browse
Overview
Secure Client contains a number of optional security modules including Umbrella. This article describes the installation process for Cisco Secure Client and how to choose the desired modules. Note that at minimum both the Core VPN module* and Umbrella module must be installed.
*VPN functionality can be optionally disabled during installation but the module must still be installed.
Manual Installation
During manual installation the user can simply select the desired modules* during the installation wizard.
* Umbrella must be selected. If "Core & AnyConnect VPN" is disabled then VPN functionality is disabled but the Core VPN module itself is still installed because it provides underlying drivers for Umbrella.
Windows unattended Installation
On Windows the pre-deployment package contains different MSI files for each module. Therefore, simply install the desired MSI files (Core + Umbrella)
Details in the article Cisco Secure Client (Windows) - Automated deployment tutorial
Mac OSX unattended Installation
When run in an unattended way the pre-deployment package for Mac OSX installs all Secure Client modules. When deployed via automation tools it is likely that other Secure Client modules will be installed which may be unwanted. In this scenario, the pre-deployment package must be extracted and customised on MAC endpoints so as to only install the desired modules.
Overview
The instructions comprise of these main steps:
- Creating a writeable .dmg package
- Create an install_choices.xml which will be used during installation to control which modules are installed
- Add a custom ACTransforms.xml file to the package which disables the VPN functionality
- Add your Umbrella profile (OrgInfo.json) to the package which allows the client to register
- Convert the package back to a read-only DMG
- Install the package via CLI, supplying the custom install_choices.xml file
Step 1. Convert the .dmg Package
Convert the .dmg package from a read-only state to read-write, with the use of Disk Utility or hdiutil as shown in the image.
hdiutil convert cisco-secure-client-macos-<version>-predeploy-k9.dmg -format UDRW -o csc-writeable.dmg
Step 2. Run the Converted File
Run the converted file csc-writeable.dmg in order to mount the DMG image. This will create a volume with the writeable contents of the DMG.
Step 3. Generate the install_choices.xml file
The install_choices.xml file configures which modules will be installed and can be supplied as an installation argument for CLI and scripted installations. The attached install_choices.xml configures only the required modules (Umbrella + VPN).
You can optionally generate and configure your own install_choices.xml file (instead of using the one attached) by using the following command:
installer -pkg /volumes/Cisco\ Secure\ Client\ <version>/Cisco\ Secure\ Client.pkg -showChoiceChangesXML > ~/Downloads/install_choices.xml
Step 4. Extract the Install Options
The extracted install_choices.xml file can be changed to enable the desired module. The example below will enable the required Umbrella+VPN modules.
Note:
The above xml file installs the VPN(which will be hidden later), Umbrella Roaming Security and DART modules by setting the integer value to 1 and setting the rest to 0.
Step 5. Make changes to the ACTransforms.xml file to hide the VPN functionality
To hide the VPN module edit the ACTransforms.xml:
/Volumes/Cisco\ Secure\ Client\ <version>/Profiles/ACTransforms.xml
Under the profiles folder, ACTransforms.xml file needs to have the line <disablevpn>true</disablevpn> uncommented.
Contents of ACTransforms.xml file:
<!-- Optional AnyConnect installer settings are provided below. Uncomment the setting(s) to perform optional action(s) at install time. -->
<Transforms>
<!-- <DisableVPN>true</DisableVPN> -->
<!-- <DisableCustomerExperienceFeedback>true</DisableCustomerExperienceFeedback> -->
</Transforms>
Step 6. Install the Umbrella profile
Download your Umbrella module profile (OrgInfo.json) from the Umbrella Dashboard (Deployments > Roaming Computers > Downloads). This profile must be provisioned for the client to register with your Umbrella Dashboard and function. Including it in the installation package prevents you having to deploy it as a post install task.
Save the profile to /Volumes/Cisco\ Secure\ Client\ <version>/Profiles/umbrella/OrgInfo.json
Step 7. Convert the package back to read only
Eject the DMG volume and use hdiutil to convert it to 'read only'. The read only package can then be distributed to end users.
diskutil eject Cisco\ Secure\ Client\ <version>
hdiutil convert csc-writeable.dmg -format UDRO -o csc-readable.dmg
Step 8. Install Secure Client supplying the install_choices.xml
The DMG file can be executed as normal (interactively) or pushed out via scripted/automated installation task.
- In a script, attach the DMG package.
- Use installer to install Cisco Secure Client.pkg. It's important to also supply our install_choices.xml within the -applyChoiceChangesXML argument. This controls which modules are installed.