Issue's installing Cisco AnyConnect

Coreym1993
New Contributor

I am having issues deploying AnyConnect through JSS due to it installing all of the extras that come with it when we only need to install the VPN portion of the application. I am trying to find a way to have none of the extras when pushing this to our machines via policy.

16 REPLIES 16

BenL
New Contributor III

Did you package it with just the parts necessary and not the other parts, such as DART?

The way I've done it is a run a capture on what I want then a post script to kickstart the service. We use the VPN and DART only.

tdclark
Contributor

Check out the responses on this post...
https://www.jamf.com/jamf-nation/discussions/10847/deploying-anyconnect-without-the-web-security-module

I used parts of @pmcgurn 's script and it works perfectly.

seansb
New Contributor III

+1 for @tdclark 's thread, however, I would recommend the ChoiceChanges.xml approach as this scenario is exactly what it was designed for (selecting and de-selecting multiple options). The caveat being that jamf doesn't natively support inputting ChoiceChanges.xml (feature request here).

znilsson
Contributor II

Yeah, set your choicechanges.xml, create a package to install the AnyConnect installer and the choicechanges.xml into a temp directory (or wherever you want), then run this:

#!/bin/sh

/usr/sbin/installer -pkg /Library/Application Support/JAMF/CiscoApp/AnyConnect.pkg -target / -applyChoiceChangesXML /Library/Application Support/JAMF/CiscoApp/Choice.xml

rm -r /Library/Application Support/JAMF/CiscoApp/

maxmaxmaxmaxmax
New Contributor II

If its any help, this is how I do it...

  1. My policy caches the AnyConnect.pkg installer. This will be found in /Library/Application Support/JAMF/Waiting Room/
  2. I have a script in the same policy set to after that creates the choices XML in /var/tmp and runs installer -pkg "/Library/Application Support/JAMF/Waiting Room/AnyConnect.pkg" -applyChoiceChangesXML "/var/tmp/Custom_Install-AnyConnect.xml" -target /

This is a snippet of my script which creates the XML file. This will install AnyConnect and DART, so simply add the items you don't want or remove the ones you do based on the <string>feature</string> format...

#!/bin/sh

cat <<EOF > "/var/tmp/Custom_Install-AnyConnect.xml"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
    <string>choice_websecurity</string>
    <string>choice_fireamp</string>
    <string>choice_posture</string>
    <string>choice_iseposture</string>
    <string>choice_nvm</string>
</array>
</plist>
EOF

k3vmo
Contributor

I don't yet have my Jamf server running -

Can I utilize something like this in AutoDMG to build my image? I've had to configure a system and make an image of - it - only because of the AnyConnect installer....

macbentosh
New Contributor III

This is what I use

#!/bin/bash 
/opt/cisco/anyconnect/bin/amp_uninstall.sh
/opt/cisco/anyconnect/bin/iseposture_uninstall.sh
/opt/cisco/anyconnect/bin/nvm_uninstall.sh
/opt/cisco/anyconnect/bin/umbrella_uninstall.sh
/opt/cisco/anyconnect/bin/websecurity_uninstall.sh

k3vmo
Contributor

@macbentosh You add this script in AutoDMG?

macbentosh
New Contributor III

@k3vmo I add it to JAMF Pro and run it after the package install.

MikeF
Contributor II

There is also an easy way to fix the pkg file to install just what you want. Here bis what i do. And this solution was posted by cosmo-slug

Expand the AnyConnect.pkg

Pkgutil --expand AnyConnect.pkg ~/Documents/AnyConnectVPN

then I opened the Distribution file inside of the expanded package and look for these type entries
<choices-outline> <line choice="choice_vpn"/>
Leave what you want and delete the ones you don't

After saving the Distribution file, I flattened the package.
pkgutil --flatten ~/Documents/AnyConnectVPN ~/Desktop/AnyConnect 4.7.00136.pkg

This way has been working for me for a while. @cosmo-slug posted this on JAMF but I could not locate the post.

DFree
New Contributor III

@MikeF Which "AnyConnect.pkg" are you using for 4.7? anyconnect-macos-4.7.00136-webdeploy-k9.pkg?

I just posted on another post...so a quick repost of my errors trying to use your method:
I couldn't open them with pkgutil either (pkgutil --verbose --expand <filename> <dir>). I get this error:
"Could not open package for expansion: anyconnect-macos-4.7.00136-webdeploy-k9.pkg"

I tried to chmod +777 the file to see if it was a permissions issue there, but no dice.

The md5 of my pkg file is: MD5 (anyconnect-macos-4.7.00136-webdeploy-k9.pkg) = 5b41987662967d64d98d02106955f4a7

Can you tell me if I'm using the right package file and if yes, do our MD5 hashes match?

merps
Contributor III

@dfriedlander you'll want to use the AnyConnect ”predeploy” package to push via jamf.

Webdeploy is the version installed automatically by the ASA.

DFree
New Contributor III

Okay, I consolidated the advice I got here into a step by step for those who read this post days, months, years from now.

  1. Download anyconnect-macos-4.7.00136-predeploy-k9.dmg from Cisco (or your vendor) and open it via installer (Double Click it in finder).
  2. Drag the AnyConnect.pkg file inside the .dmg to your Desktop (for simplicity) and then do @MikeF's steps (4-9 below):
  3. Open Terminal and cd ~/Desktop/
  4. Pkgutil --expand AnyConnect.pkg AnyConnectVPN
  5. cd AnyConnectVPN
  6. vi AnyConnectVPN/Distribution
  7. Look for <choices-outline> <line choice="choice_vpn"/> lines starting around line 8. Delete the ones you don't need. (arrow down to the line(s) and dd on the line(s) you don't want)
  8. :x to write/save/close the Distribution file
  9. pkgutil --flatten AnyConnectVPN AnyConnect_4.7.00136.pkg
  10. Cleanup the desktop.
  11. Upload that pkg file to JSS and go from there in however you want to deploy it.

Thanks to @MikeF and @merps

bsuggett
Contributor II

I highly suggest using this little puppy... Makes life so much easier!

installPKGfromDMG with extra parameters for supplying an xml answer file within your DMG container

Create your xml file, add it into your DMG next to your PKG... Supply parameters

dmgName="" # Required eg anyconnect.dmg
forcesuccessflag="" # Optional
useinstallerapp="" # Optional eg YES
allowUntrusted="" # Optional
applyChoiceChangesXMLFile="" # Optional eg myfileinsidethedmg.xml

Supplying parameter 5/forcesuccessflag with "YES" without quotes and case sensitive allows PKG exit code to be bypassed and returns a forced exit code of 0 to the JSS (if needed).

Supplying parameter 6/useinstallerapp with "YES" without quotes and case sensitive forces the use of macOS native installer binary to install the PKG.

Supplying parameter 7/allowUntrusted with "YES" without quotes and case sensitive allows to bypass an invalid or expired certificate embedded within the PKG.

Supplying parameter 8/applyChoiceChangesXMLFile with an XML filename allows the PKG to be supplied an xml answerfile. The xml file MUST be beside the PKG wrapped in your DMG.

Please take careful note, that parameters 7 (allowUntrusted) and 8 (applyChoiceChangesXMLFile) are dependent on parameter 6 (useinstallerapp) being YES. I've also added mpkg if no pkg is found within the DMG. Additionally all parameters will be parsed in the logs so one can see if, when, and where something went wrong.

taugust04
Valued Contributor

Just keep in mind that if you use the expand/flatten methodology I believe you lose the signed certificate that comes with the original package, and that depending on Mac security settings installing unsigned packages can sometimes be difficult.

I've used both and settled on the XML answer file method because it's easier. A lot easier editing the xml file and building a one time script to apply it rather then editing those packages from Cisco every few weeks or so when the latest AnyConnect is released.

ryanmccrone
New Contributor

Ted, how are you deploying updates? My office wants to deploy them using the web-deploy package from the ASA. Problem is that it asks for an admin username and password.