Hi all,
I'm looking for the software script to deploy Cisco Secure Client Umbrella module and the root certificate on Mac.
Hey there!
Here is the Automox created script to install root certificate on Mac: https://www.automox.com/worklets/root-certificate-installation
And one of our other community members created this script to Install Cisco Umbrella Anyconnect Agent:
Hope that helps!
Ah, I’ll keep digging and see if I can find something!
#!/bin/bash
# Check if the certificate file path is provided as argument
if [ $# -ne 1 ]; then
echo "Usage: $0 /path/to/certificate.pem"
exit 1
fi
CERT_PATH="$1"
# Check if the certificate file exists
if [ ! -f "$CERT_PATH" ]; then
echo "Certificate file not found: $CERT_PATH"
exit 1
fi
# Import the certificate into the system keychain
security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "$CERT_PATH"
# Check the exit status of the security command
if [ $? -eq 0 ]; then
echo "Certificate installed successfully."
exit 0
else
echo "Failed to install certificate."
exit 1
fi
Cisco Secure Client and Mac is a journey :-) Hope you have an MDM as it can get tricky! The option below will also remove the legacy OpenDNS agent if detected.
I’m somewhat using instructions here: https://docs.umbrella.com/umbrella-user-guide/docs/customize-macos-installation-of-cisco-secure-client
For MDM Config (Avoid pop-ups and approving the app to even work)
Key | Value |
---|---|
FilterGrade | firewall |
FilterPackets | false |
FilterSockets | true |
FilterBrowsers | false |
AutoFilterEnabled | false |
For this worklet, I’ve attached the following payloads
AC_Transform.xml
<Transforms>
<DisableVPN>true</DisableVPN>
<DisableCustomerExperienceFeedback>true</DisableCustomerExperienceFeedback>
</Transforms>
install_choices.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_anyconnect_vpn</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_anyconnect_vpn</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_anyconnect_vpn</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_fireamp</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_fireamp</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_fireamp</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_dart</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_dart</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>1</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_dart</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_secure_firewall_posture</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_secure_firewall_posture</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_secure_firewall_posture</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_iseposture</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_iseposture</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_iseposture</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_nvm</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_nvm</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_nvm</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_secure_umbrella</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_secure_umbrella</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>1</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_secure_umbrella</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_thousandeyes</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_thousandeyes</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_thousandeyes</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_duo</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_duo</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_duo</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_zta</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_zta</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_zta</string>
</dict>
</array>
</plist>
Evaluation Code
# Detect OpenDNS (Legacy Client)
filename=/Applications/OpenDNS\ Roaming\ Client/rcuninstall
if [ -f "$filename" ]; then
exit 1
fi
# Detect Cisco Secure Client App
filename=/Applications/Cisco/Cisco\ Secure\ Client.app
if [ ! -d "$filename" ]; then
exit 1
fi
Remediation Code
dmg=cisco-secure-client-macos-5.1.2.42-predeploy-k9.dmg
mountPath="/Volumes/Cisco Secure Client 5.1.2.42/"
# Remove OpenDNS (Legacy Client)
filename=/Applications/OpenDNS\ Roaming\ Client/rcuninstall
if [ -f "$filename" ]; then
echo "Removing OpenDNS (Legacy Client)"
/Applications/OpenDNS\ Roaming\ Client/rcuninstall
fi
# Prepare Directory For Install
mkdir -p /tmp/Umbrella/
scp install_choices.xml /tmp/Umbrella/
scp umbrella.cer /tmp/Umbrella/
scp "$dmg" /tmp/Umbrella/
# Cisco Umbrella Root Certificate
cert_thumbprint=c5091132e9adf8ad3e33932ae60a5c8fa939e824
cert_file=/tmp/Umbrella/umbrella.cer
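# find-certificate -c matches on the common name, so list SHA-1 hashes with -Z and search them for the thumbprint
security find-certificate -a -Z /Library/Keychains/System.keychain 2>/dev/null | grep -qi "$cert_thumbprint"
if [[ $? -eq 0 ]]; then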
echo "Cisco Umbrella Certificate already installed."
else
# Certificate is not installed, so proceed with installation
security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$cert_file"
echo "Cisco Umbrella Certificate installed successfully."
fi
# Path for OrgInfo.json
##directory=/Library/Application\ Support/OpenDNS\ Roaming\ Client/
directory="/opt/cisco/secureclient/umbrella"
if [ ! -d "$directory" ]; then
echo "Create directory for OrgInfo.json: /opt/cisco/secureclient/umbrella/"
mkdir -p /opt/cisco/secureclient/umbrella
fi
# Copy OrgInfo.json
filename=/opt/cisco/secureclient/umbrella/OrgInfo.json
if [ ! -f "$filename" ]; then
echo "Copy OrgInfo.json"
scp "OrgInfo.json" /opt/cisco/secureclient/umbrella/
fi
# Install Cisco Secure Client
echo "Install Cisco Secure Client"
#installer -pkg /tmp/Umbrella/Cisco\ Secure\ Client.pkg -applyChoiceChangesXML /tmp/Umbrella/install_choices.xml -target / #> /dev/null 2>&1
yes | hdiutil attach -noverify -nobrowse "/tmp/Umbrella/$dmg" > /dev/null 2>&1
installer -pkg "$mountPath/Cisco Secure Client.pkg" -applyChoiceChangesXML /tmp/Umbrella/install_choices.xml -target /
hdiutil detach "$mountPath" > /dev/null 2>&1
# Validate Cisco Secure Client App Exists
filename="/Applications/Cisco/Cisco Secure Client.app"
if [[ -d "$filename" ]]; then # Use [[ ]] for conditionals and -d to check for directory
echo "Cisco Secure Client Installed"
else
echo "Cisco Secure Client is not installed or the path is incorrect."
fi
Hi Jack,
I was wondering if you could help me identify what may be the cause of the issue I am getting when I run this worklet.
I followed your instructions and ran everything as you laid it out and I get the following installer error:
installer: Error - the package path specified was invalid: '/Volumes/Cisco Secure Client 5.1.2.42//Cisco Secure Client.pkg'.
Thank you in advance
What you could do, is open that PKG on a Mac Device, then go look under /Volumes/Cisco… to see what the exact path is. Then update the worklet to what you find the PKG to be located at.
Hi Jack,
Thank you for your response. I went back and examined the code and discovered a few mistakes on my part.
I did not change the version number to match the dmg that I downloaded. Your code has the following:
dmg=cisco-secure-client-macos-5.1.2.42-predeploy-k9.dmg
mountPath="/Volumes/Cisco Secure Client 5.1.2.42/"
And I needed to change it to this:
dmg=cisco-secure-client-macos-5.1.3.62-predeploy-k9.dmg
mountPath="/Volumes/Cisco Secure Client 5.1.3.62/"
In addition to that, I didn't notice that the root certificate that you had as one of your payloads was named umbrella.cer and the cert that I downloaded from Cisco was named Cisco_Umbrella_Root_CA.cer.
Once I made these changes the install was successful. But I noticed that it did not have the OrgInfo.json profile installed. I had to do 2 things to get it installed ( not sure if the first step was necessary )
Good catches and script cleanup. For the OrgInfo.json, make sure the code matches the exact name of the file.
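The installer error in this thread came from a mount path that hard-codes the DMG version. As an added example (not part of the original posts), the functions below read the mount point from the `hdiutil attach` output and locate the package inside it, so only the DMG file name changes between releases. The function names are hypothetical, and the code assumes `hdiutil attach` prints tab-separated lines with the mount point in the last column.

```shell
#!/bin/bash
# Added example, not part of the original worklet. Function names are hypothetical.

# Read `hdiutil attach` output on stdin and print the mounted volume path.
# Assumes tab-separated columns with the mount point last; fails if none is found.
mount_point_from_attach() {
  awk -F'\t' '{ v = $NF; sub(/[ \t]+$/, "", v); if (v ~ /^\/Volumes\//) mp = v }
              END { if (mp == "") exit 1; print mp }'
}

# Print the single .pkg at the top level of a volume ($1); fail on none or several.
# A trailing slash on $1 is dropped so the result has no "//" in it.
pkg_in_volume() {
  local vol="${1%/}" count=0 found="" f
  for f in "$vol"/*.pkg; do
    [ -e "$f" ] || continue
    found="$f"
    count=$((count + 1))
  done
  [ "$count" -eq 1 ] || return 1
  printf '%s\n' "$found"
}

# Attach the DMG ($1), install with the choices file ($2), always detach.
install_from_dmg() {
  local out vol pkg rc
  out=$(hdiutil attach -nobrowse "$1") || return 1
  vol=$(printf '%s\n' "$out" | mount_point_from_attach) || return 1
  if pkg=$(pkg_in_volume "$vol"); then
    installer -pkg "$pkg" -applyChoiceChangesXML "$2" -target /
    rc=$?
  else
    echo "No unique .pkg found in $vol" >&2
    rc=1
  fi
  hdiutil detach "$vol" >/dev/null 2>&1
  return "$rc"
}

# Usage inside the worklet:
#   install_from_dmg "/tmp/Umbrella/$dmg" /tmp/Umbrella/install_choices.xml || exit 1
```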