Disclaimer: This article is provided "as-is" as of 6th June 2025. Umbrella Support does not guarantee that these instructions will remain valid after this date, as they are subject to change based on updates from third-party providers.
Step 1 - Customizing your installation file
You will need a copy of your Pre-deployment Package macOS installer and your module profile (OrgInfo.json) from your dashboard.
Follow the steps in the Customize macOS Installation of Cisco Secure Client guide up to step 5. Once the install_choices.xml file is generated and modified to suit your installation preferences, copy this file to the following location: "/Volumes/Cisco Secure Client <version>/". Afterward, proceed with the guide, finishing on step 7.1.
Example file path: "/Volumes/Cisco Secure Client 5.1.8.122/install_choices.xml"
We should now have the following:
- A csc-readable.dmg file (this is the file that will be used for deployment).
- The folder structure within the .dmg file should appear as shown below. Please note that the install_choices.xml file is located under the Profiles folder, not the Feedback folder:
Step 2 - Packaging the file for Intune
Intune is unable to deploy the .dmg file as a package. Therefore, we need to use a third-party tool, such as "Packages for Mac," to repackage the .dmg file into a .pkg file.
1. Download and install the Packages app from: https://packages.macupdate.com.
2. Run Packages.app.
3. Upon opening the app, you will be presented with a choice between "Distribution" and "RAW." Select "RAW," then click "Next."
4. Name your project (e.g. CiscoSecureClientUmbrellaDeploy) and set a project directory. This directory will be where the final package is saved, which we will upload to Intune. Then, select "Create."
5. Select the "Payload" tab, then navigate to Users > Shared. Press the "+" button and add the csc-readable.dmg file that we created earlier in "Step 1 - Customizing Your Installation File."
Note: "/Users/Shared" is where our package will extract the csc-readable.dmg file to.
6. Once the file is added to your chosen location, select "Build" > "Build." This will generate a .pkg file in the project directory you set earlier. This .pkg file is the one you need to upload to Intune.
Step 3 - Deploying the file via Intune
1. In Intune, navigate to Apps | macOS | macOS | macOS apps, and click "Create." You will then be prompted to select the app type. Choose "macOS App (PKG)."
2. App Information: Select a file – Select the .pkg file that was exported from Packages.app earlier.
- Name the file, provide a description of what the .pkg file does, set the publisher as "Cisco," and assign yourself as the owner.
3. Program:
- Leave pre-install empty.
- Post install – Enter the script you wish to run. This script will execute the .dmg file that the .pkg file has placed in the Users/Shared directory on the macOS device.
Install Script
#!/bin/bash
#Mount the DMG that the .pkg placed in /Users/Shared. Stop if either step fails.
cd /Users/Shared/ || exit 1
hdiutil attach csc-readable.dmg || exit 1
#Run the installer with our xml choices file.
sudo installer -pkg "/Volumes/Cisco Secure Client <version>/Cisco Secure Client.pkg" -applyChoiceChangesXML "/Volumes/Cisco Secure Client <version>/install_choices.xml" -target /
#Check installer exit code.
if [ $? -ne 0 ]; then
  echo "Error: Installation failed."
  #Add any necessary cleanup or rollback actions here
  exit 1
fi
#Unmount the DMG (replace <version> here as well).
hdiutil detach "/Volumes/Cisco Secure Client <version>"
exit 0
- IMPORTANT NOTE: Replace every <version> in the script with the version of Cisco Secure Client you are installing, including in both the -pkg and -applyChoiceChangesXML paths. For example:
sudo installer -pkg "/Volumes/Cisco Secure Client 5.1.8.122/Cisco Secure Client.pkg" -applyChoiceChangesXML "/Volumes/Cisco Secure Client 5.1.8.122/install_choices.xml" -target /
4. Requirements: Minimum operating system you will allow this to run on.
5. Detection rule: This script will continue to re-run if Intune does not detect the app installed on the device.
6. Scope Tag: Leave empty for this deployment.
7. Assignments: Add the groups, users or devices you wish to deploy to.
8. Review + Create.
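The post-install script runs the installer with elevated privileges from a DMG staged in /Users/Shared, so checking the package signature before the installer call is a useful guard. The following is an added example, not part of the original article or a Cisco-provided script: it compares the signer reported by pkgutil --check-signature with the Team Identifier listed in Step 4. The function names and the sample report are constructed for illustration.

```shell
#!/bin/bash
# Added example: confirm that the installer inside the mounted DMG is signed by
# the expected Apple Developer Team ID before the post-install script runs it.

EXPECTED_TEAM_ID="DE8Y96K9QP"   # Team Identifier listed in Step 4 of this article

# Read `pkgutil --check-signature` output on stdin and print the Team ID of the
# leaf certificate (entry "1." of the certificate chain), if there is one.
leaf_team_id() {
  sed -n 's/^[[:space:]]*1\. Developer ID Installer: .*(\([A-Z0-9]\{10\}\))[[:space:]]*$/\1/p' | head -n 1
}

# signature_matches REPORT EXPECTED
# Return 0 only if the report names EXPECTED as the signing team.
signature_matches() {
  found="$(printf '%s\n' "$1" | leaf_team_id)"
  [ -n "$found" ] && [ "$found" = "$2" ]
}

# verify_pkg PATH  (macOS only: pkgutil ships with the operating system)
verify_pkg() {
  # Treat a pkgutil failure as a failed check.
  report="$(pkgutil --check-signature "$1")" || return 1
  signature_matches "$report" "$EXPECTED_TEAM_ID"
}

# Constructed sample of pkgutil output, used to exercise the parser offline.
# The signer name is a placeholder, not Cisco's actual certificate name.
SAMPLE_REPORT='Package "Cisco Secure Client.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Vendor (DE8Y96K9QP)
    2. Developer ID Certification Authority
    3. Apple Root CA'

# Intended use in the install script, between "hdiutil attach" and "installer":
#   verify_pkg "/Volumes/Cisco Secure Client <version>/Cisco Secure Client.pkg" || {
#     echo "Error: unexpected package signer."
#     hdiutil detach "/Volumes/Cisco Secure Client <version>"
#     exit 1
#   }
```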
Step 4 - Set Up the Correct Extension Permission & Login Settings
The Cisco Secure Client requires additional settings to be configured as outlined in our documentation: Cisco Secure Client (including AnyConnect) Administrator Guide, Release 5.1
1. Managed Login Items:
- Devices | macOS > Configuration > Create > New policy > Settings Catalog > Configuration settings > Login > Configure Instance.
- Comment: Cisco Secure Client
- Rule Type: Bundle Identifier Prefix
- Rule Value: com.cisco.secureclient
- Team Identifier: DE8Y96K9QP
2. MDM Configuration Profile for Cisco Secure Client System and Kernel Extension Approval:
- You can copy the sample MDM Configuration Profile (XML code) from the Administrator Guide or modify your existing MDM Profile Configuration. Then, follow the Microsoft guide to Create a profile with custom settings in Intune.
Summary
The .pkg file you create in Packages.app does not directly install the software. Instead, it deploys your configured files to the macOS device. The process flows as follows:
1. CiscoUmbrellaDeploy.pkg places the csc-readable.dmg file onto the macOS device, storing it in HD > Users > Shared.
2. The post-install Intune script runs to open the csc-readable.dmg. This .dmg file will mount a drive called Cisco Secure Client <version> on the endpoint.
3. Once the Cisco Secure Client <version> image is mounted, the script will execute the Cisco Secure Client.pkg using the install_choices.xml file that was added to the .dmg file. This process will place the OrgInfo.json file in Macintosh HD > Library > Application Support > Cisco > Cisco Secure Client > Umbrella and apply your configuration choices.
4. Once the installation is complete, the script will dismount the drive.
5. Intune configuration policies for the login item and configuration profile will then run, granting the necessary permissions to secure the client.