Modifying Cisco Anyconnect installer

Stubakka
Contributor II

It's me again!

I wanted to know if anyone has a quick way to modify the Cisco AnyConnect installer pkg to include the default VPN server info so the user does not need to add this themselves, and pretty much makes it a zero-configuration install.

I do have Composer 8.52, I think. I tried it yesterday, however I did not have success, due to it not working when it opened after installing, or not being sure if I was modifying the correct file in the pkg; anyconnectprofile.xsd, I think, was the name.

7 REPLIES

haircut
Contributor

No need to modify the installer, just repackage using Composer and include a configured ".anyconnect" file in the users' home directories.

.anyconnect is a simple XML file. The keys I change are DefaultHostName (my VPN server hostname) and DefaultGroup to reflect my environment.

    <?xml version="1.0" encoding="UTF-8"?>
    <AnyConnectPreferences>
    <DefaultUser></DefaultUser>
    <DefaultSecondUser></DefaultSecondUser>
    <ClientCertificateThumbprint></ClientCertificateThumbprint>
    <ServerCertificateThumbprint></ServerCertificateThumbprint>
    <DefaultHostName>VPN_SERVER_ADDRESS</DefaultHostName>
    <DefaultHostAddress></DefaultHostAddress>
    <DefaultGroup>GROUPNAME</DefaultGroup>
    <ProxyHost></ProxyHost>
    <ProxyPort></ProxyPort>
    <SDITokenType>none</SDITokenType>
    <ControllablePreferences></ControllablePreferences>
    </AnyConnectPreferences>

Leaving DefaultUser blank will prompt the user for their username the first time they connect, but should remember it after that.

Then just fill home directories and templates when you deploy.

Kumarasinghe
Valued Contributor

This is how we do it;

To get the server address automatically, we package the new.xml file, which holds the server details (this file is usually called new.xml, or any name which will be set by network engineers, so use the name specified in your environment). For more details see the admin guides below.

AnyConnect v3.0
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac0...
AnyConnect v3.1
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac0...

  1. Install Cisco AnyConnect client on a test machine and configure your server details.

  2. Open /opt/cisco/anyconnect/profile/new.xml in TextWrangler and delete everything except the <ServerList> fields, as below (in some versions the new.xml location is /opt/cisco/vpn/profile/new.xml, so if the file is not in the above location please have a look in this location).

    <?xml version="1.0" encoding="UTF-8"?>
    <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
    
    
    <ServerList>
        <HostEntry>
            <HostName>myvpn.server.com</HostName>
            <HostAddress>myvpn.server.com</HostAddress>
        </HostEntry>
    </ServerList>
    </AnyConnectProfile>

  3. Do the permission change:

    sudo chown -R root:wheel /opt/cisco/anyconnect/profile/new.xml

  4. Drag /opt/cisco/anyconnect/profile/new.xml into Composer and see the correct permissions are set (root:wheel 664).

  5. Package the new.xml file and upload it to Casper Admin - Make sure you install this config package after installing VPN.pkg (set Priority correctly. e.g. 10 for vpn installer and 11 for the config pkg).
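
The steps in the post above, sketched as an added example (not part of the original post and not Cisco or Jamf code): it trims a full profile down to its <ServerList> and checks a file against root:wheel 664 before packaging. The sample profile is constructed, and the function names are hypothetical.

```python
import os
import stat
import xml.etree.ElementTree as ET

NS = "http://schemas.xmlsoap.org/encoding/"  # profile namespace shown in step 2
XSI = "http://www.w3.org/2001/XMLSchema-instance"
ET.register_namespace("", NS)
ET.register_namespace("xsi", XSI)

# Constructed sample of a fuller profile; the ClientInitialization section is illustrative.
SAMPLE_FULL = f"""<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="{NS}" xmlns:xsi="{XSI}"
    xsi:schemaLocation="{NS} AnyConnectProfile.xsd">
  <ClientInitialization><AutoUpdate>true</AutoUpdate></ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>myvpn.server.com</HostName>
      <HostAddress>myvpn.server.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""


def strip_to_server_list(profile_xml):
    """Return (xml_text, hosts) keeping only <ServerList>, as in step 2."""
    root = ET.fromstring(profile_xml.encode("utf-8"))
    for child in list(root):
        if child.tag != f"{{{NS}}}ServerList":
            root.remove(child)
    hosts = [(e.findtext(f"{{{NS}}}HostName"), e.findtext(f"{{{NS}}}HostAddress"))
             for e in root.iter(f"{{{NS}}}HostEntry")]
    if not hosts:
        raise ValueError("profile has no <HostEntry>; nothing to deploy")
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body, hosts


def permission_problems(path, want_mode=0o664, want_uid=0, want_gid=0):
    """Findings for a file vs. root:wheel 664 (uid 0, gid 0 on macOS), steps 3-4."""
    st = os.stat(path)
    problems = []
    if (st.st_uid, st.st_gid) != (want_uid, want_gid):
        problems.append(f"owner {st.st_uid}:{st.st_gid}, expected {want_uid}:{want_gid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode != want_mode:
        problems.append(f"mode {mode:o}, expected {want_mode:o}")
    if mode & stat.S_IWOTH:
        problems.append("world-writable: any local user could repoint the VPN host")
    return problems
```

Run `permission_problems` against the file inside the Composer source as well as on a test install, since the packaged mode and owner are what land on client machines.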

Stubakka
Contributor II

Ty so much, I will try this today, just trying to streamline the user experience.

Stubakka
Contributor II

Well, I tried to change the file using Composer. I changed the hostname and host address in the file to reflect our environment. When I compose the package, it installs and everything seems OK, but when I open the AnyConnect file it says something like "component missing or not present". Strange, I'm using a known good source, not sure why it's happening really; the only file I modified is the profile.

Stubakka
Contributor II

This brings me to another question: how do you guys easily just open files in .pkgs and edit them without having to go through too much trouble?

mm2270
Legendary Contributor III

@Gabriel.Duff
There are a few ways -

With Composer:
Drag the .pkg (or even .dmg) file into Composer's sidebar. Once it shows up, click on the Convert to Source button located in the interface and let it convert the package into a Composer source.
Some caveats with this approach are that, one, it doesn't work correctly with all packages. I've run into some that don't convert properly. Two, the way Composer works is that it runs any scripts contained in the package while converting. Generally this is OK, but be careful! Some scripts can be damaging to your system unless run in the context of an actual install procedure, so you take a slight risk using this method.

With Pacifist:
For packages that I suspect may have scripts in them that I don't want running on my Mac, I use Pacifist to open and examine the contents. You can see the payload (where it will drop files) as well as view any scripts and other files in it pretty easily. You can't use it with a DMG, but then again, you typically would just mount the DMG to see its contents anyway.
http://www.charlessoft.com

With Terminal and pkgutil:
Finally, you can expand a package installer in Terminal with the pkgutil command. View the man page and you'll see you can do something like:

    pkgutil --expand /path/to/source/install.pkg /path/to/output/folder/

where /path/to/output/folder/ is where you want the package contents to expand to. It doesn't give you the nice representation you get with either Composer or Pacifist though, so this method may not always suit what you want to do. This also only works against flat packages, not the old bundle style packages.
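
To go with the pkgutil method and the caveat about scripts in the post above, an added example (not part of the original post): after expanding a package without installing it, list every installer script so it can be read before anything executes. The sample tree is constructed, and the assumption that scripts sit in a directory named Scripts in the expanded output is mine.

```python
import os
import subprocess

# Script names the macOS installer runs (flat and older bundle-style packages).
INSTALL_SCRIPT_NAMES = {"preinstall", "postinstall", "preflight", "postflight",
                        "preupgrade", "postupgrade"}


def expand_pkg(pkg_path, out_dir):
    """Unpack a flat package without installing it (macOS only)."""
    subprocess.run(["pkgutil", "--expand", pkg_path, out_dir], check=True)


def install_scripts(expanded_dir):
    """Return [(relative_path, interpreter, line_count)] for each script found."""
    found = []
    for dirpath, _dirs, files in os.walk(expanded_dir):
        for name in sorted(files):
            in_scripts_dir = os.path.basename(dirpath) == "Scripts"
            if name not in INSTALL_SCRIPT_NAMES and not in_scripts_dir:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            first = data.split(b"\n", 1)[0]
            interp = "(no shebang)"
            if first.startswith(b"#!"):
                interp = first[2:].strip().decode("ascii", "replace")
            found.append((os.path.relpath(path, expanded_dir), interp, data.count(b"\n")))
    return sorted(found)


def write_sample(root):
    """Constructed stand-in for expanded output; layout and names are assumptions."""
    scripts = os.path.join(root, "vpn.pkg", "Scripts")
    os.makedirs(scripts)
    with open(os.path.join(scripts, "postinstall"), "w") as fh:
        fh.write("#!/bin/sh\necho configuring\nexit 0\n")
    with open(os.path.join(root, "vpn.pkg", "PackageInfo"), "w") as fh:
        fh.write("<pkg-info/>\n")
    with open(os.path.join(root, "Distribution"), "w") as fh:
        fh.write("<installer-gui-script/>\n")
    return root
```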

Kumarasinghe
Valued Contributor

Is this AnyConnect v3.0 or 3.1?
I just found out that if the version is 3.1, the new.xml file is located in /opt/cisco/anyconnect/profile/new.xml