AnyConnect Umbrella Roaming Security Module Provisioning via MS Intune

Overview

This configuration guide covers the steps  to provision the AnyConnect Umbrella Roaming  Security Module via MS Intune.

Pre-requisites

• Access to Umbrella Dashboard
• Access to MS Intune Portal
• AnyConnect Umbrella Module Profile (orginfo.json)
• AnyConnect Pre-deployment package for the version to be deployed
• Microsoft Win32 Content Prep Tool

The method used on this guide uses “Windows app (Win32)” option, so it is required to convert both the anyconnect-win-4.10.03104-core-vpn-predeploy-k9.msi and anyconnect-win-4.10.03104-umbrella-predeploy-k9.msi into “. intunewin” format.

AnyConnect Core VPN Module and AnyConnect Umbrella Module .msi conversion into .intunewin format steps

1. Access to your Umbrella Dashboard and download the AnyConnect Umbrella Module Profile (orginfo.json) under “Deployments>Roaming Clients> Download> Download Module Profile”:
2. After unzipped, on the AnyConnect pre-deployment package drop the Umbrella profile (orginfo.json) under “anyconnect-win-4.10.03104-predeploy-k9\Profiles\umbrella” path:
3. Download “Microsoft Win32 Content Prep Tool”
4. Create a folder and drop the “IntuneWinAppUtil” application, also create an input and output folder in your machine:
5. On the “Intune_input” folder drop the AnyConnect VPN Core, Umbrella .msi files, and copy/paste the Profiles folder and subfolders (anyconnect-win-4.10.03104-core-vpn-predeploy-k9.msi and anyconnect-win-4.10.03104-umbrella-predeploy-k9.msi, the Profiles subfolders is where you dropped the Umbrella profile on Step.2):
6. Then open the “IntuneWinAppUtil.exe” application and specify the “Intune_input” as your source folder, AnyConnect Core VPN .msi as your source setup file, also specify the “Intune_output” as your output folder (here is where the application will generate the AnyConnect Core VPN .intunewin file):
7. Repeat the above step (Step.6), but this time for the AnyConnect Umbrella Module (since we dropped the Umbrella Profile within the Profiles folder this will create the AnyConnect Umbrella .intunewin file with the Umbrella profile embedded on it):

Upload and configure the AnyConnect Core VPN .intunewin file on the Intune Portal

1. Now you need to go access to your MS Intune Portal under “Home>Apps>Windows” and for Select app Type choose “Windows app (Win32)” then click “Select”:
2. Then you need to click on “Select app package file” and upload the AnyConnect Core VPN .intunewin file, then click “OK”:
3. On this step specify the minimum information like “Publisher” and “Category” and click “Next”:
4. 
5. Specify the installation command parameters. You can use the default one or use the AnyConnect supported parameters specified on the AnyConnect Admin Guide from the respective version you are installing (for this example we are using passive mode and Disabled the VPN module so only Umbrella module is displayed on the AnyConnect UI, also logging to vpninstall.log file), you also need to specify the Device Restart behavior and then click “Next” (ex. msiexec /i "anyconnect-win-4.10.3104-core-vpn-predeploy-k9.msi" /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* vpninstall.log):
6. As part of the Requirements, you need to specify the OS architecture and Minimum OS running on the devices you want to push the AnyConnect Core VPN (you can also specify other requirements if needed):
7. You can optionally configure detection rules to detect if the AnyConnect Core VPN is already present on the device, with this option you can also detect if same or different AnyConnect version is found. In this example we have configured the detection rule for any of the AnyConnect Core VPN versions, specify the “Rule Type” as .msi:
8. On the Dependencies option we will not be configuring any for the AnyConnect Core VPN so just click “Next”:
9. Optionally, you can configure Supersedense in order to update or replace an existing application on the device, it only applies to Win32 apps, for further information about Supersedense you can refer to the MS Intune documentation. In our example we are not specifying any application to be replaced so just click “Next”:
10. Now we need to specify the assignments to specify the group/user we want to install the AnyConnect VPN Core, due to the next steps we will follow on the next section, we do not need to assign it to any users/groups, so just click “Next”:
11. Review the configuration to make sure everything is good and click “Create”:
12. If you go back to MS Intune Portal under “Home>Apps>Windows” you will find the created AnyConnect Core VPN Win32 app:

Upload and configure the AnyConnect Umbrella Module  .intunewin file on the Intune Portal

1. We need to repeat the same process but this time for AnyConnect Umbrella Module so in your MS Intune Portal go under “Home>Apps>Windows” and for Select app Type choose “Windows app (Win32)” then click “Select”:
2. Then you need to click on “Select app package file” and upload the AnyConnect Umbrella VPN .intunewin file, then click “OK”:
3. On this step specify the minimum information like “Publisher” and “Category” and click “Next”:
4. Specify the installation command parameters. You can use the default one or use the AnyConnect supported parameters specified on the AnyConnect Admin Guide from the respective version you are installing (for this example we are just using passive mode and logging to umbrellainstall.log file), you also need to specify the Device Restart behavior and then click “Next” (ex. msiexec /i "anyconnect-win-4.10.3104-umbrella-predeploy-k9.msi" /passive /lvx* umbrellainstall.log):
5. As part of the Requirements, you need to specify the OS architecture and Minimum OS running on the devices you want to push the AnyConnect Core VPN (you can also specify other requirements if needed):
6. You can optionally configure detection rules to detect if the AnyConnect Umbrella Module is already present on the device, with this option you can also detect if same or different AnyConnect version is found. In this example we have configured the detection rule for any of the AnyConnect Umbrella Module versions, specify the “Rule Type” as .msi :
7. On the Dependencies option in this case, we will specify the AnyConnect Core VPN module and also configure “Automatically Install” as Yes, so when the AnyConnect Umbrella Module is about to be pushed by Intune, if the AnyConnect Core VPN is not installed, it will automatically install it first and then the AnyConnect Umbrella Module can be installed, then just click next “Next”:
8. Optionally, you can configure Supersedense in order to update or replace an existing application on the device, it only applies to Win32 apps, for further information about Supersedense you can refer to the MS Intune documentation. In our example we are not specifying any application to be replaced so just click “Next”:
9. Now we need to specify the Assignments to configure the group/user we want to install the AnyConnect Umbrella Module (AnyConnect VPN Core will also be installed due to the “Dependencies” Rule). In this example we are assigning a device group called “Device Group” you can also specify other parameters for the installation, we are using the default parameters to install the application as soon as possible, then click “Next”:
10. Review the configuration to make sure everything is good and click “Create”:
11. If you go back to MS Intune Portal under “Home>Apps>Windows” you will find the created AnyConnect Umbrella Module Win32 app has been created and assigned, at this point we just need to wait for it to be pushed to the devices/users within the selected group:

12. Finally, you can review the successful installation by going under “Home>Apps>All Apps” and click on both “Cisco AnyConnect Mobility Client” and “Cisco AnyConnect Umbrella Roaming Security Module”:

AnyConnect Core VPN status:

AnyConnect Umbrella Module status:

Successful installation on the device: