Customize Windows Installation of Cisco Secure Client
You can customize the installation of the Cisco Secure Client with various modules and features on Windows. The Cisco Secure Client deployment packages support several MSI properties that you can change during installation, including lockdown and disabling the display of the VPN module in the client's GUI.
Procedure
You can deploy the Cisco Secure Client for Windows using several options including:
- Hide the VPN module in the Cisco Secure Client GUI.
- Hide the Secure Client installation from the Add/Remove Windows programs list.
- Enable Lockdown mode to prevent users from stopping or disabling Secure Client services. For more information, see Configure AnyConnect Lockdown For Windows.
Deploy the Cisco Secure Client VPN Module
Run the Windows installer to deploy the Cisco Secure Client VPN package with the PRE_DEPLOY_DISABLE_VPN=1 option. This option hides the VPN module in the Secure Client's GUI, but the module is not disabled. Set the MSI property to PRE_DEPLOY_DISABLE_VPN=1.
Note:
If the VPN module is hidden in the client's GUI, you can manage the VPN module through the Cisco Secure Client's CLI.
The following command disables the VPN functionality by copying the VPNDisable_ServiceProfile.xml file embedded in the MSI to the endpoint's VPN profiles directory.
Example:
msiexec /package cisco-secure-client-win-<version>-core-vpn-predeploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* c:\\output.log
Deploy the Cisco Secure Client Umbrella Roaming Security Module
- Run the Windows installer to deploy the Cisco Secure Client Umbrella Roaming Security package.
msiexec /package cisco-secure-client-win-<version>-umbrella-predeploy-k9.msi /norestart /passive /lvx* c:\\output.log
- To enable lockdown, add LOCKDOWN=1 in the CLI.
msiexec /package cisco-secure-client-win-<version>-umbrella-predeploy-k9.msi /passive LOCKDOWN=1 /lvx* c:\\output.log
(Optional) Deploy Cisco Secure Client DART
Run the Windows installer to deploy the Secure Client DART package.
msiexec /package cisco-secure-client-win-<version>-dart-predeploy-k9.msi /norestart /passive /lvx* c:\\dart.log
Hide Cisco Secure Client Modules from Add/Remove Programs List
You can hide the installed Cisco Secure Client modules from users who have permission to view the Windows Add/Remove Programs list.
Run the Windows installer for the Cisco Secure Client package using ARPSYSTEMCOMPONENT=1.
You can apply this option to all the modules at the time of deployment.
Example:
msiexec /package cisco-secure-client-win-<version>-umbrella-predeploy-k9.msi /passive ARPSYSTEMCOMPONENT=1 /lvx* c:\\output.log
Optional OrgInfo.json Parameter Configurations
When deploying the Umbrella Roaming Security module in Cisco Secure Client, you have the flexibility to add and configure various parameters directly within the Umbrella OrgInfo.json file. Unlike the LOCKDOWN parameter, these settings are applied directly to the OrgInfo.json profile rather than during the installation process using an msiexec parameter. The following information is not applicable if executed at the time of installation.
Parameter | Values | Description |
---|---|---|
noAutoSuffix | 0 - Adds the domains (default); 1 - Does not add domains | Does not add the domains present in the DNS suffix settings in network adapters and networking properties to the Internal Domains list. This exists to enable the Umbrella roaming module to recognize local resources and domains on foreign networks. |
customUSResolvers | ["208.67.221.76", "208.67.223.76"] - Sets primary and secondary US-based AnyCast addresses | Enables special DNS resolver AnyCast addresses that limit DNS queries to only U.S.-based Umbrella servers. Does not affect block pages or proxy. |
noNXDOMAIN | 0 - Performs requery (default); 1 - Does not perform requery | Automatically requeries public NXDOMAINs at the local resolvers. This parameter allows roaming users to resolve internal domains in networks beyond their own without interruption or internal domains list management. Note: DNS search suffixes are automatically sent to local resolvers, unless this parameter is disabled. |
Note:
Modify the correct OrgInfo.json file, which is located in the following path: %ProgramData%\Cisco\Cisco Secure Client\Umbrella\data
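One way to apply the parameters from the table to the profile, as an added PowerShell example (not Cisco's code). It assumes the file is named OrgInfo.json in the directory noted above and that the 0/1 values are stored as JSON numbers, as the table shows them; the script's own parameter names are hypothetical.

```powershell
# Added example, not Cisco's code: set optional Umbrella parameters in OrgInfo.json.
# The parameter names of this script are hypothetical; run from an elevated prompt.
param(
    # Directory from the note on this page.
    [string]$DataDir = (Join-Path $env:ProgramData 'Cisco\Cisco Secure Client\Umbrella\data'),
    [ValidateRange(0, 1)][int]$NoAutoSuffix,
    [ValidateRange(0, 1)][int]$NoNXDOMAIN,
    [string[]]$CustomUSResolvers
)
$ErrorActionPreference = 'Stop'
$path = Join-Path $DataDir 'OrgInfo.json'
$raw  = Get-Content -LiteralPath $path -Raw
$org  = $raw | ConvertFrom-Json              # throws if the existing file is not valid JSON

# Collect only the settings that were passed, so untouched keys keep their current state.
$changes = [ordered]@{}
if ($PSBoundParameters.ContainsKey('NoAutoSuffix')) { $changes['noAutoSuffix'] = $NoAutoSuffix }
if ($PSBoundParameters.ContainsKey('NoNXDOMAIN'))   { $changes['noNXDOMAIN']   = $NoNXDOMAIN }
if ($PSBoundParameters.ContainsKey('CustomUSResolvers')) {
    # The only resolver addresses this page documents for customUSResolvers.
    $documented = '208.67.221.76', '208.67.223.76'
    foreach ($ip in $CustomUSResolvers) {
        if ($documented -notcontains $ip) { throw "Resolver '$ip' is not a documented address." }
    }
    $changes['customUSResolvers'] = [string[]]$CustomUSResolvers
}
if ($changes.Count -eq 0) { throw 'No parameter given; nothing to change.' }

foreach ($name in $changes.Keys) {
    # Assumption: 0/1 are stored as JSON numbers, as the table shows them.
    $org | Add-Member -NotePropertyName $name -NotePropertyValue $changes[$name] -Force
}

# Keep a copy of the original, then write UTF-8 without a byte-order mark.
Copy-Item -LiteralPath $path -Destination "$path.bak" -Force
$json = $org | ConvertTo-Json -Depth 5
[System.IO.File]::WriteAllText($path, $json, (New-Object System.Text.UTF8Encoding($false)))

# Read the file back and confirm each value; restore the original on any mismatch.
$check = Get-Content -LiteralPath $path -Raw | ConvertFrom-Json
foreach ($name in $changes.Keys) {
    if (($check.$name -join ',') -ne ($changes[$name] -join ',')) {
        [System.IO.File]::WriteAllText($path, $raw, (New-Object System.Text.UTF8Encoding($false)))
        throw "Verification failed for '$name'; original file restored."
    }
    '{0} = {1}' -f $name, ($check.$name -join ', ')
}
```

Only the parameters passed on the command line are written, so an existing key that is not named keeps its current value.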