Question

Worklet to deploy Cisco Secure Client Umbrella module on Mac

  • 27 March 2024
  • 5 replies
  • 54 views


Hi all, 

I'm looking for the software script to deploy the Cisco Secure Client Umbrella module and the root certificate on Mac. 


5 replies

Userlevel 5
Badge

Hey there! 

Here is the Automox created script to install root certificate on Mac: https://www.automox.com/worklets/root-certificate-installation 

And one of our other community members created this script to Install Cisco Umbrella Anyconnect Agent: 

Hope that helps! 

Badge

@SophiaAX  - That script is for Windows. I was looking for the one for Mac. 

Userlevel 5
Badge

@SophiaAX  - That script is for Windows. I was looking for the one for Mac. 

Ah, I’ll keep digging and see if I can find something! 

Userlevel 1
Badge

#!/bin/bash

# Check if the certificate file path is provided as argument
if [ $# -ne 1 ]; then
    echo "Usage: $0 /path/to/certificate.pem"
    exit 1
fi

CERT_PATH="$1"

# Check if the certificate file exists
if [ ! -f "$CERT_PATH" ]; then
    echo "Certificate file not found: $CERT_PATH"
    exit 1
fi

# Import the certificate into the system keychain
security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "$CERT_PATH"

# Check the exit status of the security command
if [ $? -eq 0 ]; then
    echo "Certificate installed successfully."
    exit 0
else
    echo "Failed to install certificate."
    exit 1
fi
 

Userlevel 5
Badge +1

@slammert @anuj.johri 

Cisco Secure Client and Mac is a journey :-) Hope you have an MDM as it can get tricky! The option below will also remove the legacy OpenDNS agent if detected. 

 

I’m somewhat using instructions here: https://docs.umbrella.com/umbrella-user-guide/docs/customize-macos-installation-of-cisco-secure-client

 

For MDM Config (Avoid pop-ups and approving the app to even work)

  • Notifications (separate config)
    • Bundle ID: com.apple.btmnotificationagent
    • Disabled “allow notifications to be displayed for this app”
    • Disabled “Critical Alerts can ignore Do Not Disturb and ringer...”
  • Notifications
    • Bundle ID: com.cisco.anyconnect.notification
    • Banner alert type: Temporary
    • Notifications on Lock Screen: Hidden
    • Notifications in Notification Center: Displayed
    • Badge app icon: Displayed
    • Play sound for notifications: Enabled
  • System Extensions
    • Allowed Team IDs and System Extensions
      • DisplayName Cisco AnyConnect - Socket Filter Extension
      • System Extension Types: Allowed System Extensions
      • Team Identifier: DE8Y96K9QP
    • Allowed Team IDs and System Extensions
      • DisplayName Cisco AnyConnect - Socket Filter Extension - Network
      • System Extension Types: Allowed System Extension Types
      • Team Identifier: DE8Y96K9QP
      • Allowed System Extension Types: Network Extension
        • com.cisco.anyconnect.macos.acsockext
  • Content Filter
    • Filter Name: Cisco AnyConnect Content Filter
    • Identifier: Cisco AnyConnect Content Filter
    • Socket Filter Bundle Identifier:  com.cisco.anyconnect.macos.acsockext
    • Designated Requirement: anchor apple generic and identifier "com.cisco.anyconnect.macos.acsockext" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP)
    • Custom Data (key: value)
      • FilterGrade: firewall
      • FilterPackets: false
      • FilterSockets: true
      • FilterBrowsers: false
      • AutoFilterEnabled: false

  • Managed Login Items
    • Bundle Identifier
      • Rule Value: com.cisco.secureclient.vpn.service 
      • Team Identifier: DE8Y96K9QP
      • Rule comment: Cisco Secure Client - AnyConnect VPN Service.app
    • Bundle Identifier
      • Rule Value: com.cisco.secureclient.gui.LoginItemHelper
      • Team Identifier: DE8Y96K9QP
      • Rule comment: Cisco Secure Client.app
  • Notification

For this worklet, I’ve attached the following payloads

  • cisco-secure-client-macos-5.1.2.42-predeploy-k9.dmg
  • OrgInfo.json
  • umbrella.cer
  • install_choices.xml

 

AC_Transform.xml

<Transforms>
<DisableVPN>true</DisableVPN>
<DisableCustomerExperienceFeedback>true</DisableCustomerExperienceFeedback>
</Transforms>

install_choices.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_anyconnect_vpn</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_anyconnect_vpn</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_anyconnect_vpn</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_fireamp</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_fireamp</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_fireamp</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_dart</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_dart</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>1</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_dart</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_secure_firewall_posture</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_secure_firewall_posture</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_secure_firewall_posture</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_iseposture</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_iseposture</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_iseposture</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_nvm</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_nvm</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_nvm</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_secure_umbrella</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_secure_umbrella</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>1</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_secure_umbrella</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_thousandeyes</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_thousandeyes</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_thousandeyes</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_duo</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_duo</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_duo</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_zta</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_zta</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_zta</string>
</dict>
</array>
</plist>

 

Evaluation Code

#!/bin/bash
# Automox evaluation convention: exit 1 = non-compliant (remediation runs), exit 0 = compliant

# Detect OpenDNS (Legacy Client): if it is still present, remediation must clean it up
filename="/Applications/OpenDNS Roaming Client/rcuninstall"
if [ -f "$filename" ]; then
    exit 1
fi

# Detect Cisco Secure Client App
filename="/Applications/Cisco/Cisco Secure Client.app"
if [ ! -d "$filename" ]; then
    exit 1
fi

exit 0

Remediation Code

#!/bin/bash
dmg=cisco-secure-client-macos-5.1.2.42-predeploy-k9.dmg
mountPath="/Volumes/Cisco Secure Client 5.1.2.42"

# Remove OpenDNS (Legacy Client)
filename="/Applications/OpenDNS Roaming Client/rcuninstall"
if [ -f "$filename" ]; then
    echo "Removing OpenDNS (Legacy Client)"
    "$filename"
fi

# Prepare Directory For Install (payloads are staged in the worklet's working directory)
mkdir -p /tmp/Umbrella/
cp install_choices.xml /tmp/Umbrella/
cp umbrella.cer /tmp/Umbrella/
cp "$dmg" /tmp/Umbrella/

# Cisco Umbrella Root Certificate
# 'find-certificate -c' matches on common name, not on the hash, so a thumbprint
# never matches that way; list the SHA-1 hashes with -Z and grep for it instead.
cert_thumbprint=c5091132e9adf8ad3e33932ae60a5c8fa939e824
cert_file=/tmp/Umbrella/umbrella.cer
if security find-certificate -a -Z /Library/Keychains/System.keychain 2>/dev/null | grep -qi "$cert_thumbprint"; then
    echo "Cisco Umbrella Certificate already installed."
else
    # Certificate is not installed, so proceed with installation
    if security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$cert_file"; then
        echo "Cisco Umbrella Certificate installed successfully."
    else
        echo "Failed to install Cisco Umbrella Certificate."
        exit 1
    fi
fi

# Path for OrgInfo.json
##directory=/Library/Application\ Support/OpenDNS\ Roaming\ Client/
directory="/opt/cisco/secureclient/umbrella"
if [ ! -d "$directory" ]; then
    echo "Create directory for OrgInfo.json: $directory/"
    mkdir -p "$directory"
fi

# Copy OrgInfo.json
filename="$directory/OrgInfo.json"
if [ ! -f "$filename" ]; then
    echo "Copy OrgInfo.json"
    cp "OrgInfo.json" "$directory/"
fi

# Install Cisco Secure Client
echo "Install Cisco Secure Client"
#installer -pkg /tmp/Umbrella/Cisco\ Secure\ Client.pkg -applyChoiceChangesXML /tmp/Umbrella/install_choices.xml -target / #> /dev/null 2>&1

# 'yes' answers any licence prompt the DMG presents; -noverify skips the checksum pass
yes | hdiutil attach -noverify -nobrowse "/tmp/Umbrella/$dmg" > /dev/null 2>&1
installer -pkg "$mountPath/Cisco Secure Client.pkg" -applyChoiceChangesXML /tmp/Umbrella/install_choices.xml -target /
hdiutil detach "$mountPath" > /dev/null 2>&1

# Validate Cisco Secure Client App Exists
filename="/Applications/Cisco/Cisco Secure Client.app"
if [[ -d "$filename" ]]; then # Use [[ ]] for conditionals and -d to check for directory
    echo "Cisco Secure Client Installed"
else
    echo "Cisco Secure Client is not installed or the path is incorrect."
    exit 1
fi

 
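As an added example (not from the thread, Automox or Cisco), a pre-flight check that a worklet could run before touching the keychain or calling installer: it verifies that the umbrella.cer payload really has the SHA-1 thumbprint the remediation above pins, and that install_choices.xml selects only the intended modules. The thumbprint and choice identifiers come from the post above; the inputs in the test are constructed.

```python
import base64
import hashlib
import plistlib
import re

# Thumbprint pinned by the remediation script above; modules it intends to install.
EXPECTED_THUMBPRINT = "c5091132e9adf8ad3e33932ae60a5c8fa939e824"
INTENDED_CHOICES = {"choice_secure_umbrella", "choice_dart"}

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_sha1(data: bytes) -> str:
    """SHA-1 thumbprint of a certificate given as PEM or DER bytes.

    The keychain thumbprint is the SHA-1 of the DER encoding, so a PEM
    body is base64-decoded first; anything else is treated as DER already.
    """
    m = PEM_RE.search(data)
    der = base64.b64decode(m.group(1)) if m else data
    return hashlib.sha1(der).hexdigest()


def cert_is_pinned(data: bytes, expected: str) -> bool:
    """True only if the payload certificate is the root we intend to trust."""
    return cert_sha1(data) == expected.replace(":", "").lower()


def selected_choices(plist_bytes: bytes) -> set:
    """Choice identifiers whose 'selected' attribute is 1 in a choiceChangesXML plist."""
    return {
        entry["choiceIdentifier"]
        for entry in plistlib.loads(plist_bytes)
        if entry["choiceAttribute"] == "selected" and entry["attributeSetting"] == 1
    }


def preflight(cert_bytes: bytes, choices_bytes: bytes) -> list:
    """Problems that should stop the worklet before it installs a trust root or runs installer."""
    problems = []
    if not cert_is_pinned(cert_bytes, EXPECTED_THUMBPRINT):
        problems.append("umbrella.cer thumbprint %s is not the pinned root" % cert_sha1(cert_bytes))
    extra = selected_choices(choices_bytes) - INTENDED_CHOICES
    if extra:
        problems.append("install_choices.xml selects unintended modules: %s" % sorted(extra))
    return problems
```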
