Introduction:
This is a step-by-step guide on how to deploy Cisco Secure Client to macOS devices via JAMF. It assumes that your macOS device is already managed by JAMF. If you still need to enroll your macOS device in MDM, please follow JAMF's documentation.
DISCLAIMER: This article is provided as-is as of 02-06-2024. Umbrella support does not guarantee these instructions will remain valid after this date and is subject to change based on updates from JAMF and Apple macOS.
Prerequisite:
Procedure
Crafting the Package (PKG):
1. Download the Cisco Secure Client disk image (DMG) from your Umbrella dashboard, under Deployments --> Roaming Computers --> top right: Roaming Client --> Pre-Deployment Package --> macOS.
2. Follow our documentation to craft your disk image (DMG) until you've reached Step 5. This is done so you can create the install_choices.xml to enable/disable the modules you need for your environment. Additionally, ACTransforms.xml can be used to optionally hide the VPN module UI. The VPN module contains core services that the Umbrella module relies on in order to run correctly, so the VPN module must be deployed even if it is not used.
Your folder structure should look like this:
**Note: One way to verify the disk image has been crafted properly is to double-click "csc-writeable.dmg" and verify that ACTransforms.xml, install_choices.xml, and OrgInfo.json are still in their respective places. Keep this window open for the next step.
3. Navigate to Finder --> Go --> Go To Folder. Type /tmp and click on private > tmp. Drag ACTransforms.xml, install_choices.xml, and OrgInfo.json into the private > tmp folder. If you cannot find this folder within Finder, open Terminal and enter "cd / && open private/tmp" (without the quotes). This step is essential since the mounted volume may not always be visible in your directory.
4. Launch JAMF Composer. If the "Choose a method to create your package:" window pops up, click "Cancel" on the bottom left.
5. Drag install_choices.xml, OrgInfo.json, and Cisco Secure Client.pkg into JAMF Composer. Right-click on the tmp folder and select "Create New Directory". Name it exactly Profiles and drag ACTransforms.xml inside this folder. This will create the following directory structure (rename the source under Sources to a unique name).
**Note: There is a known bug with JAMF Composer version 11.4.1 or later where you cannot see the files populating. If you run into this bug, you would need to downgrade your JAMF Composer to an earlier version. For additional information, please reach out to JAMF support.
These steps to craft a package via JAMF Composer, converting the disk image (DMG) above into a package (PKG), are mandatory because JAMF Pro only accepts PKG files.
6. Click on the tmp folder, then click on 3-dots on the bottom right of JAMF Composer and select "Apply Permissions to tmp and All Enclosed Items".
7. Under Sources, expand Scripts --> Add Shell Script --> postinstall. Delete all the contents inside the sample script and replace it with the following:
#!/bin/zsh
# Run the newly crafted PKG against install_choices.xml to install the selected modules
/usr/sbin/installer -pkg /private/tmp/Cisco\ Secure\ Client.pkg -applyChoiceChangesXML /private/tmp/install_choices.xml -target /
# Copy the OrgInfo.json to the respective folder path to enable the Umbrella protection
/bin/cp -f /private/tmp/OrgInfo.json /opt/cisco/secureclient/umbrella/
8. Click on your package name under Sources; you will be prompted to save your script. Save the script and select "Build as PKG". Give your newly crafted package a unique name and save it to your ~/Desktop for ease of access.
Uploading Your Newly Crafted Package (PKG):
9. Log into your JAMF Pro cloud instance. Navigate to Settings --> Computer management --> Packages --> New. Upload the PKG you've just created from JAMF Composer in the previous step. Give it a unique name, select your desired Category and click Save.
NOTE: If you do not have the option to upload a PKG here, ensure you have the following configured in JAMF:
- Navigate to Settings --> Server --> Cloud distribution point
- Navigate to Settings --> Global --> Cloud Services connection
Creating a Jamf Policy:
The Jamf Policy determines how and when the Cisco Secure Client with Umbrella module will be pushed out. If you already have a pre-defined policy, you may use that instead and skip to Step 11 to add your newly crafted Cisco Secure Client PKG to your existing policy.
10. Navigate to Computers --> Content Management --> Policies --> New. Give the policy a unique name and select your desired Category and Trigger events (i.e. when this policy is executed). Optionally, you may also configure a custom trigger that can be executed under Custom. The command to execute and run this policy would look something like this:
sudo jamf policy -event <insert_custom_command>
11. Click on Packages --> Configure and select Add next to your Cisco Secure Client package.
12. Ensure under Distribution Point --> Each computer's default distribution point is selected.
13. Define your scope of devices and/or users and click Save.
Configuring a Silent Install of System Extension:
Next, we'll use JAMF to configure and allow Cisco Secure Client's required System Extensions in order for Cisco Secure Client with Umbrella module to run correctly without user interactions.
Cisco Secure Client Changes Related to macOS 11 (And Later)
14. Navigate to Computers --> Content Management --> Configuration Profiles --> New. Give it a unique name and select your Category and Distribution Method. Ensure Level is set to Computer Level.
15. Search for System Extensions --> Configure. Enter the following values:
- Display Name: Cisco Secure Client - System Extensions
- System Extension Types: Allowed System Extensions
- Team Identifier: DE8Y96K9QP
- Allowed System Extensions: Add --> com.cisco.anyconnect.macos.acsockext --> Save
16. Click the + sign next to "Allowed Team IDs and System Extensions" to add another System Extension. Then, enter the following values:
- Display Name: Cisco Secure Client - System Extensions
- System Extension Types: Allow System Extension Types
- Team Identifier: DE8Y96K9QP
- Allow System Extension Types: Network Extension
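Once the configuration profile in Steps 14-16 has been applied, a quick way to confirm from the endpoint that the socket-filter system extension was actually activated (rather than left waiting for user approval) is to parse the output of systemextensionsctl list. The following shell script is an added example written for this article, not part of the original instructions or Cisco's own tooling; the sample output it parses is constructed (the version string is a placeholder), it assumes the tab-separated column layout of systemextensionsctl list, and the <result> tags follow the Jamf extension attribute convention so the check can be reused as an inventory attribute.

```shell
#!/bin/sh
# Added example (not from the original article): verify from the managed Mac
# that the Cisco Secure Client socket-filter system extension is activated and
# enabled for the expected Team ID, by parsing `systemextensionsctl list`.

EXPECTED_TEAM_ID="DE8Y96K9QP"
EXPECTED_BUNDLE_ID="com.cisco.anyconnect.macos.acsockext"

# Constructed sample of `systemextensionsctl list` output (tab-separated
# columns). The version "5.1.0.0" is a placeholder, not a real release number.
sample_sysext_list() {
  printf '1 extension(s)\n'
  printf -- '--- com.apple.system_extension.network_extension\n'
  printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
  printf '*\t*\tDE8Y96K9QP\tcom.cisco.anyconnect.macos.acsockext (5.1.0.0/5.1.0.0)\tCisco Secure Client - Socket Filter Extension\t[activated enabled]\n'
}

# Read systemextensionsctl output on stdin. Return 0 only if the expected
# extension is listed as enabled ("*"), active ("*"), signed by the expected
# Team ID and in state "[activated enabled]"; return 1 otherwise.
sysext_is_active() {
  awk -F '\t' -v team="$EXPECTED_TEAM_ID" -v bundle="$EXPECTED_BUNDLE_ID" '
    # Data rows carry "*" in the enabled and active columns; the bundleID
    # column is "bundleID (version)", so match the bundle prefix exactly.
    $1 == "*" && $2 == "*" && $3 == team &&
    index($4, bundle " (") == 1 && $6 == "[activated enabled]" { ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# Live check for a managed Mac, e.g. as a Jamf extension attribute script.
sysext_check_live() {
  if systemextensionsctl list | sysext_is_active; then
    echo "<result>activated</result>"
  else
    echo "<result>missing</result>"
  fi
}
```

Run sysext_check_live on a deployed machine; a "missing" result after the profile is in scope usually means the profile has not reached the device yet or the Team ID / bundle ID entered in Step 15 does not match what the installed extension is signed with.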
Configuring a Silent Install of Content Filter:
Next, we'll configure a silent install for the Content Filter, which corresponds to the Cisco Secure Client with Umbrella module's Socket Filter.
17. Search for Content Filter. Enable and configure the following with its respective values:
- Filter Name: Cisco Secure Client - WebContentFilter
- Identifier: com.cisco.anyconnect.macos.acsock
- Socket Filter: Enabled
- Socket Filter Bundle Identifier: com.cisco.anyconnect.macos.acsockext
- Socket Filter Designated Requirement: anchor apple generic and identifier "com.cisco.anyconnect.macos.acsockext" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP)
18. Under Custom Data, click Add five times and enter the following values:
Key               | Value
AutoFilterEnabled | false
FilterBrowsers    | false
FilterSockets     | true
FilterPackets     | false
FilterGrade       | firewall
Configuring Managed Login Items:
Furthermore, configuring the Managed Login Items for the Cisco Secure Client with Umbrella module will ensure the Cisco Secure Client launches upon device startup.
19. Search for Managed Login Items and configure the fields with the following values:
- Rule Type: Bundle Identifier Prefix
- Rule Value: com.cisco.secureclient
- Team Identifier: DE8Y96K9QP
20. Navigate to Scope and define your scope of devices and/or users. The Cisco Secure Client with Umbrella module should be pushed out to your desired macOS devices when one of the Triggers you configured in Step 10 is activated. Alternatively, you can push it out through JAMF's Self Service portal.
NOTE: Even if a user tries to disable the DNS Proxy or Transparent Proxy in System Settings (Network --> Filter), it will automatically be re-enabled by default as the Content Filter is enabled via JAMF in Step 18 and cannot be disabled.
Additional Configuration (macOS Firewall):
If you have the macOS Firewall option "Block all incoming connections" enabled, as described in our KB "MacOS Cisco Secure Client / Umbrella fails to go protected - How to enable incoming connections", you will also need to add Cisco Secure Client and its components to the firewall's exception list.
1. Navigate to Computers --> Content Management --> Configuration Profiles. Select your Cisco Secure Client configuration profile and locate Security and Privacy.
2. Configure it with the following settings:
- Firewall: Enable - Control incoming connections for specific apps
App Name                                | Bundle ID
Cisco Secure Client - Socket Extensions | com.cisco.anyconnect.macos.acsockext
Cisco Secure Client                     | DE8Y96K9QP
Cisco Secure Client - Content Filter    | com.cisco.anyconnect.macos.acsock
3. Click Save.
4. If you're prompted with Redistribution Options, select Distribute to All to immediately push out the changes to your desired macOS devices.
Deploying the Cisco Umbrella Root Certificate:
This step only applies to new deployments of Cisco Secure Client or to devices that do not already have the Cisco Umbrella Root Certificate deployed. If you're migrating from the Umbrella Roaming Client or the Cisco AnyConnect 4.10 client, and/or have already deployed the Cisco Umbrella Root Certificate in the past, you may skip this section.
1. Navigate to your Umbrella dashboard, under Policies --> Root Certificate, download the Cisco Umbrella Root Certificate.
2. In JAMF, navigate to Computers --> Configuration Profiles --> Cisco Secure Client --> Edit. Search for Certificate --> Configure. Give it a unique name.
3. Under Select Certificate Option, select Upload and upload the Cisco Umbrella Root Certificate you've downloaded previously in Step 1. Ensure you DO NOT configure a password here and click Save.
4. If you're prompted with Redistribution Options, select Distribute to All to immediately push out the changes to your desired macOS devices.
Verify:
You may verify that the Cisco Secure Client with Umbrella module is working either by browsing to https://policy-debug.checkumbrella.com or by running the following command:
dig txt debug.opendns.com
Either output should contain unique and relevant information to your Umbrella organization such as your OrgID.
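If you want that verification to run unattended on each Mac (for example as a Jamf extension attribute or a post-deployment check), the following shell script parses the TXT answer of dig and reports the orgid it finds. It is an added example written for this article, not part of the original instructions or of Cisco's tooling; the sample dig output is constructed with placeholder values, and it assumes the response contains an "orgid <number>" TXT string, which is the field the article refers to as your OrgID.

```shell
#!/bin/sh
# Added example (not from the original article): check the debug.opendns.com
# TXT answer for the Umbrella org id that a protected machine should return.

# Constructed sample of `dig +short txt debug.opendns.com` output from a
# protected machine; every value below is an illustrative placeholder.
SAMPLE_DIG_OUTPUT='"server r1.example"
"flags 20 0 70 5950800000000000000"
"originid 123456789"
"orgid 1234567"
"actype 0"
"source 203.0.113.10:12345"'

# Print the value of one named TXT record ($1) read from dig output on stdin.
# Returns 1 if the record is absent.
umbrella_txt_value() {
  key="$1"
  tr -d '"' | awk -v k="$key" '$1 == k { print $2; found = 1 } END { exit found ? 0 : 1 }'
}

# Read dig output on stdin; print the orgid and return 0 when a numeric
# orgid record is present, return 1 otherwise (unprotected or no answer).
umbrella_check_output() {
  orgid=$(umbrella_txt_value orgid) || return 1
  case "$orgid" in
    ''|*[!0-9]*) return 1 ;;
  esac
  printf '%s\n' "$orgid"
  return 0
}

# Live check (needs network and the resolver behaviour the Umbrella module
# provides): query the debug record and evaluate the answer.
umbrella_check_live() {
  if orgid=$(dig +short txt debug.opendns.com | umbrella_check_output); then
    echo "<result>protected orgid=$orgid</result>"
  else
    echo "<result>unprotected</result>"
  fi
}
```

Compare the orgid printed against the organization ID shown in your Umbrella dashboard; a numeric orgid that belongs to a different organization indicates the wrong OrgInfo.json was packaged in Step 5.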
Workaround for macOS 14.3
If you're running macOS 14.3 (or later) with Cisco Secure Client with Umbrella module 5.1.X, you may run into the error "The VPN client agent was unable to create the interprocess communication depot."
1. To address this issue, in JAMF browse to Settings --> Computer Management --> Scripts --> New. Give it a unique name and define your category. Then, navigate to the Script tab and add the following:
#!/bin/bash
# Create variables with the folder path and the Cisco Secure Client app service
app_name="Cisco Secure Client - AnyConnect VPN Service.app"
app_path="/opt/cisco/secureclient/bin/$app_name"
# Check whether the Cisco Secure Client service is already running
app_process=$(pgrep -fl "$app_name")
# If not, launch the Cisco Secure Client app service via the "open -a" command
if [ -z "$app_process" ]; then
    open -a "$app_path"
else
    exit 0
fi
2. Under Options, ensure the Priority is set to After.
This bash script checks whether "Cisco Secure Client - AnyConnect VPN Service.app" is running by looking for the expected output (the process ID) from pgrep -fl. If pgrep returns empty output, the service is not running, and the script launches the Cisco Secure Client core services that the Umbrella module requires in order to run correctly.