Migrating Cisco Umbrella to Cisco Secure client with Jamf Pro

jorrig
New Contributor III

Has anyone begun migrating Cisco Umbrella client to Cisco Secure client yet?

I have Cisco Umbrella client distributed with Jamf Pro, now it is announced as EOL in 2024, with Cisco Secure client as the new client.

Is there someone out there that has tried migrating? Looking for caveats or something worth thinking about before getting hands on upgrading my workflows and enrollment profiles.


junjishimazaki
Valued Contributor

If you're talking about upgrading your current user's client software why not use Cisco ISE to do that? I'm assuming you're using Cisco ISE to manage your VPN.

No, I am not using Cisco ISE, not using any VPN. Just using Umbrella client to redirect internet traffic through Umbrella DNS.

Have distributed the client that goes EOL and some policy settings, now I am looking for best practices on how to migrate Umbrella client to Cisco Secure client instead. Like is a complete removal preferred before adding the new client or how should it be done...

mariopena
New Contributor III

I'm in the same boat as you. I've tested the dmg and manually placed the json file in the correct directory and it looks like the new install removes the old install without issues. I'm just trying to figure out how to automate the whole thing. Kinda new to JAMF so I'm still learning. 

jorrig
New Contributor III

Just done some quick testing with manual installation, do not like that I cannot opt out of the VPN client. It would be better to have the option or a separate package that only has the umbrella stuff in the install.

Thinking about running the old working client for a couple of months and test Jamf Safe Internet meanwhile, maybe it turns out well so that will be the option instead of Umbrella.

dstranathan
Valued Contributor II

I'm in the exact same situation. Only use Umbrella - not any other Cisco service.

I just found out today that Umbrella is EOL. Should I be in panic mode? We have until March or April 2024 correct?

 

Glad I found this post!

the umbrella roaming client is going to be announced eol in april.  end of support is april 2025.  you should have plenty of time to get clients updated.

shiftybird
New Contributor II

i'm in the process of migrating. you can hide the vpn client from the application using the ACTransforms.xml included in the installer dmg. you can also use an installer choice xml to only install the necessary modules - vpn and umbrella. the annoying thing that i'm finding is that the client launches the gui window on every log in. i want to prevent that from happening for specific sets of users.

mariopena
New Contributor III

Do you happen to have the instructions on how to use the ACTransforms.xml? I tried to do the choice.xml instructions from umbrella and got lost somewhere in the middle LOL. Sorry I'm still learning JAMF and doing a lot of this Mac stuff.... 

shiftybird
New Contributor II

You just need to remove the comments from the .xml cisco provided within the .dmg

<Transforms>
<DisableVPN>true</DisableVPN>
<DisableCustomerExperienceFeedback>true</DisableCustomerExperienceFeedback>
</Transforms>

The xml file needs to be included in the "Profiles" folder (located within the same directory as the installer pkg) when you run the install.  it will auto-detect the xml and hide the VPN pane within secure client.  You can also use a choice file (see below) to install only the modules you want; you'll need to point the installer to use your choice xml: 

/usr/sbin/installer -applyChoiceChangesXML /path/to/choice_file.xml -pkg /path/to/Cisco\ Secure\ Client.pkg -target /

here's an example of the choice xml i use to install only the vpn and umbrella modules:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
	<dict>
		<key>attributeSetting</key>
		<true/>
		<key>choiceAttribute</key>
		<string>visible</string>
		<key>choiceIdentifier</key>
		<string>choice_anyconnect_vpn</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<false/>
		<key>choiceAttribute</key>
		<string>enabled</string>
		<key>choiceIdentifier</key>
		<string>choice_anyconnect_vpn</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<integer>1</integer>
		<key>choiceAttribute</key>
		<string>selected</string>
		<key>choiceIdentifier</key>
		<string>choice_anyconnect_vpn</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<true/>
		<key>choiceAttribute</key>
		<string>visible</string>
		<key>choiceIdentifier</key>
		<string>choice_fireamp</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<false/>
		<key>choiceAttribute</key>
		<string>enabled</string>
		<key>choiceIdentifier</key>
		<string>choice_fireamp</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<integer>0</integer>
		<key>choiceAttribute</key>
		<string>selected</string>
		<key>choiceIdentifier</key>
		<string>choice_fireamp</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<true/>
		<key>choiceAttribute</key>
		<string>visible</string>
		<key>choiceIdentifier</key>
		<string>choice_dart</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<false/>
		<key>choiceAttribute</key>
		<string>enabled</string>
		<key>choiceIdentifier</key>
		<string>choice_dart</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<integer>0</integer>
		<key>choiceAttribute</key>
		<string>selected</string>
		<key>choiceIdentifier</key>
		<string>choice_dart</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<true/>
		<key>choiceAttribute</key>
		<string>visible</string>
		<key>choiceIdentifier</key>
		<string>choice_secure_firewall_posture</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<false/>
		<key>choiceAttribute</key>
		<string>enabled</string>
		<key>choiceIdentifier</key>
		<string>choice_secure_firewall_posture</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<integer>0</integer>
		<key>choiceAttribute</key>
		<string>selected</string>
		<key>choiceIdentifier</key>
		<string>choice_secure_firewall_posture</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<true/>
		<key>choiceAttribute</key>
		<string>visible</string>
		<key>choiceIdentifier</key>
		<string>choice_iseposture</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<false/>
		<key>choiceAttribute</key>
		<string>enabled</string>
		<key>choiceIdentifier</key>
		<string>choice_iseposture</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<integer>0</integer>
		<key>choiceAttribute</key>
		<string>selected</string>
		<key>choiceIdentifier</key>
		<string>choice_iseposture</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<true/>
		<key>choiceAttribute</key>
		<string>visible</string>
		<key>choiceIdentifier</key>
		<string>choice_nvm</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<false/>
		<key>choiceAttribute</key>
		<string>enabled</string>
		<key>choiceIdentifier</key>
		<string>choice_nvm</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<integer>0</integer>
		<key>choiceAttribute</key>
		<string>selected</string>
		<key>choiceIdentifier</key>
		<string>choice_nvm</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<true/>
		<key>choiceAttribute</key>
		<string>visible</string>
		<key>choiceIdentifier</key>
		<string>choice_secure_umbrella</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<false/>
		<key>choiceAttribute</key>
		<string>enabled</string>
		<key>choiceIdentifier</key>
		<string>choice_secure_umbrella</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<integer>1</integer>
		<key>choiceAttribute</key>
		<string>selected</string>
		<key>choiceIdentifier</key>
		<string>choice_secure_umbrella</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<true/>
		<key>choiceAttribute</key>
		<string>visible</string>
		<key>choiceIdentifier</key>
		<string>choice_thousandeyes</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<false/>
		<key>choiceAttribute</key>
		<string>enabled</string>
		<key>choiceIdentifier</key>
		<string>choice_thousandeyes</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<integer>0</integer>
		<key>choiceAttribute</key>
		<string>selected</string>
		<key>choiceIdentifier</key>
		<string>choice_thousandeyes</string>
	</dict>
</array>
</plist>

all of this is available in cisco's deployment article here: https://docs.umbrella.com/umbrella-user-guide/docs/customize-macos-installation-of-cisco-secure-clie...

wolfhead
New Contributor III

Have you been successful in building a package?  I've gone through their instructions and can perform a single installation...although I will say that the VPN stays visible even with that xml edited correctly, but I cannot find a method which will create a distributable PKG using the custom settings?

shiftybird
New Contributor II

yes. the ACTransforms.xml file works for me, it hides the VPN module from view.

I've also been successful in creating a deployment package. in my deployment package i install the secure client pkg and the supporting files (any necessary configuration files, the ACTransforms.xml and install choices xml file) to a temp directory, then use a post install script to install the package with the required options and then clean up the temp directory/files.

wolfhead
New Contributor III

Yes I finally got it to work using a similar method.. just needs some tweaking but more complex than it needs to be regardless. 

Starlord
New Contributor II

I am also in the process of creating a Jamf installation package for Cisco Secure Client v5.1.1.42. Did you use Composer to create the installation package and if so, please provide me with the steps you used. Below is information received from Jamf Support which does not address use of the .pkg and associated folders which are required for the orginfo.json and other files.

We will be able to use the "Cisco Secure Client.pkg" from within the DMG we got from Cisco but we still need to package the XML file so we will need to actually do the installation on the mac on which we installed Composer.  Once the installation is complete and the XML file is installed to its correct location, we can follow the steps below to package it.

1. Open the Composer application
2. Open Finder and navigate to the XML file's installed location
3. Drag and drop the file from that location into the Sources column on the left side of Composer
4. Select the newly created source, then select the top object that appears to the right.
5. Along the bottom of the Composer window, set the Owner to "root" and the Group to "wheel"
6. Click the " ... " in the circle in the bottom right and select the second option, to "Apply Owner and Group to All Enclosed Items"
7. Click "Build as DMG" along the top of the Composer window, select a place in which to save the package
8. Upload the package in Jamf Pro Settings > Computer Management > Packages > New
9. (Optional) Under the Options tab for the package, select the "Fill user templates (FUT)" and "Fill existing user home directories (FEU)", click Save
10. Add the package to a Policy to be deployed, on the end user's mac the file should install to the same location from which it was packaged

Now we can upload our newly created DMG for the XML file and the "Cisco Secure Client.pkg" to Jamf Pro and try deploying both of those in a Policy.  Remember, when deploying these two packages we do not need to use the script.

shiftybird
New Contributor II

you can use composer (or any other packaging utility).  you'll need to drop the pkg and any config files to a temp location on the client, then use a post install script to kick off the install.
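
The approach shiftybird describes in the posts above (stage the vendor pkg, the choice XML and ACTransforms.xml in a temp location, run the installer from a post-install script, then clean up), written out as an added example; it is not code from the thread, Cisco or Jamf. The staging path and the exit codes are assumptions, and the ownership, signature and lint checks are additions beyond what the posts describe.

```shell
#!/bin/sh
# Added example: postinstall for a wrapper package (not Cisco's or Jamf's).
# Assumed layout, dropped by the wrapper payload before this script runs:
#   $STAGE_DIR/Cisco Secure Client.pkg
#   $STAGE_DIR/choice_file.xml
#   $STAGE_DIR/Profiles/ACTransforms.xml
STAGE_DIR="${STAGE_DIR:-/private/var/tmp/secure_client_stage}"  # hypothetical
EXPECTED_UID="${EXPECTED_UID:-0}"   # staging directory must belong to root
INSTALLER="${INSTALLER:-/usr/sbin/installer}"
PKGUTIL="${PKGUTIL:-/usr/sbin/pkgutil}"
PLUTIL="${PLUTIL:-/usr/bin/plutil}"

# True only if the directory is owned by EXPECTED_UID and not writable by
# group or others, so no other local user could have swapped the staged files.
stage_is_trusted() {
    set -- $(ls -ldn "$1" 2>/dev/null)
    [ "$3" = "$EXPECTED_UID" ] || return 1
    case "$1" in d????w*|d???????w*) return 1 ;; esac
}

install_secure_client() {
    stage="$1"
    pkg="$stage/Cisco Secure Client.pkg"
    choices="$stage/choice_file.xml"
    stage_is_trusted "$stage" || { echo "untrusted stage: $stage" >&2; return 10; }
    # Refuse a partial payload rather than fall back to a default install.
    for f in "$pkg" "$choices" "$stage/Profiles/ACTransforms.xml"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 11; }
    done
    # Signature and plist syntax are checked before anything runs as root.
    "$PKGUTIL" --check-signature "$pkg" >/dev/null || return 12
    "$PLUTIL" -lint "$choices" >/dev/null || return 13
    "$INSTALLER" -applyChoiceChangesXML "$choices" -pkg "$pkg" -target / || return 14
}

# Remove the staged files whether or not the install succeeded.
cleanup_stage() {
    case "$1" in ""|/) return 1 ;; esac
    rm -rf -- "$1"
}

# Run only when executed as the package's postinstall script.
case "$0" in
    *postinstall)
        install_secure_client "$STAGE_DIR"; rc=$?
        cleanup_stage "$STAGE_DIR"
        exit "$rc" ;;
esac
```

`pkgutil --check-signature` only confirms that the package carries a valid signature; comparing the reported signer against the one you expect is a further check this script does not make.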

Lessardrp
Contributor

Can anyone speak to whether or not a client install is really required for this if the VPN option is not desired? In other words, could a Jamf profile be created with the DNS proxy payload and direct endpoints to go through Umbrella? Thanks.

For those not wanting to pursue the VPN service, this is what I'm getting at in my above post:

https://docs.umbrella.com/deployment-umbrella/docs/point-your-dns-to-cisco

Seems you could just have a configuration profile for the DNS settings in Jamf and have no client app to worry about.

i think that option is fine if the device never leaves your network, as devices roam, umbrella won't know the originating network and which policies to apply, no?

Agency specific policies wouldn't apply. I'm considering it as a free level of protection for now though until we pick a budgeted full featured endpoint protection solution as it's a lot better than nothing at all.

I have this in place on some test devices and it works fine. Get the protection of intelligent DNS filtering but it doesn't have agency level policies or reporting. 

Starlord
New Contributor II

I was able to resolve my issue with the help of Jamf Support. I provided them the installation package created and they made some adjustments from their end along with assisting in the creation of a Configuration Profile. I am able to successfully deploy Cisco Secure Connect v5.1.1.42 while suppressing the VPN option and only making the Umbrella option visible to staff.

Would you mind sharing your Configuration Profiles associated with the Umbrella Only option? I was able to make the package and deploy, however I wasn't sure if everything from https://support.umbrella.com/hc/en-us/articles/23515921165844-How-to-deploy-Cisco-Secure-Client-via-... was necessary.

Starlord
New Contributor II

Unfortunately I am unable to share the Configuration Profile with you due to confidential information contained within this mobile config file. The URL you provided did not provide sufficient information in order to resolve this on my own and I reached out to Jamf Support. I worked with Doeneah McIntyre so please reference her name as she should recall the Cisco Secure Client ticket.