VPN moduel... but not the choices.xml.

bradtchapman
Valued Contributor

O, bearers of truth!
O, wreckers of dreams!
Come forth and exclaim
that all our great schemes
and policies drafted
shall all be for naught;
that packages crafted
shall wither and rot
when dread Catalina
enforces new rules
and notarization
makes all of us fools.

derek_ritchison
Contributor

Does this mean... none of the above actually does the trick on 10.15?

MikeF
Contributor II

I am packaging AnyConnect 4.8 for Catalina. This is the first version that will actually work correctly with 10.15. I am not doing any thing different than with previous versions.

Expand the anyconnect.pkg so you can modify the dist file

Pkgutil --expand AnyConnect.pkg ~/Documents/AnyConnectVPN

then I opened the Distribution file inside of the expanded package

This is what I wanted to install
<choices-outline> <line choice="choice_vpn"/>

<line choice="choice_dart"/>

<line choice="choice_posture"/>

</choices-outline>

Save the list file

Flatten the pkg and then you can install.

pkgutil --flatten ~/Documents/AnyConnectVPN ~/Desktop/AnyConnect.pkg

This works for us.

derek_ritchison
Contributor

Dude. That is the answer. That is ALL we have to do. I don't understand why the XML with the post-install script is necessary in this case. ??? I removed all the modules I do not want installed (basically everything except VPN) and re-flattened the PKG. Uploaded, updated my policy, and bam. Thank you.

mhasman
Valued Contributor

I am testing 4.8, and solution which @MikeF mentions - it works for me as well

MikeF
Contributor II

I just repackaged 4.8.02042. All went fine the way I described.

mvetrone
New Contributor

This worked wonderfully! I have another question about this though. Is it possible to supply the server address, so that it automatically populates in the client, in the Distribution list or would that be under a .plist?

MikeF
Contributor II

I know there is a way with the profiles on the install to do it but we are doing it a little differently. We end up with a xml file in this folder
/opt/cisco/anyconnect/profile/????.xml

After we set up a machine we package this file in composer and have it installed along with the AnyConnect package. We install AnyConnect and then drop in the profile xml file and the next time that anyconnect opens it reads that file and has all the server addresses. We have multiple access points worldwide and this works for that.

All you should have to do is make that first connection and then the xml file should be created for you. Just use that for the rest of the systems.

walt
Contributor III

sorry, it looks like I had to initially cd to the correct directory (thought I tried it at first) and then was able to fix my error. Great tip none the less, thank you!

~~just came across @MikeF's method, however no matter what I try terminal outputs the error:

Could not open package for expansion: AnyConnect.pkg

I have it in the directory ~/Desktop/anyconnect
pkgutil --expand AnyConnect.pkg ~/Desktop/anyconnect
Could not open package for expansion: AnyConnect.pkg

any suggestions? this happens on v4.7.x and 4.8.x of anyconnect on 10.15.4~~

donmontalvo
Esteemed Contributor II

@walt not sure if the syntax is causing the error, but don't you need to state package name of source and target?

pkgutil --expand ~/Desktop/anyconnect/AnyConnect.pkg ~/Desktop/anyconnect/AnyConnect-expanded.pkg

Found out on Friday that 4.7 has a broken KEXT Team Identifier, fixed in 4.8. To see for yourself, run:

codesign -dr - /Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app

If you have 4.7 installed, you'll get a long string; if you have 4.8 installed you'll get the Team Identifier.

--
https://donmontalvo.com

Rohitds14
New Contributor III

Hi JamfNation,

Does Cisco anyconnect 4.8 Fix the Kernel extension pop ups in catalina?
or need to create a separate PPPC/Config for that

iJake
Valued Contributor

There is nothing for Cisco to fix. You need to deliver proper PPPC and Approved Kernel Extensions for AnyConnect and any other software that might use those controlled frameworks.

jameson
Contributor II

I try to deploy anyconnect-macos-4.9.04043. I do like below (copied from this post earlier) - but cisco is not installed after the package has run. Anyone had luck with this ?

*Expand the anyconnect.pkg so you can modify the dist file

Pkgutil --expand AnyConnect.pkg ~/Documents/AnyConnectVPN

then I opened the Distribution file inside of the expanded package

This is what I wanted to install
<choices-outline> <line choice="choice_vpn"/>

<line choice="choice_dart"/>

<line choice="choice_posture"/>

</choices-outline>

Save the list file

Flatten the pkg and then you can install.

pkgutil --flatten ~/Documents/AnyConnectVPN ~/Desktop/AnyConnect.pkg*

mhasman
Valued Contributor

@jameson It works for me. I repackaged AnyConnect ver. 4.9.04043 this way with only VPN and DART modules

jameson
Contributor II

can you try and paste what you have in distrubtion file ? - something I must be missing, as this should be stright out of the box working. But the package install for me, but cisco is not installed - really strange behavior. So somehow seems to be an empty package I install

MikeF
Contributor II

This is what I have for 4.9.03047

I am showing the only part of the distribution file i changed

choices-outline> <line choice="choice_vpn"/> <line choice="choice_websecurity"/> <line choice="choice_dart"/> <line choice="choice_posture"/> <line choice="choice_umbrella"/> </choices-outline>

These are the option i install if you do not want some of it just delete the lines you don't want.

I did not modify any thing else.

Just make sure to save the file and then flatten the package.

I will be making this up for the new release but not until after Thanksgiving.

jameson
Contributor II

OK - found the magic

So new week new try. Did reset my test machine, did redo all the pkgutil - created a new policy - and BAM - cisco showed up

Really strange for me as I did the exact last week. So removed cisco in application and imported the package in the originally policy. And then it was gone again! - it was installing without any error, but cisco folder did not show up in applications

I removed all settings in the originally policy and the package did not show up - and even the test policy did also not work anymore.

So my guess was that something must be stuck from the first install that worked. So found the magic command here
sudo pkgutil --forget com.cisco.pkg.anyconnect.vpn

This must be run if want to re-do installation. That was close to 1 day I spent on this silly issue, so nothing was wrong with my package, just that command must be run

dpratl
Contributor II

As information (and maybe as reminder for me when I face the same problem again)
I first did as described above:

mounted the anyconnect-macos-4.9.06037-predeploy-k9.dmg and copied the AnyConnect.pkg to my Desktop
Then I expanded it with the command:

pkgutil --expand AnyConnect.pkg  pkg_dev/expand/AnyConnect

Now I deleted all pkgs inside I don't need (we only need the VPN installer) and edited the Distribution File by deleting or commenting out the not needed installation pkgs
After that I did:

pkgutil --flatten pkg_dev/expand/AnyConnect AnyConnect.pkg

I was able to install this pkg by double clicking it but JAMF was not able to install it for me
Error: pkg uses a deprecated pre-10.2 format
Also did not delete the not needed pkgs, same error

What was then working was just flatten the vpn_module.pkg

pkgutil --flatten pkg_dev/expand/AnyConnect/vpn_module.pkg Cisco AnyConnect 4.9.06037_VPNonly.pkg

Now the installation with JAMF was working.

Maybe this might be useful for someone else 😉
BR
Daniel

EddyLara
New Contributor II

Hello dptratl how do you add the profile and choice into the package?

I currently have the latest version of anyconnect packages this way.

I have found that changing the name of the package to any thing other that AnyConnect.pkg that is created by the process and it will fail to install. Create the package and after that renaming will work.

I would not delete any thing from the package. I don't and it works. only change you make is editing the distribution file. 

 

Also there have been questions on the profiles in this PKG. I do not include these but rather place the correct xml file in the /opt directory location for profiles. You just package this with composer from a working system. It will install the profile. After that our concentrators will send any update's. 

Hi @EddyLara,

 

We provide the profile and connection nodes with a seperate pkg which installs the edited AnyConnectProfile.xml to the path /opt/cisco/anyconnect/profile/

 

I hope that helps.

BR
Daniel