browse
Overview
Deployment of the Umbrella Roaming Security Module involves these components:
- Installation of the AnyConnect Core Module
- Installation of the Umbrella Roaming Security Module
- Installation of the Diagnostic and Reporting Tool (DART) Module
- Installation of the Umbrella Profile (OrgInfo.json)

Existing AnyConnect Users:
This article focuses on how to pre-deploy Umbrella using a CLI method. It is also possible to deploy the Umbrella module & profile to existing AnyConnect users by adding configuration to the VPN head-end. For more information on that method read the Umbrella documentation.
There are some scenarios where you may wish to "pre-deploy" the Umbrella module:
- You are using AC VPN but want the Umbrella module to be available before the VPN is connected for the first time.
- You want to deploy the Umbrella module as a standalone module, and will not be connecting to VPN.
- You want to make use of advanced installation options (e.g. service lockdown).
Pre-deploying Umbrella module (VPN + Umbrella + DART)
Builiding the deployment package
-
- Download the Umbrella roaming security module profile from your Umbrella Dashboard. Deployments>Roaming Computers>Roaming Clients
- The downloaded filename of the module profile is Orginfo.json
- Download the Umbrella Roaming Security Module from one of the locations below.
- Extract the downloaded AnyConnect Client and find the version number.
- Add your OrgInfo.json file within the 'Profiles' folder in the same directory as the installer. This step is crucial for the Umbrella module to register automatically after installation. The folder structure should look as follows.
anyconnect-win-X.X.XXXXX-core-vpn-predeploy-k9.msi anyconnect-win-X.X.XXXXX-umbrella-predeploy-k9.msi anyconnect-win-X.X.XXXXX-dart-predeploy-k9.msi \Profiles\umbrella\OrgInfo.json
- Download the Umbrella roaming security module profile from your Umbrella Dashboard. Deployments>Roaming Computers>Roaming Clients
Installing the package
- Update the MSI commands below with the version number from your download, then run in the CMD Prompt.
- MSI commands
msiexec /package anyconnect-win-X.X.XXXXX-core-vpn-predeploy-k9.msi /norestart /passive /lvx* vpninstall.log
msiexec /package anyconnect-win-X.X.XXXXX-umbrella-predeploy-k9.msi /norestart /passive /lvx* umbrellainstall.log
msiexec /package anyconnect-win-X.X.XXXXX-dart-predeploy-k9.msi /norestart /passive /lvx* dartinstall.log - Example if your downloaded version 4.10.05095
msiexec /package anyconnect-win-4.10.05095-core-vpn-predeploy-k9.msi /norestart /passive /lvx* vpninstall.log
msiexec /package anyconnect-win-4.10.05095-umbrella-predeploy-k9.msi /norestart /passive /lvx* umbrellainstall.log
msiexec /package anyconnect-win-4.10.05095-dart-predeploy-k9.msi /norestart /passive /lvx* dartinstall.log
- MSI commands
Standalone Umbrella module (No VPN)
If you wish to deploy Umbrella as a standalone application and disable the VPN functionality, follow the same steps for Building the deployment package as above.
Installing the package
When running the installation add the PRE_DEPLOY_DISABLE_VPN=1 parameter when installing the AnyConnect MSI. This will install only the core components of AnyConnect required for Umbrella to function, and will completely hide the VPN functionality.
-
- Run AnyConnect Core VPN MSI with the PRE_DEPLOY_DISABLE_VPN=1 property, as well as Umbrella MSI and DART MSI.
msiexec /package anyconnect-win-X.X.XXXXX-core-vpn-predeploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* vpninstall.log
msiexec /package anyconnect-win-X.X.XXXXX-umbrella-predeploy-k9.msi /norestart /passive /lvx* umbrellainstall.log
msiexec /package anyconnect-win-X.X.XXXXX-dart-predeploy-k9.msi /norestart /passive /lvx* dartinstall.log
- Run AnyConnect Core VPN MSI with the PRE_DEPLOY_DISABLE_VPN=1 property, as well as Umbrella MSI and DART MSI.
Setting MSI properties during installation
msiexec /package <MSI> /passive LOCKDOWN=1 /lvx*
msiexec /package <MSI> /passive ARPSYSTEMCOMPONENT=1 /lvx*
Alternatively these MSI settings could be configured by supplying customized installer transform files (.mst files). For more information see: Configure AnyConnect Lockdown.
Profile Troubleshooting
The common error "Profile is missing" indicates that the Umbrella module is installed but the profile (OrgInfo.json) is not. This means the Umbrella module cannot register with Umbrella or enable protection.
To resolve this for an existing installation simply add the profile here:
%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\OrgInfo.json
To correct the error for future installations, ensure this profile is properly embedded within the deployment package:
\Profiles\umbrella\OrgInfo.json