Overview
Deployment of the Umbrella Roaming Security Module involves these components:
- Installation of the AnyConnect Core Module
- Installation of the Umbrella Roaming Security Module
- Installation of the Diagnostic and Reporting Tool (DART) Module
- Installation of the Umbrella Profile (OrgInfo.json)

Existing AnyConnect Users:
This article focuses on how to pre-deploy Umbrella using a CLI method. It is also possible to deploy the Umbrella module & profile to existing AnyConnect users by adding configuration to the VPN head-end. For more information on that method read the Umbrella documentation.
There are some scenarios where you may wish to "pre-deploy" the Umbrella module:
- You are using AC VPN but want the Umbrella module to be available before the VPN is connected for the first time.
- You want to deploy the Umbrella module as a standalone module, and will not be connecting to VPN.
- You want to make use of advanced installation options (e.g. service lockdown).
Pre-deploying Umbrella module (VPN + Umbrella + DART)
The steps are as follows:
-
- Download the Umbrella roaming security module profile from your Umbrella Dashboard. Deployments>Roaming Computers>Roaming Clients
- The downloaded filename of the module profile is Orginfo.json
- Download the Umbrella Roaming Security Module from one of the locations below.
- Extract the downloaded AnyConnect Client and find the version number.
- Update the MSI commands below with the version number from your download, then run in the CMD Prompt.
- MSI commands
-
msiexec /package anyconnect-win-X.X.XXXXX-core-vpn-predeploy-k9.msi /passive /lvx* vpninstall.log
msiexec /package anyconnect-win-X.X.XXXXX-umbrella-predeploy-k9.msi /passive /lvx* umbrellainstall.log
msiexec /package anyconnect-win-X.X.XXXXX-dart-predeploy-k9.msi /norestart /passive /lvx* anyconnect-win-X.X.XXXXX-dart-predeploy-k9-install-datestamp.log - Example if your downloaded version 4.10.05095
-
msiexec /package anyconnect-win-4.10.05095-core-vpn-predeploy-k9.msi /passive /lvx* vpninstall.log
msiexec /package anyconnect-win-4.10.05095-umbrella-predeploy-k9.msi /passive /lvx* umbrellainstall.log
msiexec /package anyconnect-win-4.10.05095-dart-predeploy-k9.msi /norestart /passive /lvx* anyconnect-win-4.10.05095-dart-predeploy-k9-install-datestamp.log
- Then copy the Orginfo.json file to the directory below.
-
%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\
-
- Download the Umbrella roaming security module profile from your Umbrella Dashboard. Deployments>Roaming Computers>Roaming Clients
Standalone Umbrella module (No VPN)
If you wish to deploy Umbrella as a standalone application and disable the VPN functionality, follow the same steps as the installation above but add the PRE_DEPLOY_DISABLE_VPN=1 parameter when installing the AnyConnect MSI. This will install only the core components of AnyConnect required for Umbrella to function, and will completely hide the VPN functionality.
-
- Download the relevant 'Pre-Deployment' installer from software.cisco.com
- Add the Umbrella installation MSI files and module profile (OrgInfo.json) to your installation package as follows. This file can be obtained from your Umbrella Dashboard in 'Deployments > Roaming Computers > Add'
anyconnect-win-X.X.XXXXX-core-vpn-predeploy-k9.msi
anyconnect-win-X.X.XXXXX-umbrella-predeploy-k9.msi
anyconnect-win-X.X.XXXXX-dart-predeploy-k9.msi
\Profiles\umbrella\OrgInfo.json - Alternatively, the OrgInfo.json can be pre-copied to this location:
%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\OrgInfo.json
- Add the Umbrella installation MSI files and module profile (OrgInfo.json) to your installation package as follows. This file can be obtained from your Umbrella Dashboard in 'Deployments > Roaming Computers > Add'
- Run the AnyConnect Core VPN MSI, the Umbrella MSI, and the DART MSI with the PRE_DEPLOY_DISABLE_VPN=1 property:
msiexec /package anyconnect-win-X.X.XXXXX-core-vpn-predeploy-k9.msi /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* vpninstall.log
msiexec /package anyconnect-win-X.X.XXXXX-umbrella-predeploy-k9.msi /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* umbrellainstall.log
msiexec /package anyconnect-win-X.X.XXXXX-dart-predeploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* anyconnect-win-X.X.XXXXX-dart-predeploy-k9-install-datestamp.log
- Download the relevant 'Pre-Deployment' installer from software.cisco.com
Setting MSI properties during installation
msiexec /package <MSI> /passive LOCKDOWN=1 /lvx*
msiexec /package <MSI> /passive ARPSYSTEMCOMPONENT=1 /lvx*
Alternatively these MSI settings could be configured by supplying customized installer transform files (.mst files). For more information see: Configure AnyConnect Lockdown.
Profile Troubleshooting
The common error "Profile is missing" indicates that the Umbrella module is installed but the profile (OrgInfo.json) is not. This means the Umbrella module cannot register with Umbrella or enable protection.
To resolve this for an existing installation simply add the profile here:
%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\OrgInfo.json
To correct the error for future installations, ensure this profile is properly embedded within the deployment package:
\Profiles\umbrella\OrgInfo.json
Comments
0 comments
Article is closed for comments.