This configuration guide outlines the steps to provision the Secure Client Umbrella Roaming Security Module via Kandji.
Disclaimer: This article is provided as-is as of 03/03/2025. Umbrella support does not guarantee that these instructions will remain valid after this date, and they are subject to change based on updates from Kandji.
Pre-requisites
- Access to Umbrella Dashboard.
- Access to Kandji Portal.
- Secure Client Umbrella Module Profile (orginfo.json).
- Secure Client Pre-deployment package for the version to be deployed.
This guide utilizes the .zip deployment method within Kandji, along with a post-install script.
Prepping your .zip installer
1. Access your Umbrella Dashboard and download the Secure Client Umbrella Module Profile (orginfo.json) by navigating to 'Deployments > Roaming Clients > Download > Download Module Profile.'
2. You can also download the latest version of the macOS installer by selecting the Pre-Deployment Package.
3. We can now configure our .dmg file for deployment by changing the installer image to a writable version. This can be done using Disk Utility or the Terminal application as follows:
hdiutil convert <source dmg> -format UDRW -o <output dmg>
4. Open the newly converted .dmg file and navigate to the 'Profiles' folder. Then, in the Umbrella folder, place the OrgInfo.json file you downloaded from your dashboard.
4.1. To optionally hide the VPN module, edit the ACTransforms.xml file. Update the <DisableVPN> element to true and remove the comment tags <!-- and -->.
5. Next, create a new file named install_choices.xml. This file will specify which modules you wish to install.
Run the following command to generate the file:
installer -pkg /Volumes/Cisco\ Secure\ Client\ <version>/Cisco\ Secure\ Client.pkg -showChoiceChangesXML > ~/Downloads/install_choices.xml
- To skip a module, define the module with 0.
- To install a module, define the module with 1.
This file needs to be located in the same folder as the modified .dmg file. Your folder structure should resemble the following:
In the example below, the install_choices.xml file includes the Core VPN, Umbrella, and DART modules, each set to 1, indicating they are included in the Secure Client installation.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_anyconnect_vpn</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_anyconnect_vpn</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>1</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_anyconnect_vpn</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_fireamp</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_fireamp</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_fireamp</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_dart</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_dart</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>1</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_dart</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_secure_firewall_posture</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_secure_firewall_posture</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_secure_firewall_posture</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_iseposture</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_iseposture</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_iseposture</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_nvm</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_nvm</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_nvm</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_secure_umbrella</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_secure_umbrella</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>1</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_secure_umbrella</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_thousandeyes</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_thousandeyes</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_thousandeyes</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_duo</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_duo</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_duo</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_zta</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_zta</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_zta</string>
</dict>
</array>
</plist>
6. We now change the installer image to a read-only version using either Disk Utility or the Terminal application as follows:
hdiutil convert <source dmg> -format UDRO -o <output dmg>
7. The final step in preparing the Umbrella installation is to convert the installation folder into a .zip file, which will be ready to upload to the Kandji Dashboard.
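A check that can be run on the admin workstation before zipping the folder in step 7 (an added example, not part of the original guide or of Cisco's or Kandji's tooling): it parses a choice-changes file with Python's plistlib and lists every module whose selected value differs from what you intend to deploy. The sample plist is constructed, and the function names and the expected set are assumptions for illustration.

```python
import plistlib

# Constructed sample in the install_choices.xml format (trimmed to three modules).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
<dict><key>attributeSetting</key><true/>
<key>choiceAttribute</key><string>visible</string>
<key>choiceIdentifier</key><string>choice_secure_umbrella</string></dict>
<dict><key>attributeSetting</key><integer>1</integer>
<key>choiceAttribute</key><string>selected</string>
<key>choiceIdentifier</key><string>choice_secure_umbrella</string></dict>
<dict><key>attributeSetting</key><integer>1</integer>
<key>choiceAttribute</key><string>selected</string>
<key>choiceIdentifier</key><string>choice_nvm</string></dict>
<dict><key>attributeSetting</key><integer>0</integer>
<key>choiceAttribute</key><string>selected</string>
<key>choiceIdentifier</key><string>choice_dart</string></dict>
</array>
</plist>"""


def selected_modules(plist_bytes):
    """Map each choiceIdentifier to True/False from its 'selected' entry."""
    result = {}
    for entry in plistlib.loads(plist_bytes):
        # 'visible' and 'enabled' entries do not decide what gets installed.
        if entry.get("choiceAttribute") == "selected":
            result[entry["choiceIdentifier"]] = bool(entry["attributeSetting"])
    return result


def audit_choices(plist_bytes, expected):
    """Return the differences between the selected modules and `expected`."""
    selected = {m for m, on in selected_modules(plist_bytes).items() if on}
    problems = [f"not selected: {m}" for m in sorted(expected - selected)]
    problems += [f"unexpectedly selected: {m}" for m in sorted(selected - expected)]
    return problems


if __name__ == "__main__":
    # Expected set taken from the guide's example: Core VPN, Umbrella and DART.
    want = {"choice_anyconnect_vpn", "choice_secure_umbrella", "choice_dart"}
    for line in audit_choices(SAMPLE, want) or ["choices match"]:
        print(line)
```

To audit a real file, pass `open(path, "rb").read()` for your install_choices.xml in place of `SAMPLE`.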
Kandji Dashboard Changes
1. For macOS 13 (and later) and Secure Client 5.1, the VPN Agent requires user approval before being launched by the OS. To automate this approval process or prevent users from disabling the Login Items owned by the Secure Client, you must deploy an MDM profile with attributes configured for Managed Login Items.
- Bundle Identifier Prefix: com.cisco.secureclient
- Team Identifier: DE8Y96K9QP
These can be created by following the Kandji guide: Configure the Login & Background Items Library Item, which uses the bundle identifier: com.cisco.secureclient.
2. The Cisco Secure Client uses a network system extension on macOS 11 (and later), bundled into an application named 'Cisco Secure Client - Socket Filter.' Next, you need to have Kandji install this using the identifiers provided below:
- Team Identifier: DE8Y96K9QP
- Bundle Identifier: com.cisco.anyconnect.macos.acsockext
- System Extension Type: NetworkExtension
These identifiers can be set up by following the Kandji guide: System Extensions - Overview and Guide
3. The Cisco Secure Client must be deployed as a Custom App, which can be done by following the Kandji guide: Deploying Custom Apps. When you reach the 'Add & Configure' stage, make the following adjustments for deployment:
- Choose Package Type: Choose 'ZIP file'.
- Upload Installer: Upload the .zip file configured earlier in step 7.
  - If you choose a .zip file type, you'll have an additional field to define an unzip location. (Default location is /var/tmp/)
- Post-Install Script: Provide a script to be executed after the package is run.
  - Update <Filename.zip> to the name used in step 7 earlier.
  - Update <Folder Name> to the name of the folder that contains the .dmg file and the install_choices.xml file.
  - Update <Output dmg file.dmg> to the name declared in step 5 earlier.
Example Script
#!/bin/bash
# Optionally extract the ZIP file. (Kandji extracts to /var/tmp by default.)
#unzip "/var/tmp/Cisco Secure Client 5-1-7-80.zip" -d /var/tmp/
# Mount the DMG.
hdiutil attach "/var/tmp/<Folder Name>/<Output dmg file.dmg>"
# Run the installer with our xml choices file.
installer -pkg "/Volumes/Cisco Secure Client 5.1.7.80/Cisco Secure Client.pkg" -applyChoiceChangesXML "/var/tmp/<Folder Name>/install_choices.xml" -target /
# Check installer exit code.
if [ $? -ne 0 ]; then
    echo "Error: Installation failed."
    # Add any necessary cleanup or rollback actions here
    exit 1
fi
# Unmount the DMG (hdiutil detach takes the mount point or device node, not the bare volume name).
hdiutil detach "/Volumes/Cisco Secure Client 5.1.7.80"
# Remove the temp files & folders (quoted, because the names may contain spaces).
rm -rf "/var/tmp/<Folder Name>"
rm -f "/var/tmp/<Filename.zip>"
exit 0
If you experience deployment issues related to deploying the Cisco Secure Client, you can contact the TAC team as outlined here: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html.
For deployment issues related to the Umbrella Module, please log a support ticket with the Umbrella Support Team.