I am having issues deploying AnyConnect through JSS due to it installing all of the extras that come with it when we only need to install the VPN portion of the application. I am trying to find a way to have none of the extras when pushing this to our machines via policy.
Yeah, set your choicechanges.xml, create a package to install the AnyConnect installer and the choicechanges.xml into a temp directory (or wherever you want), then run this:
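#!/bin/sh
# Install AnyConnect with the choice changes file, then remove the staging directory.
# The paths contain a space, so they must be quoted.
/usr/sbin/installer -pkg "/Library/Application Support/JAMF/CiscoApp/AnyConnect.pkg" -target / -applyChoiceChangesXML "/Library/Application Support/JAMF/CiscoApp/Choice.xml"
rm -r "/Library/Application Support/JAMF/CiscoApp/"
If it's any help, this is how I do it...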
This is a snippet of my script which creates the XML file. This will install AnyConnect and DART, so simply add the items you don't want or remove the ones you do based on the <string>feature</string> format...
#!/bin/sh
# Write the choice changes XML that is passed to installer -applyChoiceChangesXML
cat <<EOF > "/var/tmp/Custom_Install-AnyConnect.xml"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
    <string>choice_websecurity</string>
    <string>choice_fireamp</string>
    <string>choice_posture</string>
    <string>choice_iseposture</string>
    <string>choice_nvm</string>
</array>
</plist>
EOF
There is also an easy way to fix the pkg file to install just what you want. Here is what I do. And this solution was posted by cosmo-slug.
Expand the AnyConnect.pkg
pkgutil --expand AnyConnect.pkg ~/Documents/AnyConnectVPN
Then I opened the Distribution file inside of the expanded package and looked for these types of entries:
<choices-outline> <line choice="choice_vpn"/>
Leave what you want and delete the ones you don't
After saving the Distribution file, I flattened the package.
pkgutil --flatten ~/Documents/AnyConnectVPN ~/Desktop/"AnyConnect 4.7.00136.pkg"
This way has been working for me for a while. @cosmo-slug posted this on JAMF but I could not locate the post.
@MikeF Which "AnyConnect.pkg" are you using for 4.7? anyconnect-macos-4.7.00136-webdeploy-k9.pkg?
I just posted on another post...so a quick repost of my errors trying to use your method:
I couldn't open them with pkgutil either (pkgutil --verbose --expand <filename> <dir>). I get this error:
"Could not open package for expansion: anyconnect-macos-4.7.00136-webdeploy-k9.pkg"
I tried to chmod +777 the file to see if it was a permissions issue there, but no dice.
The md5 of my pkg file is: MD5 (anyconnect-macos-4.7.00136-webdeploy-k9.pkg) = 5b41987662967d64d98d02106955f4a7
Can you tell me if I'm using the right package file and if yes, do our MD5 hashes match?
Okay, I consolidated the advice I got here into a step by step for those who read this post days, months, years from now.
I highly suggest using this little puppy... Makes life so much easier!
Create your xml file, add it into your DMG next to your PKG... Supply parameters
dmgName="" # Required eg anyconnect.dmg
forcesuccessflag="" # Optional
useinstallerapp="" # Optional eg YES
allowUntrusted="" # Optional
applyChoiceChangesXMLFile="" # Optional eg myfileinsidethedmg.xml
Supplying parameter 5/forcesuccessflag with "YES" without quotes and case sensitive allows PKG exit code to be bypassed and returns a forced exit code of 0 to the JSS (if needed).
Supplying parameter 6/useinstallerapp with "YES" without quotes and case sensitive forces the use of macOS native installer binary to install the PKG.
Supplying parameter 7/allowUntrusted with "YES" without quotes and case sensitive allows bypassing an invalid or expired certificate embedded within the PKG.
Supplying parameter 8/applyChoiceChangesXMLFile with an XML filename allows the PKG to be supplied an xml answerfile. The xml file MUST be beside the PKG wrapped in your DMG.
Please take careful note, that parameters 7 (allowUntrusted) and 8 (applyChoiceChangesXMLFile) are dependent on parameter 6 (useinstallerapp) being YES. I've also added mpkg if no pkg is found within the DMG. Additionally all parameters will be parsed in the logs so one can see if, when, and where something went wrong.
Just keep in mind that if you use the expand/flatten methodology I believe you lose the signed certificate that comes with the original package, and that depending on Mac security settings installing unsigned packages can sometimes be difficult.
I've used both and settled on the XML answer file method because it's easier. It's a lot easier editing the XML file and building a one-time script to apply it rather than editing those packages from Cisco every few weeks or so when the latest AnyConnect is released.
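
The answer-file approach from this thread with a signature check in front of it, as an added example that is not code from any poster: it writes the choice file in the explicit dict form that `installer -showChoiceChangesXML` prints, and refuses to install a package whose signature does not verify. The function names and the temp-directory layout are assumptions; the choice identifiers are the ones listed in the thread.

```sh
#!/bin/sh
# Added example (not from the thread). Builds the answer file in the explicit
# dict form and installs only after the package signature verifies.

# write_choice_xml OUT ID... : one "selected = 0" entry per choice identifier.
write_choice_xml() {
    out=$1; shift
    for id in "$@"; do
        # Plain identifiers only, so a value cannot break out of the XML.
        case $id in
            ''|*[!A-Za-z0-9_.-]*) echo "bad choice id: $id" >&2; return 1 ;;
        esac
    done
    {
        printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>'
        printf '%s\n' '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
        printf '%s\n' '<plist version="1.0">' '<array>'
        for id in "$@"; do
            printf '  <dict>\n'
            printf '    <key>attributeSetting</key><integer>0</integer>\n'
            printf '    <key>choiceAttribute</key><string>selected</string>\n'
            printf '    <key>choiceIdentifier</key><string>%s</string>\n' "$id"
            printf '  </dict>\n'
        done
        printf '%s\n' '</array>' '</plist>'
    } > "$out"
}

# install_anyconnect PKG : hypothetical wrapper; PKG is the vendor-signed pkg.
install_anyconnect() {
    pkg=$1
    # An expanded and re-flattened package has lost its signature: stop here
    # rather than reaching for allowUntrusted. Non-zero exit is treated as failure.
    pkgutil --check-signature "$pkg" >/dev/null || {
        echo "signature check failed: $pkg" >&2; return 1; }
    # Runs as root, so use a private temp dir, not a fixed name in /var/tmp.
    work=$(mktemp -d) || return 1
    rc=0
    # Choice ids below are the ones listed in the thread.
    write_choice_xml "$work/choices.xml" choice_websecurity choice_fireamp \
        choice_posture choice_iseposture choice_nvm &&
        /usr/sbin/installer -pkg "$pkg" -target / \
            -applyChoiceChangesXML "$work/choices.xml" || rc=$?
    rm -rf "$work"
    return "$rc"
}
```

Call `install_anyconnect` with the path to the package from a policy script; the identifiers a given package actually offers can be listed with `installer -showChoiceChangesXML -pkg <pkg>`.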