
Command-Line and Customization for Installation

You can customize the Umbrella Roaming Module for AnyConnect during installation.

## AnyConnect Umbrella Deployment Options for macOS
AnyConnect for macOS can be deployed without the VPN module active and with the Umbrella profiles pre-configured. This makes deployment simpler for MDMs. While deploying without VPN capabilities and bundling Umbrella profile data are unrelated, the method of configuring each of these capabilities is the same: modifying the AnyConnect deployment DMG file.

This is for deploying AnyConnect with only Umbrella and DART (for diagnostics) without VPN. For more information, see the AnyConnect documentation.

  1. Download AnyConnect Pre-Deployment Package (Mac OS) from https://software.cisco.com/download/home.
  2. Customize the installer.
    You can pre-deploy the Umbrella configuration and customize which modules are deployed.

A. Pre-deploy the Umbrella Configuration Profile:

a. Open a Terminal console and set the DMG file to be read/write:
```
hdiutil convert anyconnect-macos-<version>-predeploy-k9.dmg -format UDRW -o anyconnect-macos-<version>-predeploy-k9-rw.dmg
```
b. Launch the DMG from /Volumes.
c. Generate the installer XML (vpninstall_choices.xml) in Terminal:
```
installer -pkg /volumes/Anyconnect\ <version>/Anyconnect.pkg -showChoiceChangesXML > /users/<user>/downloads/vpninstall_choices.xml
```
d. Launch the DMG so that you can see the PKG and Profiles folder.
e. In the Umbrella dashboard, navigate to **Deployments > Roaming Computers > Roaming Client** and download the AnyConnect OrgInfo.json.
f. Open the /Profiles/Umbrella directory from the install volume. Drag the OrgInfo.json file into the directory.

B. Custom AnyConnect Deployment Modules
By default, AnyConnect deploys with the VPN module. To deploy with Umbrella from the CLI or MDM, an XML configuration is required. Additionally, a transform is available to deploy without VPN capabilities.

a. Generate the installer XML (vpn_install_choices.xml) in Terminal:
```
installer -pkg /volumes/Anyconnect\ <version>/Anyconnect.pkg -showChoiceChangesXML > /users/<user>/downloads/vpn_install_choices.xml
```
b. Launch the DMG so that you can see the PKG and Profiles folder.
c. In Umbrella, navigate to Deployments > Roaming Computers > Roaming Client and download the AnyConnect OrgInfo.json.
d. Disable VPN. To install with the VPN application hidden and disabled, you need to modify ACTransforms.xml.
In **/Profiles/ACTransforms.xml**, edit the file to comment out the following:

```
<Transforms>
<DisableVPN>true</DisableVPN>
<DisableCustomerExperienceFeedback>true</DisableCustomerExperienceFeedback>
</Transforms>
```

e. Select your desired modules. Modify the *vpn_install_choices.xml* with the following, and save.
**Note**: Modifying choice_vpn does not supersede the ACTransforms.xml changes you just made.
In this example, only Umbrella and DART are deployed.
In this example, only Umbrella and DART are deployed.


```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
	<dict>
		<key>attributeSetting</key>
		<true/>
		<key>choiceAttribute</key>
		<string>visible</string>
		<key>choiceIdentifier</key>
		<string>choice_vpn</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<false/>
		<key>choiceAttribute</key>
		<string>enabled</string>
		<key>choiceIdentifier</key>
		<string>choice_vpn</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<integer>0</integer>
		<key>choiceAttribute</key>
		<string>selected</string>
		<key>choiceIdentifier</key>
		<string>choice_vpn</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<true/>
		<key>choiceAttribute</key>
		<string>visible</string>
		<key>choiceIdentifier</key>
		<string>choice_websecurity</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<false/>
		<key>choiceAttribute</key>
		<string>enabled</string>
		<key>choiceIdentifier</key>
		<string>choice_websecurity</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<integer>0</integer>
		<key>choiceAttribute</key>
		<string>selected</string>
		<key>choiceIdentifier</key>
		<string>choice_websecurity</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<true/>
		<key>choiceAttribute</key>
		<string>visible</string>
		<key>choiceIdentifier</key>
		<string>choice_fireamp</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<false/>
		<key>choiceAttribute</key>
		<string>enabled</string>
		<key>choiceIdentifier</key>
		<string>choice_fireamp</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<integer>0</integer>
		<key>choiceAttribute</key>
		<string>selected</string>
		<key>choiceIdentifier</key>
		<string>choice_fireamp</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<true/>
		<key>choiceAttribute</key>
		<string>visible</string>
		<key>choiceIdentifier</key>
		<string>choice_dart</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<false/>
		<key>choiceAttribute</key>
		<string>enabled</string>
		<key>choiceIdentifier</key>
		<string>choice_dart</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<integer>1</integer>
		<key>choiceAttribute</key>
		<string>selected</string>
		<key>choiceIdentifier</key>
		<string>choice_dart</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<true/>
		<key>choiceAttribute</key>
		<string>visible</string>
		<key>choiceIdentifier</key>
		<string>choice_posture</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<false/>
		<key>choiceAttribute</key>
		<string>enabled</string>
		<key>choiceIdentifier</key>
		<string>choice_posture</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<integer>0</integer>
		<key>choiceAttribute</key>
		<string>selected</string>
		<key>choiceIdentifier</key>
		<string>choice_posture</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<true/>
		<key>choiceAttribute</key>
		<string>visible</string>
		<key>choiceIdentifier</key>
		<string>choice_iseposture</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<false/>
		<key>choiceAttribute</key>
		<string>enabled</string>
		<key>choiceIdentifier</key>
		<string>choice_iseposture</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<integer>0</integer>
		<key>choiceAttribute</key>
		<string>selected</string>
		<key>choiceIdentifier</key>
		<string>choice_iseposture</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<true/>
		<key>choiceAttribute</key>
		<string>visible</string>
		<key>choiceIdentifier</key>
		<string>choice_nvm</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<false/>
		<key>choiceAttribute</key>
		<string>enabled</string>
		<key>choiceIdentifier</key>
		<string>choice_nvm</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<integer>0</integer>
		<key>choiceAttribute</key>
		<string>selected</string>
		<key>choiceIdentifier</key>
		<string>choice_nvm</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<true/>
		<key>choiceAttribute</key>
		<string>visible</string>
		<key>choiceIdentifier</key>
		<string>choice_umbrella</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<false/>
		<key>choiceAttribute</key>
		<string>enabled</string>
		<key>choiceIdentifier</key>
		<string>choice_umbrella</string>
	</dict>
	<dict>
		<key>attributeSetting</key>
		<integer>1</integer>
		<key>choiceAttribute</key>
		<string>selected</string>
		<key>choiceIdentifier</key>
		<string>choice_umbrella</string>
	</dict>
</array>
</plist>
```

  3. Set up the correct extension permission settings:

    a. Eliminate the System Extension Approval Pop-up on macOS.
    By default, macOS requires the user to accept the activation of a new System Extension. As a result, the user is presented with a popup that must be accepted prior to the application becoming functional. An MDM is required to approve the AnyConnect system extension and disable the pop-up, using a management profile’s SystemExtensions payload. For more information on SystemExtensions payloads, see System Extensions.
    b. Follow the payload guidance in Extension Approval using MDM to deploy the MDM.

  4. Deploy the .dmg in Terminal.
    cd /volumes/AnyConnect\ 4.10.01075/
    sudo installer -pkg Anyconnect.pkg -applyChoiceChangesXML vpn_install_choices.xml -target /
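
An added check, not part of the Cisco documentation: before passing vpn_install_choices.xml to `installer -applyChoiceChangesXML` or to an MDM, this parses the file and compares its `selected` entries with the modules you intend to ship (here Umbrella and DART, no VPN). The function names, the constructed sample data, and the assumption that a choice missing from the file keeps the package default are illustrative.

```python
import plistlib

def selected_state(plist_bytes):
    """Map each choiceIdentifier to the value of its 'selected' entry."""
    state = {}
    for entry in plistlib.loads(plist_bytes):
        if entry.get("choiceAttribute") != "selected":
            continue  # this check ignores the 'visible' and 'enabled' entries
        cid, value = entry["choiceIdentifier"], bool(entry["attributeSetting"])
        if state.get(cid, value) != value:
            raise ValueError(f"conflicting 'selected' entries for {cid}")
        state[cid] = value
    return state

def audit(plist_bytes, wanted, forbidden):
    """Return a list of findings; an empty list means the file matches."""
    state = selected_state(plist_bytes)
    findings = [f"{c}: expected selected=1" for c in sorted(wanted)
                if not state.get(c, False)]
    for c in sorted(forbidden):
        if c not in state:
            # Assumption: a choice absent from the file keeps the package default
            findings.append(f"{c}: no 'selected' entry, package default applies")
        elif state[c]:
            findings.append(f"{c}: selected=1 but must not be installed")
    findings += [f"{c}: selected=1 but not in the intended module list"
                 for c in sorted(state)
                 if state[c] and c not in wanted and c not in forbidden]
    return findings

def sample(selected):
    """Constructed sample in the page's layout: three entries per choice."""
    rows = []
    for cid, on in selected.items():
        for attr, val in (("visible", True), ("enabled", False),
                          ("selected", int(on))):
            rows.append({"attributeSetting": val, "choiceAttribute": attr,
                         "choiceIdentifier": cid})
    return plistlib.dumps(rows)

if __name__ == "__main__":
    wanted, forbidden = {"choice_umbrella", "choice_dart"}, {"choice_vpn"}
    ok = sample({"choice_vpn": 0, "choice_dart": 1, "choice_umbrella": 1})
    bad = sample({"choice_dart": 1, "choice_umbrella": 1, "choice_nvm": 1})
    print(audit(ok, wanted, forbidden))
    print(audit(bad, wanted, forbidden))
```

To check a real file, pass `open(path, "rb").read()` to `audit` with the same two sets.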

AnyConnect Umbrella Deployment Options for Windows

AnyConnect for Windows can be deployed with several options including excluding VPN installation, hidden installation from add/remove programs and lockdown.

Set MSI Properties During Installation

Cisco installation packages support a number of MSI properties that can be changed during installation, including lockdown and disabling the VPN. Lockdown prevents the service from being disabled manually.
Note: To set these during installation, the Umbrella module must be pre-deployed.

Deploy without VPN Module

  1. Open the Windows installer to disable VPN functionality. Configure your deployment to set the MSI property PRE_DEPLOY_DISABLE_VPN=1.
    For example:
    msiexec /package anyconnect-win-ver-pre-deploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* <log_file_name>

This command disables the VPN functionality by copying the VPNDisable_ServiceProfile.xml file embedded in the MSI to the directory specified for profiles for VPN functionality.

  2. Deploy the Umbrella module:
    msiexec /package anyconnect-win-<version>-umbrella-predeploy.msi /norestart /passive /lvx* c:\test.log
    **Note**: To enable lockdown, add the LOCKDOWN=1 parameter in the installation line.
  3. Optionally, install DART:
    msiexec /package anyconnect-dart-win-<version>-k9.msi /norestart /passive /lvx* c:\test.log

Enable Lockdown

In the Windows installer, enter:
msiexec /package anyconnect-win-X.X.XXXXX-umbrella-predeploy-k9.msi /passive LOCKDOWN=1 /lvx*

Hide AnyConnect from Add/Remove Programs List

You can hide the installed AnyConnect modules from users that view the Windows Add/Remove Programs list.

  1. Launch any installer using ARPSYSTEMCOMPONENT=1.
    This module does not appear in the Windows Add/Remove Programs list. Apply this to all module MSIs at the time of deployment.

Optional OrgInfo.json Configurations

When deploying the client, additional parameters may be added to the OrgInfo.json profile file. These parameters, unlike LOCKDOWN, are applied to the OrgInfo.json profile directly rather than at the time of installation with an MSIEXEC parameter. The following does not apply if run at install time.

| Parameter | Values | Description |
| --- | --- | --- |
| noAutoSuffix | 0 - Add the domains (default)<br>1 - Do not add domains | Does not add domains contained in the DNS Suffixes settings in network adapters and networking properties to the Internal Domains list.<br>This feature exists so that the Umbrella roaming module is more aware of local resources and domains on foreign networks. |
| customUSResolvers | ["208.67.221.76", "208.67.223.76"] - Sets primary and secondary US based Anycast addresses | Enables special DNS resolver Anycast addresses that limits DNS queries to only US-based Umbrella servers. Does not affect block pages or proxy. |
| noNXDOMAIN | 0 - Do re-query (default)<br>1 - Do not re-query | Automatically re-query public NXDOMAINS at the local resolvers. This feature allows roaming users to resolve internal domains on networks beyond their own without interruption or internal domains list management.<br>Note: DNS search suffixes are still automatically sent to local resolvers, unless this functionality is disabled. |
