
Cisco AnyConnect 4.4

I have created a custom .pkg for Cisco AnyConnect. It seems that after install the service isn't running, so you have to reboot for the VPN to work. Can I make this as a post install script with Composer, and what service would that be?

SOLVED Posted: by blackholemac

This package is an example of one where I would consider using the vendor-provided package as its scripts make changes to various things in the network stack.

If we want to customize, what I might do is create a "helper package" that is essentially a snapshot from the point of finishing the install of the vendor package to the point it is ready for the end user to log in with. That way you can populate preference files and such. You could also consider installing with Cisco's AnyConnect profiles as well, but that may take some more advanced packaging. A snapshot is not a great choice here simply because AnyConnect does have an impact on network settings.

SOLVED Posted: by kericson

The vendor told me to do this and they offer no other solution than what I have done. I just need the VPN server to start after the install.

SOLVED Posted: by jhbush1973

This is currently what I'm using for AnyConnect.

#!/bin/sh
## postinstall

pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3

# Install the software and remember the installer's exit status

installer -package "/private/tmp/AnyConnect/AnyConnect.pkg" -target / -applyChoiceChangesXML "/private/tmp/AnyConnect/choices.xml"
result=$?

# Hide the opt folder

chflags hidden /opt

# Remove the files from /private/tmp

/bin/rm -rf "/private/tmp/AnyConnect"

# Report the installer's result: 0 is success, anything else is failure
exit $result

choices.xml:

<array>
    <string>choice_fireamp</string>
    <string>choice_websecurity</string>
    <string>choice_posture</string>
    <string>choice_nvm</string>
    <string>choice_umbrella</string>
</array>
SOLVED Posted: by JustDeWon

Why not just have it require a reboot after install in the policy?

SOLVED Posted: by chriscollins

We deploy this similarly to @jhbush1973. Use the vendor package and use the choice changes xml functionality of the command line installer command to choose the components you want to install and let the vendor package do its thing. No restarts or anything else like that required.

SOLVED Posted: by al_platt

I extract the bit I need from the AnyConnect pkg with Pacifist and then deploy with an xml for the connection setting.

SOLVED Posted: by iJake

I would highly recommend you use our package as opposed to building your own but it can be modified and this is what I do. I'd be happy to help you @kericson with getting this working as you need it. Feel free to send me an email: jadavids AT cisco.com

SOLVED Posted: by blackholemac

I think @iJake's post coming from a Cisco employee is probably the gold standard saying that it is not a good idea to repackage this. I only go to a repackage personally if no other technique gets the software the way I want it on a system and that is very rare. I would be interested to see @iJake's response to the original poster if he is offering custom help. I don't have to deploy AnyConnect too often, but having a bona fide recipe to get it deployed from a Mac guy at the vendor itself is the best that can be sought.

SOLVED Posted: by iJake

Sorry it took a while for the reply but wanted to make sure the process worked for @kericson. Below is the process we use to package AnyConnect with only certain modules.

External Requirements:
Packages (http://s.sudre.free.fr/Software/Packages/about.html)
XML Editor (such as TextWrangler, BBEdit)

Overview:
Create Choice Change XML (See end of post)
Create Pre and Post flight scripts (See end of post)
Create wrapper package to install vendor AnyConnect.pkg with Choice Change XML

Create Choice Change XML:
Like the attached plist, you create an xml file saved as whatever name you like but ensuring it is in the proper plist format. I’ve already created it this time with the modules you want enabled.

Create Pre and Post Scripts:
I’ve attached examples of these scripts. You’ll see where to use them below.
The preflight closes AnyConnect if it is already installed and running.
The postflight installs the vendor package with the choices XML file so you only install what you want.

Create Wrapper package:
Create folder for AnyConnect Packages project. Here is how I structure my folders:

Open the Packages app to create a new Raw package and name it anything you like:

Choose an identifier (ours is com.cisco.x.x because we are Cisco. I would use something unique to you) and supply a version number for your package. I make the version number match the version of AnyConnect:

There is no payload to specify so you can skip this screen.

On the Scripts tab add your Pre and Post scripts and add the Choices xml and vendor package as additional resources:

(The file can be named whatever you would like. This was an example for @kericson )

Save the project and then choose to build it. You should now have a package, though unsigned, that will install only the modules you want. If you need to install profiles or other files you can create further packages or simply add to the payload. Packages can apply a cert to your package if you have one or you can sign it after you build it.

Choice XML Example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_vpn</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_websecurity</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_fireamp</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_dart</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_posture</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_iseposture</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_nvm</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_umbrella</string>
    </dict>
</array>
</plist>

To see what these options are in the future when more modules might be added:

installer -showChoiceChangesXML -pkg AnyConnect.pkg

Preflight Script (just closes AC if already open):

#!/bin/bash

## BODY
osascript -e 'tell application "Cisco AnyConnect Secure Mobility Client" to quit'

## FOOTER
exit 0

Postflight Script Example:

#!/bin/bash

# Resources added on the Scripts tab sit next to this script
ResourceLocation=$(dirname "$0")
PackageName="AnyConnect.pkg"
ChoicesXML="acChoices_TrueMFG.plist"

## BODY
if [[ -e "$ResourceLocation/$PackageName" ]]; then
    echo "Executing installer package"
    # -allowUntrusted accepts a package whose signing certificate is not trusted
    installer -dumplog -verbose -pkg "$ResourceLocation/$PackageName" -target / -allowUntrusted -applyChoiceChangesXML "$ResourceLocation/$ChoicesXML" || exit 1
else
    echo "Unable to locate installer package"
    ls "$ResourceLocation"
    exit 1
fi

## FOOTER
exit 0
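
Added example, not part of the post above or of Cisco's tooling: a Python pre-build check for a choice-changes plist in the dict form shown in that post. It parses the file as a plist rather than only as XML and compares the modules marked selected with the ones you intend to install; the function names and the `wanted` set are assumptions made for illustration.

```python
import plistlib

REQUIRED_KEYS = {"attributeSetting", "choiceAttribute", "choiceIdentifier"}

def build_choices(settings):
    """Build a choice-changes plist (bytes) from {choiceIdentifier: 0 or 1}."""
    return plistlib.dumps([
        {"attributeSetting": int(bool(on)), "choiceAttribute": "selected",
         "choiceIdentifier": ident}
        for ident, on in settings.items()
    ])

def selected_modules(plist_bytes):
    """Return (selected identifiers, problems) for a dict-form choices plist."""
    selected, seen, problems = set(), set(), []
    try:
        root = plistlib.loads(plist_bytes)
    except Exception as exc:  # XML that lints clean can still fail as a plist
        return selected, [f"not a valid plist: {exc}"]
    if not isinstance(root, list):
        return selected, ["top-level object must be an <array>"]
    for index, entry in enumerate(root):
        if not isinstance(entry, dict) or not REQUIRED_KEYS <= entry.keys():
            problems.append(f"entry {index}: not a dict with the three choice keys")
            continue
        ident = entry["choiceIdentifier"]
        if ident in seen:
            problems.append(f"{ident}: listed more than once")
        seen.add(ident)
        if entry["choiceAttribute"] != "selected":
            continue  # attributes other than 'selected' are ignored by this check
        if entry["attributeSetting"] not in (0, 1):
            problems.append(f"{ident}: attributeSetting must be 0 or 1")
        elif entry["attributeSetting"] == 1:
            selected.add(ident)
    return selected, problems

def check_choices(plist_bytes, wanted):
    """Problems in the file plus any mismatch with the modules you intend."""
    selected, problems = selected_modules(plist_bytes)
    problems += [f"{m}: selected but not wanted" for m in sorted(selected - set(wanted))]
    problems += [f"{m}: wanted but not selected" for m in sorted(set(wanted) - selected)]
    return problems

if __name__ == "__main__":
    # Constructed sample using choice identifiers from the thread's example
    sample = build_choices({"choice_vpn": 1, "choice_dart": 1, "choice_umbrella": 0})
    print(check_choices(sample, wanted={"choice_vpn"}))
```

An empty list from `check_choices` means the file parses as a plist and selects exactly the modules named in `wanted`.
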
SOLVED Posted: by CasperSally

I did pretty much exactly what @iJake did above. Actually, on my list of things to do was to document it. Thanks to him for saving me the trouble :)

SOLVED Posted: by winterboer

@iJake What is the acChoices_TrueMFG.plist? Is it the XML file to create connection profiles?

SOLVED Posted: by iJake

@winterboer No, it is the file that controls what packages Installer installs. Specifically that name in the documentation above is just an example name.

SOLVED Posted: by chriscollins

@winterboer It's an XML file you feed to the command line installer application to tell it what your choices are for what you are choosing to install. It's the XML equivalent of checking what you want to install in the GUI based install. You can learn more by looking at the man page for installer. But basically it's how you specify what's in this screenshot when you are doing an install from the command line.

SOLVED Posted: by winterboer

@chriscollins I built a custom installer using the directions above and I ended up with everything installed, I just want the VPN client. When I ran the GUI based installer it only offers VPN, everything else is greyed out.

SOLVED Posted: by buckychappell

We're testing for an upgrade to version 4.5 of AnyConnect; is there a place in this recipe where we can prevent the app from becoming a user login item?

SOLVED Posted: by chriscollins

@buckychappell I don't believe so but you can easily add as part of your post install script a step that just deletes or unloads the LaunchAgent plist file in "/Library/LaunchAgents/com.cisco.anyconnect.gui.plist"

SOLVED Posted: by Kyuubi

@iJake Quick question: what is the best way to install profiles for the various modules with your workflow? I'd like to just add it to the package that has the vendor installer and Choices Plist.

SOLVED Posted: by Kyuubi

@iJake Never mind, I see the answer above.

SOLVED Posted: by Kyuubi

@jhbush1973 I'm following your workflow and am having trouble with the XML file. Created one just like your example, and put it in the package. I've run xmllint in Terminal and it shows as a valid XML file, but when I run the command I get an error that says it can't find the XML file or it's malformed. Any ideas?

SOLVED Posted: by mhinsz

@chriscollins @buckychappell - I'm having the same auto login issue, but mine only seems to occur when the Cisco ISE Posturing package is deployed. I can manually kill it, but it returns after a computer restart. Did you have success?

SOLVED Posted: by Kyuubi

Same here @mhinsz . Auto login is a pain.

SOLVED Posted: by asommerio

I know this thread is a bit old but I was able to successfully deploy the Cisco AnyConnect VPN module and the ISE Posture Module (the only two we use) separately by extracting them with Pacifist. Yes I have to upload two separate .pkg's to the JSS but the result was smooth and everything works great.

  1. Open .DMG with Pacifist and navigate to the AnyConnect.pkg
  2. The dropdown will show you the packages for all of the modules within the main AnyConnect.pkg
  3. Choose the ones you want to deploy later and use the "Extract Subpackages" option.
  4. Upload to the JSS and create your policy for deployment. That's it. Hope this helps anyone not keen on editing XML and plist files.
SOLVED Posted: by itupshot

I have a question: which of the two v.4.5.x packages from Cisco is the one we need to download, the "pre-deploy," or "web-deploy?"

What's the difference?

SOLVED Posted: by asommerio

The packages I extracted were from the "pre-deploy" and they work fine.

SOLVED Posted: by ostrowsp

With this installer it does not show how you are supposed to add your own VPN Profiles. Also how are people dealing with the KEXT issue with 10.13 and the new version of AnyConnect?

SOLVED Posted: by iJake

@ostrowsp I'd suggest signing up for the Jamf 10.3 beta where you can create and test Approved Kernel Extensions Configuration Profiles. The Team ID for Cisco AnyConnect is DE8Y96K9QP

SOLVED Posted: by rqomsiya

@ostrowsp : Take a look at this JN post

https://www.jamf.com/jamf-nation/discussions/26583/kextpocalyse-2-the-remediation-blog-post-by-our-own-franton

SOLVED Posted: by boanes

Hey @iJake, I'm trying to follow this process and one additional thing that my admins want me to complete is to add some XML files that reference our 3 different VPN Servers...

How would I include this in the package?

SOLVED Posted: by iJake

@boanes I package our profiles in a separate pkg that places them in either opt/cisco/anyconnect/profile or umbrella depending on what type of profile it is (this is manual just do both kinds in the same package). This profiles package is then part of the larger package that installs AC, Profiles, and some other bits all at once via individual packages.

SOLVED Posted: by boanes

Sorry @iJake, I don't quite follow... Can you elaborate a bit more?

SOLVED Posted: by boanes

Hey @iJake,
I got now what you're saying about the various profiles...

Right now I'm not quite sure how to build part 1 to this package... I've followed your process that you've outlined back on 3/6/17 and I'm running into issues...

When I build the package then attempt to deploy it, it doesn't install anything... help?

SOLVED Posted: by saikitjk

@boanes

I am having the same issue as well.
Followed the instructions above and the pkg file does not install on the machine.
Changed the post script to set directory for the pkg file and still no luck.

@iJake, any help would be awesome!

SOLVED Posted: by boanes

@saikitjk What's your email address, I've written down some instructions that I'd like you to go over and verify that they're clear...

SOLVED Posted: by landon_Starr

Hi all,

Sorry for bumping an old thread, but I was hoping I could get some insight for an issue I've been seeing.

Using @asommerio's method, I pulled the VPN and Umbrella components from my pre-deploy DMG, but when I go to install them I get nothing but errors. Self Service reports an error upon install, and if I try to install them by hand, I'm getting this:

Is this related to some new Mojave security policy?

SOLVED Posted: by kcadm

@landon_Starr I am getting the same error on Mojave 10.14.2

SOLVED Posted: by CasperSally

@kcadm @landon_Starr how did you work around this error? I'm seeing it on 10.14 and 10.13 so I don't think it's a Mojave issue. I'm trying to extract pkgs from v4.7 dmg.

Edit: choices.xml install (mostly following iJake's instructions above) worked fine.
