This article covers how to create a deployment package from SecureX that includes the SC Umbrella Roaming software and OrgInfo.json file and then install it via script.
We will also add the DART module, the VPN/Core module and the Cloud Management module to the same deployment package.
As part of this configuration, we are going to hide the VPN UI so that only the Umbrella module is visible to the user. For simplicity of deployment, we also import the Umbrella Root CA certificate. All of this is done by running a .bat script.
Once the deployment package is ready, you just need to run the script to have the Umbrella agent installed, the Root CA imported onto the machine and only the Umbrella UI visible.
Note: The configuration example here assumes you don't need the VPN UI for the VPN capabilities nor any other .xml profile like the VPN Client Profile.
- Admin Access to SecureX.
- Access to the Umbrella Dashboard.
- Admin rights on the PC you will install this on.
- If possible, restrict the user's admin access to the following path: C:\ProgramData\Cisco\Cisco Secure Client, so they cannot remove or edit the profiles.
- You can also consider restricting the ability to start/stop/restart services on the PC.
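One way to check the profile-directory restriction recommended above, as an added PowerShell example that is not part of the original article or Cisco's tooling. The trusted SID list is an assumption to adapt to your environment; the script only reads ACLs and reports entries that would let another principal edit or remove files under that path.

```powershell
# Added example: audit who can modify the Secure Client profile directory.
# Read-only; run from an elevated prompt so every ACL can be read.
$ProfileRoot = 'C:\ProgramData\Cisco\Cisco Secure Client'

# SIDs that may hold write access (assumption: adjust to your own policy).
$TrustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow editing, replacing or deleting a profile, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that can
# appear in inherit-only entries.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000

function Get-UntrustedWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($TrustedSids -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Sid    = $ace.IdentityReference.Value
                    Rights = $ace.FileSystemRights
                }
            }
        }
    }
}

$findings = @(Get-UntrustedWriteAce -Path $ProfileRoot)
if ($findings.Count -eq 0) { 'No write access for untrusted principals.' }
else { $findings | Format-Table -AutoSize -Wrap }
```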
As of now, the deployment package is supported for Windows OS only.
- You can't push software from SecureX directly. It is not an SCCM-like solution, just a tool for creating a deployment package with every SC module/profile you need, which you then distribute across the whole company using either a manual installation method or an automated one like GPO, SCCM, Intune, etc.
- There is no way to create the deployment package with only the Umbrella module and without the VPN/Core one. All modules are core-dependent, meaning that to install any other module like Umbrella, Posture, NAM, etc., the Core module must also be installed.
- As this deployment package is created using SecureX, the Cloud Management module will always be deployed; we can't skip it.
- We cannot lock down services from SecureX directly, and there is no timeline to support this yet.
If the lockdown option is required, consider using the "secure client .msi" file directly from the Cisco Software Download page, with the help of the Command-Line and Customization for Installation.
- Start by downloading the OrgInfo.json file from the dashboard.
This file is found once logged in to the dashboard under: "Deployments > Roaming Computers > Roaming Client > Download Module Profile".
- Log in to your SecureX account in order to create the deployment package.
Go to "Insights > Profiles > Umbrella", and upload the OrgInfo.json file downloaded on the previous step.
Go to "Insights > Deployment Management > Create New."
Cloud Management: define a profile if you already created one. If none is selected, a default profile will be generated and applied at the time of installation, in which default Cloud Management settings are used. Info about it can be found here.
Secure Endpoint: If you are using Secure Endpoint (previously known as AMP), you can also make it part of the deployment package and have it installed along with the Umbrella module.
Choose a version:
- AnyConnect VPN (aka Core Module): define the version you want to use. For the purpose of this demo we will use the recommended one.
- Umbrella: toggle this setting on and select the profile we uploaded on step #1.
- Diagnostics and Reporting Tool: This is completely optional, but it is recommended to always have DART on the machines since it helps troubleshoot issues on the PC from any SC module you install.
Note: if you are using any other module, you can toggle it on and make it part of the installation package.
Name your Deployment Management package at the top under "Edit Name".
Click on Save.
Download your deployment package. For this lab we are using the Full Installer.
There are two different packages you can deploy:
Network Installer - A lightweight installer that contains only the cloud management client. When deploying the network installer, it fetches the rest of the installers configured on the deployment in the background.
Full installer - A bundle of all the installers and profiles that have been configured for a deployment, larger in size than the network installer. When the user installs a full installer, the cloud management client and all the packages from the deployment are installed.
- In order to hide the VPN UI as part of the installation script, create an .xml file and name it VPNDisable_ServiceProfile.xml and have the following content inside of it:
<?xml version="1.0" encoding="utf-8"?>
<!-- Cisco AnyConnect VPN Profile - This profile is a sample intended to allow for the disabling of VPN service
for those installations that do not require VPN support. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
    <ClientInitialization>
        <ServiceDisable>true</ServiceDisable>
    </ClientInitialization>
</AnyConnectProfile>
- (Optional) In order to install the Umbrella Root CA Certificate as part of the installation script, please download the Root CA from the Umbrella Dashboard under: "Deployments > Root Certificate > Cisco Root Certificate Authority > click on the download icon".
Place all the files in a centralized location that all the PCs have access to. The files needed in this case are:
- SecureX Deployment Management.
- Create the following .bat script to automate the installation:
REM First command will install the Deployment Management created in SecureX.
REM Second command will hide the VPN UI with the help of the .xml file created under step #4.
REM Third command will add the Umbrella Root CA to the Trusted Root Certificate Authorities.
copy C:\<path_of_your_file>\VPNDisable_ServiceProfile.xml "C:\ProgramData\Cisco\Cisco Secure Client\VPN\Profile\VPNDisable_ServiceProfile.xml"
certutil -enterprise -f -v -AddStore "Root" <path_of_your_file>\Cisco_Umbrella_Root_CA.cer
- Run the .bat file as an admin using PowerShell.
- We're all set. The SC with the Umbrella module has been installed.
- Verify the Root CA certificate has been installed on the machine using MMC:
- Verify the Umbrella Module is installed and this is the only one visible, without the VPN Core module.
- Check the installed software on the PC.
- On the Umbrella Dashboard, Deployments > Roaming Computers, verify the computer successfully registered to your ORG/Dashboard:
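A scripted counterpart to the verification steps above, as an added PowerShell example (not the author's or Cisco's script). Because the .bat file force-adds whatever `.cer` sits on the share to the Trusted Root store, it first compares that file with a thumbprint you recorded yourself; `$SourceDir`, `$ExpectedThumbprint` and the display-name wildcard are assumptions to replace.

```powershell
# Added example, run elevated after the .bat file has finished.
# Assumptions: $SourceDir is the share the .bat file copies from, and
# $ExpectedThumbprint is the SHA-1 thumbprint you recorded from a copy of the
# Root CA that you downloaded from the Umbrella dashboard yourself.
$SourceDir          = 'C:\<path_of_your_file>'
$ExpectedThumbprint = '<THUMBPRINT_OF_YOUR_UMBRELLA_ROOT_CA>'
$ProfileName        = 'VPNDisable_ServiceProfile.xml'
$DeployedProfile    = "C:\ProgramData\Cisco\Cisco Secure Client\VPN\Profile\$ProfileName"

function Get-CerThumbprint {
    param([Parameter(Mandatory)][string]$Path)
    ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)).Thumbprint
}

function Test-SameFile {
    param([string]$A, [string]$B)
    (Test-Path -LiteralPath $A) -and (Test-Path -LiteralPath $B) -and
        ((Get-FileHash -LiteralPath $A -Algorithm SHA256).Hash -eq
         (Get-FileHash -LiteralPath $B -Algorithm SHA256).Hash)
}

function Test-UmbrellaDeployment {
    $cer   = Join-Path $SourceDir 'Cisco_Umbrella_Root_CA.cer'
    $thumb = Get-CerThumbprint -Path $cer
    $want  = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    [pscustomobject]@{
        # The file on the share is the certificate you meant to trust.
        CerMatchesPin    = ($thumb -eq $want)
        # That exact certificate is in the machine Root store (logical view,
        # which includes the Enterprise store that certutil -enterprise uses).
        RootCaInStore    = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                               Where-Object Thumbprint -eq $thumb)
        # The deployed VPN-disable profile is byte-identical to the source copy.
        ProfileUnchanged = Test-SameFile (Join-Path $SourceDir $ProfileName) $DeployedProfile
        # Display names are an assumption: adjust the wildcard if yours differ.
        InstalledModules = @(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
                               Where-Object { $_.DisplayName -like 'Cisco Secure Client*' } |
                               ForEach-Object DisplayName)
    }
}

Test-UmbrellaDeployment | Format-List
```

If `CerMatchesPin` is false, treat the share copy as untrusted and remove the imported certificate from the Root store before investigating.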