Guides
ProductDeveloperPartnerPersonal

Customize Windows Installation of Cisco Secure Client

You can customize the installation of the Cisco Secure Client with various modules and features on Windows. The Cisco Secure Client deployment packages support several MSI properties that you can change during installation, including lockdown and disabling the display of the VPN module in the client's graphical user interface (GUI).

This guide describes how to deploy the Cisco Secure Client with the virtual private network (VPN), Umbrella Roaming Security, and DART (for diagnostics) modules. By default, the Cisco Secure Client deploys with the VPN module.

Table of Contents

Requirements

  • Windows 8.1 or newer
    • The Umbrella Roaming Security Module requires a .NET framework (4.6.2+ at the minimum)
    • Windows 10/11 on ARM-64 is not supported by the Umbrella Roaming Security module
  • Cisco Secure Client 5.0 or newer
  • Administrative permissions on the Windows device

Prerequisites

Procedure

You can deploy the Cisco Secure Client for Windows with several options including:

  • Hide the VPN module in the Cisco Secure Client GUI.
  • Hide the Cisco Secure Client installation from the Add/Remove Windows Programs list.
  • Enable Lockdown.

Deploy the Cisco Secure Client VPN Module

  1. Run the Windows installer to deploy the Cisco Secure Client VPN package with the PRE_DEPLOY_DISABLE_VPN=1 option. The PRE_DEPLOY_DISABLE_VPN option hides the VPN module in the client's GUI. The VPN module is not disabled. Set the MSI property to PRE_DEPLOY_DISABLE_VPN=1.

Note: If the VPN module is hidden in the client GUI, you can manage the VPN module through the Cisco Secure Client's CLI.

The following command disables the VPN functionality by copying the VPNDisable_ServiceProfile.xml file embedded in the MSI to the directory specified for profiles for VPN functionality.

For example:

msiexec /package cisco-secure-client-win-\<\_version\_>-core-vpn-predeploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* c:\\output.log

Deploy the Cisco Secure Client Umbrella Roaming Security Module

  1. Run the Windows installer to deploy the Cisco Secure Client Umbrella Roaming Security package.
msiexec /package cisco-secure-client-win-\<_version_>-umbrella-predeploy.msi /norestart /passive /lvx* c:\\output.log

To enable lockdown, add LOCKDOWN=1 in the command-line installer.

msiexec /package cisco-secure-client-win-\<\_version\_>-umbrella-predeploy-k9.msi /passive LOCKDOWN=1 /lvx* c:\\output.log

(Optional) Deploy the Cisco Secure Client DART Module

  1. Run the Windows installer to deploy the Cisco Secure Client DART (diagnostics and troubleshooting) package.
msiexec /package cisco-secure-client-win-\<_version_>-dart-predeploy-k9.msi /norestart /passive /lvx* c:\\dart.log

Hide Cisco Secure Client from Add/Remove Programs List

You can hide the installed Cisco Secure Client modules from users that have permissions to view the Windows Add/Remove Programs list.

  1. Run the Windows installer for the Cisco Secure Client package using ARPSYSTEMCOMPONENT=1.
    You can apply this option to all modules at the time of deployment.

For example:

msiexec /package cisco-secure-client-win-\<\_version\_>-umbrella-predeploy-k9.msi /passive ARPSYSTEMCOMPONENT=1 /lvx* c:\\output.log

Optional OrgInfo.json Configurations

When deploying the Umbrella Roaming Security module on the Cisco Secure Client, you can add and configure various parameters to the Umbrella OrgInfo.json file. These parameters, unlike LOCKDOWN, are applied to the OrgInfo.json profile directly rather than at the time of installation with an msiexec parameter. The following does not apply if run at install time.

ParameterValuesDescription
noAutoSuffix0 - Add the domains (default)
1 - Do not add domains
Does not add domains contained in the DNS Suffixes settings in network adapters and networking properties to the Internal Domains list.
This feature exists so that the Umbrella roaming module is more aware of local resources and domains on foreign networks.
customUSResolvers["208.67.221.76", "208.67.223.76"] - Sets primary and secondary US-based Anycast addressesEnables special DNS resolver Anycast addresses that limits DNS queries to only US-based Umbrella servers. Does not affect block pages or proxy.
noNXDOMAIN0 - Do re-query (default)
1 - Do not re-query
Automatically re-query public NXDOMAINS at the local resolvers. This feature allows roaming users to resolve internal domains on networks beyond their own without interruption or internal domains list management.
Note: DNS search suffixes are automatically sent to local resolvers, unless this functionality is disabled.

Note: Be sure to modify the correct Orginfo.json file with the following path: %ProgramData%\Cisco\Cisco Secure Client\Umbrella\data


Interpret Diagnostics < Customize Windows Installation of Cisco Secure Client > Customize macOS Installation of Cisco Secure Client