browse
Overview
This configuration guide covers the steps to provision the Secure Client Umbrella Roaming Security Module via MS Intune.
Pre-requisites
- Access to Umbrella Dashboard.
- Access to MS Intune Portal.
- Secure Client Umbrella Module Profile (orginfo.json).
- Secure Client Pre-deployment package for the version to be deployed.
- Microsoft Win32 Content Prep Tool.
The method used on this guide uses “Windows app (Win32)” option, so it is required to convert both the cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.msi and cisco-secure-client-win-5.0.05040-umbrella-predeploy-k9.msi into “. intunewin” format.
Secure Client Core VPN Module and Secure Client Umbrella Module .msi conversion into .intunewin format steps
1. Access to your Umbrella Dashboard and download the Secure Client Umbrella Module Profile (orginfo.json) under “Deployments>Roaming Clients> Download> Download Module Profile”:
2. After unzipped, on the Secure Client pre-deployment package drop the Umbrella profile (orginfo.json) under “\cisco-secure-client-win-5.0.05040-predeploy-k9\Profiles\umbrella” path.
3. Download “Microsoft Win32 Content Prep Tool”.
4. Create a folder and drop the “IntuneWinAppUtil” application, also create an input and output folder in your machine:
5. On the “Intune_input” folder drop the Secure Client "VPN Core" and "Umbrella" .msi files. Also, copy/paste the "Profiles" folder and subfolders (cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.msi and cisco-secure-client-win-5.0.05040-umbrella-predeploy-k9.msi, the Profiles subfolders is where you dropped the Umbrella profile on Step #2).
6. Then open the “IntuneWinAppUtil.exe” application and specify the “Intune_input” as your source folder, Secure Client Core VPN .msi as your source setup file, also specify the “Intune_output” as your output folder (here is where the application will generate the Secure Client Core VPN .intunewin file):
After this step is done, confirm the creation of the Secure Client Core VPN .intunewin file under the Intune_output folder:
7. Repeat the above step (Step #6), but this time for the Secure Client Umbrella Module (since we dropped the Umbrella Profile within the Profiles folder this will create the Secure Client Umbrella .intunewin file with the Umbrella profile embedded on it):
After this step is done, confirm the creation of the Secure Client Umbrella .intunewin file is also under the Intune_output folder:
Upload and configure the Secure Client Core VPN .intunewin file on the Intune Portal
1. Now you need to go access to your MS Intune Portal under “Home>Apps>Windows” and for Select app Type choose “Windows app (Win32)” then click “Select”:
2. Then you need to click on “Select app package file” and upload the Secure Client Core VPN .intunewin file, then click “OK”:
3. On this step specify the minimum information like “Publisher” and “Category” and click “Next”:
4. Specify the installation command parameters. You can use the default one or use the Secure Client supported parameters specified on the Secure Client Admin Guide from the respective version you are installing (for this example we are using passive mode and Disabled the VPN module so only Umbrella module is displayed on the Secure Client UI, also logging to vpninstall.log file), you also need to specify the Device Restart behavior and then click “Next” (ex. msiexec /i "cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.msi" /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* vpninstall.log):
5. As part of the Requirements, you need to specify the OS architecture and Minimum OS running on the devices you want to push the Secure Client Core VPN (you can also specify other requirements if needed).
6. You can optionally configure detection rules to detect if the Secure Client Core VPN is already present on the device, with this option you can also detect if same or different Secure Client version is found. In this example we have configured the detection rule for any of the Secure Client Core VPN versions, specify the “Rule Type” as .msi:
7. On the Dependencies option we will not be configuring any for the Secure Client Core VPN so just click “Next”:
8. Optionally, you can configure Supersedense in order to update or replace an existing application on the device, it only applies to Win32 apps, for further information about Supersedense you can refer to the MS Intune documentation. In our example we are not specifying any application to be replaced so just click “Next”
9. Now we need to specify the assignments to specify the group/user we want to install the Secure Client VPN Core, due to the next steps we will follow on the next section, we do not need to assign it to any users/groups, so just click “Next”:
10. Review the configuration to make sure everything is good and click “Create”:
11. If you go back to MS Intune Portal under “Home>Apps>Windows” you will find the created AnyConnect Core VPN Win32 app:
Upload and configure the Secure Client Umbrella Module .intunewin file on the Intune Portal
1. We need to repeat the same process but this time for Secure Client Umbrella Module so in your MS Intune Portal go under “Home>Apps>Windows” and for Select app Type choose “Windows app (Win32)” then click “Select”:
2. Then you need to click on “Select app package file” and upload the Secure Client Umbrella VPN .intunewin file, then click “OK”:
3. On this step specify the minimum information like “Publisher” and “Category” and click “Next”:
4. Specify the installation command parameters. You can use the default one or use the Secure Client supported parameters specified on the Secure Client Admin Guide from the respective version you are installing (for this example we are just using passive mode and logging to umbrellainstall.log file), you also need to specify the Device Restart behavior and then click “Next” (ex. msiexec /i "cisco-secure-client-win-5.0.05040-umbrella-predeploy-k9.msi" /passive /lvx* umbrellainstall.log):
5. As part of the Requirements, you need to specify the OS architecture and Minimum OS running on the devices you want to push the Secure Client Umbrella (you can also specify other requirements if needed):
6. You can optionally configure detection rules to detect if the Secure Client Umbrella Module is already present on the device, with this option you can also detect if same or different Secure Client version is found. In this example we have configured the detection rule for any of the Secure Client Umbrella Module versions, specify the “Rule Type” as .msi
7. On the Dependencies option in this case, we will specify the Secure Client Core VPN module and also configure “Automatically Install” as Yes, so when the Secure Client Umbrella Module is about to be pushed by Intune, if the Secure Client Core VPN is not installed, it will automatically install it first and then the Secure Client Umbrella Module can be installed, then just click next “Next”:
8. Optionally, you can configure Supersedense in order to update or replace an existing application on the device, it only applies to Win32 apps, for further information about Supersedense you can refer to the MS Intune documentation. In our example we are not specifying any application to be replaced so just click “Next”:
9. Now we need to specify the Assignments to configure the group/user we want to install the Secure Client Umbrella Module (Secure Client VPN Core will also be installed due to the “Dependencies” Rule). In this example we are assigning a device group called “Intune Group” you can also specify other parameters for the installation, then click “Next”:
10. Review the configuration to make sure everything is good and click “Create”:
11. If you go back to MS Intune Portal under “Home>Apps>Windows” you will find the created Secure Client Umbrella Module Win32 app has been created and assigned, at this point we just need to wait for it to be pushed to the devices/users within the selected group:
Verification
1. You can review the successful installation by going under “Home>Apps>All Apps” and click on “Cisco Secure Client - Umbrella”:
2. Verify on the PC that both, the Secure Client "Core VPN" and "Umbrella" modules are installed but only the Umbrella module UI is visible: