Hi all,
I'm looking for the software script to deploy Cisco Secure Client Umbrella module and the root certificate on Mac.
Hey there!
Here is the Automox created script to install root certificate on Mac: https://www.automox.com/worklets/root-certificate-installation
And one of our other community members created this script to Install Cisco Umbrella Anyconnect Agent:
Hope that helps!
Ah, I’ll keep digging and see if I can find something!
```bash
#!/bin/bash

# Check if the certificate file path is provided as argument
if [ $# -ne 1 ]; then
    echo "Usage: $0 /path/to/certificate.pem"
    exit 1
fi

CERT_PATH="$1"

# Check if the certificate file exists
if [ ! -f "$CERT_PATH" ]; then
    echo "Certificate file not found: $CERT_PATH"
    exit 1
fi

# Import the certificate into the system keychain
security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "$CERT_PATH"

# Check the exit status of the security command
if [ $? -eq 0 ]; then
    echo "Certificate installed successfully."
    exit 0
else
    echo "Failed to install certificate."
    exit 1
fi
```
Cisco Secure Client and Mac is a journey :-) Hope you have an MDM as it can get tricky! The option below will also remove the legacy OpenDNS agent if detected.
I’m somewhat using instructions here: https://docs.umbrella.com/umbrella-user-guide/docs/customize-macos-installation-of-cisco-secure-client
For MDM Config (Avoid pop-ups and approving the app to even work)
Key | Value |
---|---|
FilterGrade | firewall |
FilterPackets | false |
FilterSockets | true |
FilterBrowsers | false |
AutoFilterEnabled | false |
For this worklet, I’ve attached the following payloads
AC_Transform.xml
```xml
<Transforms>
    <DisableVPN>true</DisableVPN>
    <DisableCustomerExperienceFeedback>true</DisableCustomerExperienceFeedback>
</Transforms>
```
install_choices.xml
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
    <dict>
        <key>attributeSetting</key>
        <false/>
        <key>choiceAttribute</key>
        <string>visible</string>
        <key>choiceIdentifier</key>
        <string>choice_anyconnect_vpn</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <false/>
        <key>choiceAttribute</key>
        <string>enabled</string>
        <key>choiceIdentifier</key>
        <string>choice_anyconnect_vpn</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_anyconnect_vpn</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <true/>
        <key>choiceAttribute</key>
        <string>visible</string>
        <key>choiceIdentifier</key>
        <string>choice_fireamp</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <false/>
        <key>choiceAttribute</key>
        <string>enabled</string>
        <key>choiceIdentifier</key>
        <string>choice_fireamp</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_fireamp</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <false/>
        <key>choiceAttribute</key>
        <string>visible</string>
        <key>choiceIdentifier</key>
        <string>choice_dart</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <false/>
        <key>choiceAttribute</key>
        <string>enabled</string>
        <key>choiceIdentifier</key>
        <string>choice_dart</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_dart</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <true/>
        <key>choiceAttribute</key>
        <string>visible</string>
        <key>choiceIdentifier</key>
        <string>choice_secure_firewall_posture</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <false/>
        <key>choiceAttribute</key>
        <string>enabled</string>
        <key>choiceIdentifier</key>
        <string>choice_secure_firewall_posture</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_secure_firewall_posture</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <true/>
        <key>choiceAttribute</key>
        <string>visible</string>
        <key>choiceIdentifier</key>
        <string>choice_iseposture</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <false/>
        <key>choiceAttribute</key>
        <string>enabled</string>
        <key>choiceIdentifier</key>
        <string>choice_iseposture</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_iseposture</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <true/>
        <key>choiceAttribute</key>
        <string>visible</string>
        <key>choiceIdentifier</key>
        <string>choice_nvm</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <false/>
        <key>choiceAttribute</key>
        <string>enabled</string>
        <key>choiceIdentifier</key>
        <string>choice_nvm</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_nvm</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <true/>
        <key>choiceAttribute</key>
        <string>visible</string>
        <key>choiceIdentifier</key>
        <string>choice_secure_umbrella</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <true/>
        <key>choiceAttribute</key>
        <string>enabled</string>
        <key>choiceIdentifier</key>
        <string>choice_secure_umbrella</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_secure_umbrella</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <true/>
        <key>choiceAttribute</key>
        <string>visible</string>
        <key>choiceIdentifier</key>
        <string>choice_thousandeyes</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <false/>
        <key>choiceAttribute</key>
        <string>enabled</string>
        <key>choiceIdentifier</key>
        <string>choice_thousandeyes</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_thousandeyes</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <false/>
        <key>choiceAttribute</key>
        <string>visible</string>
        <key>choiceIdentifier</key>
        <string>choice_duo</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <true/>
        <key>choiceAttribute</key>
        <string>enabled</string>
        <key>choiceIdentifier</key>
        <string>choice_duo</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_duo</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <true/>
        <key>choiceAttribute</key>
        <string>visible</string>
        <key>choiceIdentifier</key>
        <string>choice_zta</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <false/>
        <key>choiceAttribute</key>
        <string>enabled</string>
        <key>choiceIdentifier</key>
        <string>choice_zta</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>choice_zta</string>
    </dict>
</array>
</plist>
```
Evaluation Code
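```bash
#!/bin/bash
# A non-zero exit tells Automox to run the remediation code

# Detect OpenDNS (Legacy Client)
filename="/Applications/OpenDNS Roaming Client/rcuninstall"
if [ -f "$filename" ]; then
    exit 1
fi

# Detect Cisco Secure Client App
filename="/Applications/Cisco/Cisco Secure Client.app"
if [ ! -d "$filename" ]; then
    exit 1
fi

# Legacy client absent and Secure Client present: compliant
exit 0
```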
Remediation Code
```bash
#!/bin/bash
dmg=cisco-secure-client-macos-5.1.2.42-predeploy-k9.dmg
mountPath="/Volumes/Cisco Secure Client 5.1.2.42"

# Remove OpenDNS (Legacy Client)
filename="/Applications/OpenDNS Roaming Client/rcuninstall"
if [ -f "$filename" ]; then
    echo "Removing OpenDNS (Legacy Client)"
    "$filename"
fi

# Prepare Directory For Install (-p so a re-run does not fail on an existing directory)
mkdir -p /tmp/Umbrella/
cp install_choices.xml /tmp/Umbrella/
cp umbrella.cer /tmp/Umbrella/
cp "$dmg" /tmp/Umbrella/

# Cisco Umbrella Root Certificate
cert_thumbprint=c5091132e9adf8ad3e33932ae60a5c8fa939e824
cert_file=/tmp/Umbrella/umbrella.cer
# find-certificate -c matches on the certificate name, not its hash,
# so list the keychain's hashes with -Z and look for the thumbprint instead
if security find-certificate -a -Z /Library/Keychains/System.keychain 2>/dev/null | grep -qi "$cert_thumbprint"; then
    echo "Cisco Umbrella Certificate already installed."
elif security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$cert_file"; then
    # Certificate was not installed and the import succeeded
    echo "Cisco Umbrella Certificate installed successfully."
else
    echo "Failed to install Cisco Umbrella Certificate."
    exit 1
fi

# Path for OrgInfo.json
##directory=/Library/Application\ Support/OpenDNS\ Roaming\ Client/
directory="/opt/cisco/secureclient/umbrella"
if [ ! -d "$directory" ]; then
    echo "Create directory for OrgInfo.json: $directory/"
    # -p creates the parent directories, which do not exist before the first install
    mkdir -p "$directory"
fi

# Copy OrgInfo.json
filename="$directory/OrgInfo.json"
if [ ! -f "$filename" ]; then
    echo "Copy OrgInfo.json"
    cp "OrgInfo.json" "$directory/"
fi

# Install Cisco Secure Client
echo "Install Cisco Secure Client"
#installer -pkg /tmp/Umbrella/Cisco\ Secure\ Client.pkg -applyChoiceChangesXML /tmp/Umbrella/install_choices.xml -target / #> /dev/null 2>&1
yes | hdiutil attach -noverify -nobrowse "/tmp/Umbrella/$dmg" > /dev/null 2>&1
installer -pkg "$mountPath/Cisco Secure Client.pkg" -applyChoiceChangesXML /tmp/Umbrella/install_choices.xml -target /
hdiutil detach "$mountPath" > /dev/null 2>&1

# Validate Cisco Secure Client App Exists
filename="/Applications/Cisco/Cisco Secure Client.app"
if [[ -d "$filename" ]]; then # Use [[ ]] for conditionals and -d to check for directory
    echo "Cisco Secure Client Installed"
else
    echo "Cisco Secure Client is not installed or the path is incorrect."
    exit 1
fi
```
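Both scripts in this thread add whatever certificate file they are handed as a trusted root. The following is an added example, not code from the thread's authors or from Automox: it compares the file's SHA-1 fingerprint with the thumbprint quoted in the remediation script before touching the System keychain. The function names are hypothetical and it assumes `openssl` is on the PATH.

```bash
#!/bin/bash
# Added example: pin the root certificate to a known thumbprint before trusting it.
# Function names are hypothetical; the thumbprint is the one quoted in the thread.
EXPECTED_SHA1="c5091132e9adf8ad3e33932ae60a5c8fa939e824"
KEYCHAIN="/Library/Keychains/System.keychain"

# Reduce "SHA1 Fingerprint=C5:09:..." or a bare hash to lowercase hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Print the SHA-1 fingerprint of a certificate file; .cer files may be PEM or DER.
cert_sha1() {
    local out
    out=$(openssl x509 -in "$1" -inform PEM -noout -fingerprint -sha1 2>/dev/null) ||
    out=$(openssl x509 -in "$1" -inform DER -noout -fingerprint -sha1 2>/dev/null) ||
    return 1
    normalize_fp "$out"
}

# True when two fingerprints are equal after normalisation.
fp_matches() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Returns 0 installed/already present, 2 unreadable certificate, 3 fingerprint mismatch.
install_pinned_root() {
    local file="$1" expected="$2" actual
    actual=$(cert_sha1 "$file") || { echo "Cannot parse certificate: $file" >&2; return 2; }
    if ! fp_matches "$actual" "$expected"; then
        echo "Refusing to trust $file: fingerprint $actual does not match" >&2
        return 3
    fi
    # -Z lists certificate hashes, so the thumbprint can be matched directly.
    if security find-certificate -a -Z "$KEYCHAIN" | grep -qi "$(normalize_fp "$expected")"; then
        echo "Certificate already present in $KEYCHAIN"
        return 0
    fi
    security add-trusted-cert -d -r trustRoot -k "$KEYCHAIN" "$file"
}

# Usage on a managed Mac (run as root):
#   install_pinned_root /tmp/Umbrella/umbrella.cer "$EXPECTED_SHA1"
```

A worklet can stop on a non-zero return so that a swapped or corrupted payload never reaches the trust store.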