Trying to create smart group to detect Anyconnect ISE Compliance Module version

SMR1
Contributor III

I'm trying to create a smart group to check to see if the AnyConnect compliance module is a specific version. Our network group is in the process of updating our ISE Compliance on the backend. We're assisting with providing devices so it can be done in waves. On the Windows side of things, they have the ability to grab the compliance module version to verify. I'd like to do the same for the Mac side, so when it's updated on the backend, we can confirm it's running the correct version. I've gone through the different criteria and can't seem to find one that fits it. Just checking to see if anybody has any ideas on gathering this info to be able to verify it.

4 REPLIES

Nicholaus
Contributor

Are you talking about the "ISE Posture" component? If so, it mirrors the installed AnyConnect version.

You can create a Smart Computer Group with the following:

Criteria: Application Title > Operator: Has > Value: Cisco AnyConnect Secure Mobility Client.app
AND
Criteria: Application Version > Operator: Is > Value: Whatever version you want to check for

SMR1
Contributor III

Correct, I'm talking about the ISE Posture component. I created the smart group, but it's not grabbing any devices. We currently have around 16 devices that have the new compliant module.

Have those devices had an inventory update (sudo jamf recon) run on them since the update?

There's another way you can pull information like this and create groups from the data. The example below is using AnyConnect VPN because that's what I have to test with, so you would just change the application path to match ISE Posture:

1. Create a Computer Extension Attribute with Name = Something meaningful because it will be the criteria for the smart group, Data Type = String, Inventory Display = Your choice, Input Type = Script
2. Paste the following script and save the extension attribute: 

#!/bin/sh

result=$( /usr/bin/defaults read "/Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app/Contents/Info.plist" CFBundleVersion )

echo "<result>$result</result>"

3. Update Inventory on the devices that you want to check
4. Create a Smart Computer Group with: Criteria = Whatever you named the extension attribute, Operator = Is, Value = The version you want to check for

SMR1
Contributor III

I was able to get it to work by creating an extension attribute using the below script and then creating a smart group.

 

#!/bin/bash
# Extract version attribute from the XML file using awk
version=$(awk -F'"' '/<file /{print $2}' /opt/cisco/anyconnect/ACManifestISECompliance.xml)
# An extension attribute only records output wrapped in <result> tags
echo "<result>$version</result>"
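
An added example, not part of the thread and not Cisco or Jamf code: an extension attribute script that reads the same manifest but finds the version attribute wherever it sits in the `<file>` tag and rejects values that are not a dotted version number. The manifest layout, the function names and the "Not Installed" sentinel are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): Jamf extension attribute that reports
# the ISE compliance module version from the manifest named in the thread.
# Assumed layout (constructed): <file version="4.3.3335.6146" id="ISECompliance" ...>
MANIFEST="${MANIFEST:-/opt/cisco/anyconnect/ACManifestISECompliance.xml}"

# Constructed sample manifest for testing off-device; note that version is not
# the first attribute here, which would defeat a "second quoted field" parse.
sample_manifest() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<vpn rev="1.0">
  <file id="ISECompliance" version="4.3.3335.6146" is_core="no" />
</vpn>
EOF
}

# Print the version="..." value of the first <file ...> element, wherever the
# attribute sits in the tag. Prints nothing if the file or attribute is absent.
compliance_version() {
    [ -r "$1" ] || return 0
    sed -n 's/.*<file[[:space:]]\([^>]*[[:space:]]\)\{0,1\}version="\([^"]*\)".*/\2/p' "$1" |
        head -n 1
}

# Wrap the value in the <result> tags Jamf reads. Anything that is not digits
# and dots is reported as "Not Installed" (hypothetical sentinel) so a damaged
# manifest cannot put arbitrary text into inventory.
ea_result() {
    v=$(compliance_version "$1")
    case "$v" in
        '' | *[!0-9.]*) v="Not Installed" ;;
    esac
    printf '<result>%s</result>\n' "$v"
}

ea_result "$MANIFEST"
```

A Smart Computer Group with Operator = Is on this attribute then matches only devices reporting the exact target version, and devices without the module show up under the sentinel value instead of an empty field.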