Posted on 01-16-2019 02:03 PM
Hi all,
I've seen various threads on this, some dating back to years ago, and I was hoping to get some concrete suggestions on the most efficient way to go about this.
We're wanting to deploy only the VPN, Umbrella, and AMP portions of AnyConnect, along with their respective config files from our organization. I've seen mention of using the Packages app, as well as Pacifist, but going that route leads to the com.apple.installer issue. I've tried a myriad of different things, but I can't seem to get it set up without issue.
Any insight is greatly appreciated!
Posted on 01-16-2019 03:09 PM
@landon_Starr using a Choices.xml file is your best bet. You can check out this blog post:
Using installer choices.xml to modify AnyConnect and McAfee deployments
That's what we do. I package the AnyConnect installer direct from Cisco, along with the Choices.xml file and a postinstall script. I drop the PKG file and the XML into /tmp and then the postinstall script installs them:
#!/bin/bash
anyChoice="All-AnyConnectChoices.xml"
anyInstall="AnyConnect_4.7.00136.pkg"
/usr/sbin/installer -applyChoiceChangesXML /tmp/${anyChoice} -pkg /tmp/${anyInstall} -target /
exit 0
Could take it a step further and instead of a postinstall use a script in a policy set to After with Parameter 4 and 5 set to the name of the package and the XML file. That would make it more universal (the script that is) so that it could be used for other apps like Office or anything else you only want pieces from.
Hope that makes sense.
Posted on 01-17-2019 08:21 AM
For some reason, the idea of distributing a package that includes features I will never use bothers me.
I used to crack open the flat metapackage with pkgutil, remove the superfluous packages, and then modify the Distribution file to only point to the remaining packages, but I got tired of doing that every time so I wrote a Python script that breaks it down and does all the work for me.
Unfortunately it relies on some of my custom libraries so I can't just copy/paste it here for you to use. I can maybe modify it to include the missing functions.
Posted on 01-17-2019 09:40 AM
Hey @stevewood ,
Thanks for your help! That's the first time I've come across the page you shared, and it's definitely helpful.
Though it still looks like I'm missing something. I threw the AnyConnect.pkg file, along with the XML file under /tmp. I modified the XML so that it should only install the VPN and Umbrella portions of the application:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_vpn</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_websecurity</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_fireamp</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_dart</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_posture</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_iseposture</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_nvm</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_umbrella</string>
    </dict>
</array>
</plist>
And then copied over the little post install: (changing the variables, of course)
#!/bin/bash
anyChoice="AnyConnectChoices.xml"
anyInstall="AnyConnect.pkg"
/usr/sbin/installer -applyChoiceChangesXML /tmp/${anyChoice} -pkg /tmp/${anyInstall} -target /
exit 0
Upon testing the install, every component was installed. Am I a big dummy and missing something super simple?
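A choices file of the shape posted above can be generated and checked instead of hand-edited. This is an added example, not part of the original post: `build_choices` and `audit_choices` are hypothetical helper names, and the identifier list is taken from the XML quoted in this post.

```python
import plistlib

# Choice identifiers as they appear in the choices file posted in this thread.
KNOWN_CHOICES = [
    "choice_vpn", "choice_websecurity", "choice_fireamp", "choice_dart",
    "choice_posture", "choice_iseposture", "choice_nvm", "choice_umbrella",
]

def build_choices(wanted):
    """Return choices-XML bytes that select only the identifiers in `wanted`."""
    unknown = set(wanted) - set(KNOWN_CHOICES)
    if unknown:
        raise ValueError(f"unknown choice identifiers: {sorted(unknown)}")
    entries = [
        {
            "attributeSetting": 1 if ident in wanted else 0,
            "choiceAttribute": "selected",
            "choiceIdentifier": ident,
        }
        for ident in KNOWN_CHOICES
    ]
    return plistlib.dumps(entries, fmt=plistlib.FMT_XML)

def audit_choices(xml_bytes):
    """Parse a choices file and return (selected, deselected, problems)."""
    selected, deselected, problems = [], [], []
    seen = set()
    for entry in plistlib.loads(xml_bytes):
        if entry.get("choiceAttribute") != "selected":
            continue  # this audit only looks at 'selected' entries
        ident = entry.get("choiceIdentifier")
        if ident in seen:
            problems.append(f"duplicate entry for {ident}")
        seen.add(ident)
        if ident not in KNOWN_CHOICES:
            problems.append(f"unrecognised identifier {ident}")
        bucket = selected if entry.get("attributeSetting") == 1 else deselected
        bucket.append(ident)
    # A choice with no entry is left at whatever the package defaults to.
    problems += [f"no entry for {c}" for c in KNOWN_CHOICES if c not in seen]
    return selected, deselected, problems
```

Running `audit_choices` on the file that is about to be shipped confirms which modules it actually asks the installer for before the policy goes out.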
Posted on 04-05-2019 10:14 AM
I got the install to work by creating the choice.xml.
What I do get now is the user is prompted to open the Security Pref Pane and allow the app extension. Anyone know a way to automate that process so that it is a completely silent install?
Posted on 04-08-2019 03:53 AM
I presume you are talking about the kernel extension warning. You need to create a profile for it and ensure it deploys to the devices. This will be useful. Like this example for McAfee.
Posted on 11-05-2019 10:45 AM
Hi all, I am currently seeking how to customize the Cisco installer for Mac also so I can auto install it upon enrollment on my MacBook Pros. That being said, it's new to me and I'm struggling to understand some of it. Also a road block I'm hitting is understanding how to have the user cert from the Entradus- CA either pulled down or on the Mac and not stored in the login keychain. Basically, currently pre-MDM, my predecessors manually installed the user cert VPN wants to verify; I have yet to understand how to pull this cert down etc. with JAMF.
Posted on 01-21-2020 12:54 PM
Hey all- I hate to resurrect a year-old thread but I've been following the advice here and I am so close to packing the VPN-only module for my Self Service. If I run the following command locally AnyConnect installs exactly how I want it to:
sudo installer -applyChoiceChangesXML /Users/me/Desktop/choices.xml -pkg /Users/me/Desktop/AnyConnect.pkg -target /
But if I package everything and run the Self Service policy I get the following error when trying to download the XML:
Installing choices.xml...
Installation failed. The installer reported: installer: Error - the package path specified was invalid: '/Library/Application Support/JAMF/Downloads/choices.xml.pkg'.
Any idea what I'm doing wrong here? The AnyConnect.pkg installs fine, as does my XML which adds custom addresses to the VPN module... but not the choices.xml.
Posted on 01-21-2020 11:49 PM
O, bearers of truth!
O, wreckers of dreams!
Come forth and exclaim
that all our great schemes
and policies drafted
shall all be for naught;
that packages crafted
shall wither and rot
when dread Catalina
enforces new rules
and notarization
makes all of us fools.
Posted on 01-22-2020 01:08 PM
Does this mean... none of the above actually does the trick on 10.15?
Posted on 01-23-2020 10:00 AM
I am packaging AnyConnect 4.8 for Catalina. This is the first version that will actually work correctly with 10.15. I am not doing anything different than with previous versions.
Expand the anyconnect.pkg so you can modify the dist file
pkgutil --expand AnyConnect.pkg ~/Documents/AnyConnectVPN
then I opened the Distribution file inside of the expanded package
This is what I wanted to install
<choices-outline>
<line choice="choice_vpn"/>
<line choice="choice_dart"/>
<line choice="choice_posture"/>
</choices-outline>
Save the list file
Flatten the pkg and then you can install.
pkgutil --flatten ~/Documents/AnyConnectVPN ~/Desktop/AnyConnect.pkg
This works for us.
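The Distribution edit described in this post can also be done programmatically. This is an added example, not part of the original post and not Cisco or Jamf tooling: it trims `<choices-outline>` to the choices you keep and stops if a requested choice is not in the file. `trim_outline` and `SAMPLE_DISTRIBUTION` are hypothetical names, and the sample file is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed, heavily shortened stand-in for the Distribution file inside an
# expanded AnyConnect.pkg; the real file carries more elements and attributes.
SAMPLE_DISTRIBUTION = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
    <title>AnyConnect (constructed sample)</title>
    <choices-outline>
        <line choice="choice_vpn"/>
        <line choice="choice_websecurity"/>
        <line choice="choice_fireamp"/>
        <line choice="choice_dart"/>
        <line choice="choice_posture"/>
        <line choice="choice_umbrella"/>
    </choices-outline>
    <choice id="choice_vpn" title="VPN">
        <pkg-ref id="com.cisco.pkg.anyconnect.vpn"/>
    </choice>
</installer-gui-script>
"""

def trim_outline(distribution_xml, keep):
    """Drop each top-level <line> in <choices-outline> whose choice is not in `keep`.

    Returns (new_xml, removed). Raises if a requested choice is absent, so a
    typo cannot silently yield a package that installs nothing.
    """
    root = ET.fromstring(distribution_xml.encode("utf-8"))
    outline = root.find("choices-outline")
    if outline is None:
        raise ValueError("no <choices-outline> element found")
    present = [line.get("choice") for line in outline.findall("line")]
    missing = sorted(set(keep) - set(present))
    if missing:
        raise ValueError(f"not in choices-outline: {missing}")
    removed = []
    for line in list(outline.findall("line")):
        if line.get("choice") not in keep:
            outline.remove(line)
            removed.append(line.get("choice"))
    return ET.tostring(root, encoding="unicode"), removed
```

ElementTree re-serialises the whole file (comments are dropped and CDATA becomes escaped text), so diff the result against the original Distribution before flattening. A package rebuilt with `pkgutil --flatten` no longer carries the vendor's signature, so run `pkgutil --check-signature` on the original download before expanding it.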
Posted on 03-04-2022 04:01 PM
I can confirm that this works for 4.9 on Monterey. Just need to get the extension to auto approve so the user doesn't have to.
Posted on 01-23-2020 12:36 PM
Dude. That is the answer. That is ALL we have to do. I don't understand why the XML with the post-install script is necessary in this case. ??? I removed all the modules I do not want installed (basically everything except VPN) and re-flattened the PKG. Uploaded, updated my policy, and bam. Thank you.
Posted on 01-23-2020 01:11 PM
I am testing 4.8, and solution which @MikeF mentions - it works for me as well
Posted on 01-23-2020 01:44 PM
I just repackaged 4.8.02042. All went fine the way I described.
Posted on 01-24-2020 12:48 PM
This worked wonderfully! I have another question about this though. Is it possible to supply the server address, so that it automatically populates in the client, in the Distribution list or would that be under a .plist?
Posted on 01-24-2020 01:29 PM
I know there is a way with the profiles on the install to do it but we are doing it a little differently. We end up with an XML file in this folder
/opt/cisco/anyconnect/profile/????.xml
After we set up a machine we package this file in composer and have it installed along with the AnyConnect package. We install AnyConnect and then drop in the profile xml file and the next time that anyconnect opens it reads that file and has all the server addresses. We have multiple access points worldwide and this works for that.
All you should have to do is make that first connection and then the xml file should be created for you. Just use that for the rest of the systems.
Posted on 04-17-2020 09:19 PM
Sorry, it looks like I had to initially cd to the correct directory (thought I tried it at first) and then was able to fix my error. Great tip nonetheless, thank you!
~~just came across @MikeF's method, however no matter what I try terminal outputs the error:
Could not open package for expansion: AnyConnect.pkg
I have it in the directory ~/Desktop/anyconnect
pkgutil --expand AnyConnect.pkg ~/Desktop/anyconnect
Could not open package for expansion: AnyConnect.pkg
any suggestions? this happens on v4.7.x and 4.8.x of anyconnect on 10.15.4~~
Posted on 04-17-2020 10:13 PM
@walt not sure if the syntax is causing the error, but don't you need to state package name of source and target?
pkgutil --expand ~/Desktop/anyconnect/AnyConnect.pkg ~/Desktop/anyconnect/AnyConnect-expanded.pkg
Found out on Friday that 4.7 has a broken KEXT Team Identifier, fixed in 4.8. To see for yourself, run:
codesign -dr - "/Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app"
If you have 4.7 installed, you'll get a long string; if you have 4.8 installed you'll get the Team Identifier.
Posted on 04-22-2020 12:04 AM
Hi JamfNation,
Does Cisco AnyConnect 4.8 fix the kernel extension pop-ups in Catalina?
Or do I need to create a separate PPPC/Config for that?
Posted on 04-22-2020 09:44 AM
There is nothing for Cisco to fix. You need to deliver proper PPPC and Approved Kernel Extensions for AnyConnect and any other software that might use those controlled frameworks.
Posted on 11-20-2020 05:29 AM
I try to deploy anyconnect-macos-4.9.04043. I do like below (copied from this post earlier) - but Cisco is not installed after the package has run. Anyone had luck with this?
*Expand the anyconnect.pkg so you can modify the dist file
pkgutil --expand AnyConnect.pkg ~/Documents/AnyConnectVPN
then I opened the Distribution file inside of the expanded package
This is what I wanted to install
<choices-outline>
<line choice="choice_vpn"/>
<line choice="choice_dart"/>
<line choice="choice_posture"/>
</choices-outline>
Save the list file
Flatten the pkg and then you can install.
pkgutil --flatten ~/Documents/AnyConnectVPN ~/Desktop/AnyConnect.pkg*
Posted on 11-20-2020 08:45 AM
@jameson It works for me. I repackaged AnyConnect ver. 4.9.04043 this way with only VPN and DART modules
Posted on 11-21-2020 02:04 PM
Can you try and paste what you have in the distribution file? Something I must be missing, as this should be straight out of the box working. But the package installs for me, but Cisco is not installed - really strange behavior. So somehow it seems to be an empty package I install.
Posted on 11-22-2020 10:33 AM
This is what I have for 4.9.03047
I am showing the only part of the distribution file I changed
<choices-outline>
<line choice="choice_vpn"/>
<line choice="choice_websecurity"/>
<line choice="choice_dart"/>
<line choice="choice_posture"/>
<line choice="choice_umbrella"/>
</choices-outline>
These are the options I install; if you do not want some of it just delete the lines you don't want.
I did not modify anything else.
Just make sure to save the file and then flatten the package.
I will be making this up for the new release but not until after Thanksgiving.
Posted on 11-22-2020 11:49 PM
OK - found the magic
So new week, new try. Did reset my test machine, did redo all the pkgutil - created a new policy - and BAM - Cisco showed up.
Really strange for me as I did the exact last week. So I removed Cisco in Applications and imported the package in the original policy. And then it was gone again! - it was installing without any error, but the Cisco folder did not show up in Applications.
I removed all settings in the original policy and the package did not show up - and even the test policy also did not work anymore.
So my guess was that something must be stuck from the first install that worked. So found the magic command here
sudo pkgutil --forget com.cisco.pkg.anyconnect.vpn
This must be run if you want to redo the installation. That was close to 1 day I spent on this silly issue, so nothing was wrong with my package, just that command must be run.
Posted on 02-24-2021 09:34 AM
As information (and maybe as reminder for me when I face the same problem again)
I first did as described above:
mounted the anyconnect-macos-4.9.06037-predeploy-k9.dmg and copied the AnyConnect.pkg to my Desktop
Then I expanded it with the command:
pkgutil --expand AnyConnect.pkg pkg_dev/expand/AnyConnect
Now I deleted all pkgs inside I don't need (we only need the VPN installer) and edited the Distribution File by deleting or commenting out the not needed installation pkgs
After that I did:
pkgutil --flatten pkg_dev/expand/AnyConnect AnyConnect.pkg
I was able to install this pkg by double clicking it but JAMF was not able to install it for me
Error: pkg uses a deprecated pre-10.2 format
Also did not delete the not needed pkgs, same error
What was then working was just flatten the vpn_module.pkg
pkgutil --flatten pkg_dev/expand/AnyConnect/vpn_module.pkg "Cisco AnyConnect 4.9.06037_VPNonly.pkg"
Now the installation with JAMF was working.
Maybe this might be useful for someone else ;)
BR
Daniel
Posted on 10-01-2021 03:13 PM
Hello dptratl how do you add the profile and choice into the package?
Posted on 10-04-2021 06:22 AM
I currently have the latest version of anyconnect packages this way.
I have found that changing the name of the package to anything other than AnyConnect.pkg that is created by the process and it will fail to install. Create the package and after that renaming will work.
I would not delete anything from the package. I don't and it works. The only change you make is editing the distribution file.
Also there have been questions on the profiles in this PKG. I do not include these but rather place the correct XML file in the /opt directory location for profiles. You just package this with Composer from a working system. It will install the profile. After that our concentrators will send any updates.
Posted on 10-04-2021 07:13 AM
Hi @EddyLara,
We provide the profile and connection nodes with a separate pkg which installs the edited AnyConnectProfile.xml to the path /opt/cisco/anyconnect/profile/
I hope that helps.
BR
Daniel
Posted on 01-26-2023 12:35 PM
For the record, I tried using pkgutil to remove the VPN as we do not need it.. But it breaks the installation.
I am able to remove everything else, just not VPN.
Anyone else having this issue? I am open to hearing any workarounds.
Posted on 01-26-2023 02:10 PM
I was repacking version 4.10.06 today with only VPN and DART modules, everything was working fine, as usual. Tested, installed recombined package.
Posted on 03-06-2024 12:48 PM
Can you share how you repackage? I am working on the same with the newer Cisco Secure Client 5.0 and tried the following:
pkgutil --expand Path/Cisco\ Secure\ Client.pkg path/Cisco\ Secure\ Client
pkgutil --flatten path/Cisco\ Secure\ Client Path/Cisco\ Secure\ Client.pkg
but I still get a "uses a deprecated pre-10.2 format (or uses a newer format but is invalid)." I didn't rename the pkg till after the flatten.
Could I just pull the PKGs I need after it's expanded and install them both with one policy, or is that resources folder needed?
Posted on 03-06-2024 01:14 PM
I ended up leaving all the PKGs inside and just editing the distribution file to only include the parts I needed. That was able to run through self service without errors.