Deploy Umbrella for Cisco Secure Client

The Cisco Secure Client software packages support various deployment methods. This guide describes how to install the Secure Client with the client modules and deploy the Umbrella profile on Windows or macOS devices.

Table of Contents

• Prerequisites
• Download the Cisco Secure Client and OrgInfo.json from Umbrella
• Manual Installation (Most Common for Evaluation
• Standard Installation (Most Common)
• VPN Headend (Pushed) Installation

Prerequisites

• For more information, see Prerequisites.

Download the Cisco Secure Client and OrgInfo.json from Umbrella

1. Navigate to Deployments > Roaming Computers and click Roaming Client.
2. Select and download the Cisco Secure Client deployment packages.
   a. Pre-deployment Package—Click the link to the Secure Client pre-deployment package for the operating system of the user devices in your organization.
   Note: You can not install these packages on the headend of the ASA or FTD devices.
   b. Headend Deployment Package—Click the link to the Secure Client headend deployment package for the operating system of the user devices in your organization. Then, upload the package to the ASA or FTD headend.

3. Click Download Module Profile to download the OrgInfo.json (Umbrella Roaming Security Module profile) file to your local system.

Manual Installation (Most Common for Evaluation)

1. Download the Cisco Secure Client (formerly AnyConnect). For more information, see Download the Cisco Secure Client and OrgInfo.json from Umbrella.
2. Manually install the Secure Client on the user device.
3. When you install the Secure Client, choose the software modules to install on the client.
   a. For Umbrella only, select Umbrella and DART.
   b. For Umbrella and VPN, select Core/VPN, DART, and Umbrella.

Note: The DART module is optional, but you must install this module to generate the Secure Client's troubleshooting logs. We recommend that you install the DART module.

Standard Installation (Most Common)

Standard deployments consist of manual or mass installing the client with the module's MSI installer or with the setup.exe installer contained in the client's download ZIP file.

When you install the Secure Client, choose the software modules to install on the client.
a. For Umbrella only, select Umbrella and DART.
b. For Umbrella and VPN, select Core/VPN, DART, and Umbrella.

Note: The DART module is optional, but you must install this module to generate the Secure Client's troubleshooting logs. We recommend that you install the DART module.

To begin, download the prerequisite software:

1. Download the Cisco Secure Client deployment packages from software.cisco.com or from Umbrella. For more information, see Download the Cisco Secure Client and OrgInfo.json from Umbrella.
   Cisco Secure Client is licensed for use with all Umbrella packages, but may require linking your contract ID to your Cisco account. For more information, see Standalone Roaming Client vs AnyConnect Roaming Module.
2. Download a copy of the Secure Client's configuration profile, OrgInfo.json from Umbrella. For more information, see Download the Cisco Secure Client and OrgInfo.json from Umbrella.
3. Depending on your system, drop or push the OrgInfo.json file into the client's profile directory:
   a. Windows: %ProgramData%\\Cisco\\Cisco Secure Client\\Umbrella
   b. macOS: /opt/cisco/secureclient/umbrella/

Note: To deploy the OrgInfo.json file before installing the Secure Client, create the directory for the Umbrella profile.

After you deploy the Secure Client and copy the OrgInfo.json in the Umbrella directory on the user device, the Secure Client activates the Umbrella module.

🚧

Important

When you deploy the OrgInfo.json file for the first time, it is copied to the data subdirectory (/umbrella/data), where several other registration files are also created. Therefore, if you need to deploy a replacement OrgInfo.json file, the data subdirectory must be deleted. Alternatively, you can uninstall the Umbrella Roaming Security module (which deletes the data subdirectory) and reinstall it with the new OrgInfo.json file.

The OrgInfo.json has specific information about your Umbrella dashboard instance that lets the Roaming Security module know where to report to and which policies to enforce. If you use another OrgInfo.json file from a different dashboard to install the Roaming Security module, the client computer appears in that dashboard instead.

VPN Headend (Pushed) Installation

You can deploy the Cisco Secure Client from a Cisco Secure VPN headend on ASA or FTD devices. Headend deployment of the Umbrella profile is not supported on Meraki MX devices.

Deploy the Umbrella Roaming Security Module

1. To add the Umbrella module to your VPN profile, add Umbrella from ASDM or with the following command:

webvpn 

       anyconnect modules value umbrella 

Deploy the Umbrella Profile (OrgInfo.json)

After configuring the module, you must deploy the profile. You can deploy the profile from the ASA command-line interface (CLI) or the ASDM GUI, or through ISE.

ASA CLI

1. Upload the OrgInfo.json file that you downloaded from Umbrella​ to the ASA file system. For more information, see Download the Cisco Secure Client and OrgInfo.json from Umbrella.
2. Run the following commands, substituting your value for <Group_Policy_Name>.

Note: On the ASA, filenames are case sensitive. If you upload a file named OrgInfo.json, you must maintain the case of the filename.

For example:

 

webvpn 

    anyconnect profiles orginfo disk0:/OrgInfo.json 

 

group-policy <Group_Policy_Name> attribute 

    webvpn 

        anyconnect profiles value orginfo type umbrella 

 

group-policy <Group_Policy_Name> attributes 

    webvpn 

        anyconnect modules value umbrella 

ASDM GUI

Note: You must have ASDM version 7.6.2 or higher to configure the Umbrella Roaming Security module through the GUI.

1. Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.
2. Choose Add.
3. Give the profile a name.
4. Choose the Umbrella Security Roaming Client type from the Profile Usage drop-down list. The OrgInfo.json file populates in the Profile Location field.
5. Click Upload and browse to the location of the OrgInfo.json file that you downloaded from Umbrella. For more information, see Download the Cisco Secure Client and OrgInfo.json from Umbrella.
6. Associate the profile with the DfltGrpPolicy on the Group Policy drop-down list or the policy of your choice. For information about how to specify the new module name in the group-policy,
   see Enable Additional AnyConnect Modules.

ISE

1. Upload the OrgInfo.json that you downloaded from Umbrella. For more information, see Download the Cisco Secure Client and OrgInfo.json from Umbrella.
2. Rename the file to OrgInfo.xml.
3. Follow the steps in Configure ISE to Deploy AnyConnect.

Before You Begin < Deploy Umbrella for Cisco Secure Client > Meraki Systems Manager (SM) Deployment