This article describes the custom installation process for the AnyConnect Web Security module on both Mac and Windows.
There are two deployment types for AnyConnect: a web-deploy installation, which is installed automatically by a Cisco firewall or router, and a pre-deploy installation, which requires user intervention.
In this scenario, the pre-deploy installation is customised on Mac endpoints to install only the selected modules.
Note: Installing any AnyConnect feature module (Web Security, AMP, Umbrella, posture, etc.) requires the VPN module to be installed. However, the AnyConnect VPN window can be hidden on the user machine so that only the specific feature modules are visible to users.
Step 1. Convert the .dmg Package
Convert the .dmg package from a read-only state to read-write with Disk Utility or hdiutil:
hdiutil convert anyconnect-macos-4.10.01075-predeploy-k9.dmg -format UDRW -o anyconnect-macos-4.10.01075-predeploy-k9-rw.dmg
Step 2. Run the Converted File
Run the converted file anyconnect-macos-4.10.01075-predeploy-k9-rw.dmg in order to initiate the installation process.
Step 3. Generate the Installer.xml file
This example is intended to send all the installer options to a text file called vpn_install_choices.xml, which will be created in the Downloads folder. For example:
Step 4. Extract the Install Options
The code presented is XML from the vpn_install_choices.xml file. It contains the entries needed to custom install all the AnyConnect modules:
The above XML file installs the VPN (which will be hidden later), Umbrella Roaming Security and DART modules by setting the integer value to 1 for those modules and to 0 for the rest.
Step 5. Make changes to the ACTransforms.xml file to hide the VPN module
Under the profiles folder, the ACTransforms.xml file needs to have the line <DisableVPN>true</DisableVPN> uncommented.
Contents of ACTransforms.xml file:
<!-- Optional AnyConnect installer settings are provided below. Uncomment the setting(s) to perform optional action(s) at install time. -->
<!-- <DisableVPN>true</DisableVPN> -->
<!-- <DisableCustomerExperienceFeedback>true</DisableCustomerExperienceFeedback> -->
Step 6. Copy the vpn_install_choices.xml and install Anyconnect
You can install AnyConnect from the command line as shown below, or use this as a DMG package to be pushed out to the clients for installation.
Copy the vpn_install_choices.xml file to the AnyConnect DMG bundle and then install the AnyConnect client based on the vpn_install_choices.xml file.
For details, see the article AnyConnect Roaming Security Module: Pre-Deployment Tips.
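One way to check the Step 4 file before the package is pushed out to clients, as an added example that is not part of the original article or of Cisco's tooling: it reads a choice-changes file in the plist layout the macOS installer uses, sets the wanted modules to 1 and the rest to 0, and lists what the file would install. The sample file and the choice identifiers in it are constructed assumptions; take the real identifiers from your own vpn_install_choices.xml.

```python
import plistlib

# Constructed sample in the choice-changes plist layout. The choiceIdentifier
# values are assumptions; read the real ones from your generated file.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict><key>attributeSetting</key><integer>1</integer>
    <key>choiceAttribute</key><string>selected</string>
    <key>choiceIdentifier</key><string>choice_vpn</string></dict>
  <dict><key>attributeSetting</key><integer>1</integer>
    <key>choiceAttribute</key><string>selected</string>
    <key>choiceIdentifier</key><string>choice_websecurity</string></dict>
  <dict><key>attributeSetting</key><integer>0</integer>
    <key>choiceAttribute</key><string>selected</string>
    <key>choiceIdentifier</key><string>choice_umbrella</string></dict>
  <dict><key>attributeSetting</key><integer>1</integer>
    <key>choiceAttribute</key><string>selected</string>
    <key>choiceIdentifier</key><string>choice_dart</string></dict>
</array>
</plist>"""


def set_selected(xml_bytes, wanted):
    """Return plist bytes with 'selected' = 1 for wanted ids and 0 for the rest."""
    choices = plistlib.loads(xml_bytes)
    seen = set()
    for choice in choices:
        if choice.get("choiceAttribute") != "selected":
            continue  # leave 'visible' / 'enabled' entries untouched
        cid = choice["choiceIdentifier"]
        choice["attributeSetting"] = 1 if cid in wanted else 0
        seen.add(cid)
    missing = set(wanted) - seen
    if missing:  # a typo here would silently skip a module at install time
        raise ValueError(f"not offered by this package: {sorted(missing)}")
    return plistlib.dumps(choices)


def selected_modules(xml_bytes):
    """List the choice identifiers the file would install (audit before rollout)."""
    return sorted(
        c["choiceIdentifier"]
        for c in plistlib.loads(xml_bytes)
        if c.get("choiceAttribute") == "selected" and int(c["attributeSetting"]) == 1
    )
```

Running `selected_modules` on the file that is actually copied into the DMG bundle confirms that only the intended modules are set to 1 before deployment.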