Customize Windows Installation of Cisco Secure Client
You can customize the installation of the Cisco Secure Client with various modules and features on Windows. The Cisco Secure Client deployment packages support several MSI properties that you can change during installation, including lockdown and disabling the display of the VPN module in the client's graphical user interface (GUI).
This guide describes how to deploy the Cisco Secure Client with the virtual private network (VPN), Umbrella Roaming Security, and DART (for diagnostics) modules. By default, the Cisco Secure Client deploys with the VPN module.
Table of Contents
Requirements
- Windows 8.1 or newer
- The Umbrella Roaming Security Module requires a .NET framework (4.6.2+ at the minimum)
- Windows 10/11 on ARM-64 is not supported by the Umbrella Roaming Security module
- Cisco Secure Client 5.0 or newer
- Administrative permissions on the Windows device
Prerequisites
- Download OrgInfo.json from Umbrella.
- Download the Cisco Secure Client Pre-Deployment Package (Windows). For more information, see Deploy Umbrella for Cisco Secure Client.
Procedure
You can deploy the Cisco Secure Client for Windows with several options including:
- Hide the VPN module in the Cisco Secure Client GUI.
- Hide the Cisco Secure Client installation from the Add/Remove Windows Programs list.
- Enable Lockdown.
Deploy the Cisco Secure Client VPN Module
- Run the Windows installer to deploy the Cisco Secure Client VPN package with the
PRE_DEPLOY_DISABLE_VPN=1option. ThePRE_DEPLOY_DISABLE_VPNoption hides the VPN module in the client's GUI. The VPN module is not disabled. Set the MSI property toPRE_DEPLOY_DISABLE_VPN=1.
Note: If the VPN module is hidden in the client GUI, you can manage the VPN module through the Cisco Secure Client's CLI.
The following command disables the VPN functionality by copying the VPNDisable_ServiceProfile.xml file embedded in the MSI to the directory specified for profiles for VPN functionality.
For example:
msiexec /package cisco-secure-client-win-<version>-core-vpn-predeploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* c:\\output.log
Deploy the Cisco Secure Client Umbrella Roaming Security Module
- Run the Windows installer to deploy the Cisco Secure Client Umbrella Roaming Security package.
msiexec /package cisco-secure-client-win-<version>-umbrella-predeploy-k9.msi /norestart /passive /lvx* c:\\output.log
To enable lockdown, add LOCKDOWN=1 in the command-line installer.
msiexec /package cisco-secure-client-win-<version>-umbrella-predeploy-k9.msi /passive LOCKDOWN=1 /lvx* c:\\output.log
(Optional) Deploy the Cisco Secure Client DART Module
- Run the Windows installer to deploy the Cisco Secure Client DART (diagnostics and troubleshooting) package.
msiexec /package cisco-secure-client-win-<version>-dart-predeploy-k9.msi /norestart /passive /lvx* c:\\dart.log
Hide Cisco Secure Client from Add/Remove Programs List
You can hide the installed Cisco Secure Client modules from users that have permissions to view the Windows Add/Remove Programs list.
- Run the Windows installer for the Cisco Secure Client package using
ARPSYSTEMCOMPONENT=1.
You can apply this option to all modules at the time of deployment.
For example:
msiexec /package cisco-secure-client-win-<version>-umbrella-predeploy-k9.msi /passive ARPSYSTEMCOMPONENT=1 /lvx* c:\\output.log
Optional OrgInfo.json Configurations
When deploying the Umbrella Roaming Security module on the Cisco Secure Client, you can add and configure various parameters to the Umbrella OrgInfo.json file. These parameters, unlike LOCKDOWN, are applied to the OrgInfo.json profile directly rather than at the time of installation with an msiexec parameter. The following does not apply if run at install time.
| Parameter | Values | Description |
|---|---|---|
| noAutoSuffix | 0 - Add the domains (default)1 - Do not add domains | Does not add domains contained in the DNS Suffixes settings in network adapters and networking properties to the Internal Domains list. This feature exists so that the Umbrella roaming module is more aware of local resources and domains on foreign networks. |
| customUSResolvers | ["208.67.221.76", "208.67.223.76"] - Sets primary and secondary US-based Anycast addresses | Enables special DNS resolver Anycast addresses that limits DNS queries to only US-based Umbrella servers. Does not affect block pages or proxy. |
| noNXDOMAIN | 0 - Do re-query (default)1 - Do not re-query | Automatically re-query public NXDOMAINS at the local resolvers. This feature allows roaming users to resolve internal domains on networks beyond their own without interruption or internal domains list management. Note: DNS search suffixes are automatically sent to local resolvers, unless this functionality is disabled. |
Note: Be sure to modify the correct Orginfo.json file with the following path: %ProgramData%\Cisco\Cisco Secure Client\Umbrella\data
Interpret Diagnostics < Customize Windows Installation of Cisco Secure Client > Customize macOS Installation of Cisco Secure Client
Updated about 2 months ago