
Hi all, 

I'm looking for the software script to deploy the Cisco Secure Client Umbrella module and the root certificate on Mac. 

Hey there! 

Here is the Automox created script to install root certificate on Mac: https://www.automox.com/worklets/root-certificate-installation 

And one of our other community members created this script to install the Cisco Umbrella AnyConnect agent: 

Hope that helps! 


@SophiaAX  - That script is for Windows. I was looking for the one for Mac. 


Ah, I’ll keep digging and see if I can find something! 


#!/bin/bash

# Install a root certificate into the System keychain as a trusted root.
# Must be run as root (sudo): the System keychain is not writable otherwise.

# Check that the certificate file path is provided as the only argument
if [ $# -ne 1 ]; then
    echo "Usage: $0 /path/to/certificate.pem"
    exit 1
fi

CERT_PATH="$1"

# Check that the certificate file exists
if [ ! -f "$CERT_PATH" ]; then
    echo "Certificate file not found: $CERT_PATH"
    exit 1
fi

# Import the certificate into the System keychain and mark it as a trusted root
# (-d = admin/system trust domain, -r trustRoot = trust it as a root CA)
security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "$CERT_PATH"

# Check the exit status of the security command
if [ $? -eq 0 ]; then
    echo "Certificate installed successfully."
    exit 0
else
    echo "Failed to install certificate."
    exit 1
fi
 


@slammert @anuj.johri 

Cisco Secure Client and Mac is a journey :-) Hope you have an MDM as it can get tricky! The option below will also remove the legacy OpenDNS agent if detected. 

 

I’m somewhat using instructions here: https://docs.umbrella.com/umbrella-user-guide/docs/customize-macos-installation-of-cisco-secure-client

 

For MDM Config (Avoid pop-ups and approving the app to even work)

  • Notifications (separate config)
    • Bundle ID: com.apple.btmnotificationagent
    • Disabled “allow notifications to be displayed for this app”
    • Disabled “Critical Alerts can ignore Do Not Disturb and ringer...”
  • Notifications
    • Bundle ID: com.cisco.anyconnect.notification
    • Banner alert type: Temporary
    • Notifications on Lock Screen: Hidden
    • Notifications in Notification Center: Displayed
    • Badge app icon: Displayed
    • Play sound for notifications: Enabled
  • System Extensions
    • Allowed Team IDs and System Extensions
      • DisplayName Cisco AnyConnect - Socket Filter Extension
      • System Extension Types: Allowed System Extensions
      • Team Identifier: DE8Y96K9QP
    • Allowed Team IDs and System Extensions
      • DisplayName Cisco AnyConnect - Socket Filter Extension - Network
      • System Extension Types: Allowed System Extension Types
      • Team Identifier: DE8Y96K9QP
      • Allowed System Extension Types: Network Extension
        • com.cisco.anyconnect.macos.acsockext
  • Content Filter
    • Filter Name: Cisco AnyConnect Content Filter
    • Identifier: Cisco AnyConnect Content Filter
    • Socket Filter Bundle Identifier:  com.cisco.anyconnect.macos.acsockext
    • Designated Requirement: anchor apple generic and identifier "com.cisco.anyconnect.macos.acsockext" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP)
    • Custom Data:
      Key Value
      FilterGrade firewall
      FilterPackets false
      FilterSockets true
      FilterBrowsers false
      AutoFilterEnabled false

       

  • Managed Login Items
    • Bundle Identifier
      • Rule Value: com.cisco.secureclient.vpn.service 
      • Team Identifier: DE8Y96K9QP
      • Rule comment: Cisco Secure Client - AnyConnect VPN Service.app
    • Bundle Identifier
      • Rule Value: com.cisco.secureclient.gui.LoginItemHelper
      • Team Identifier: DE8Y96K9QP
      • Rule comment: Cisco Secure Client.app
  • Notification

For this worklet, I’ve attached the following payloads

  • cisco-secure-client-macos-5.1.2.42-predeploy-k9.dmg
  • OrgInfo.json
  • umbrella.cer
  • install_choices.xml

 

AC_Transform.xml

<Transforms>
<DisableVPN>true</DisableVPN>
<DisableCustomerExperienceFeedback>true</DisableCustomerExperienceFeedback>
</Transforms>

install_choices.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_anyconnect_vpn</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_anyconnect_vpn</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_anyconnect_vpn</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_fireamp</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_fireamp</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_fireamp</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_dart</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_dart</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>1</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_dart</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_secure_firewall_posture</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_secure_firewall_posture</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_secure_firewall_posture</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_iseposture</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_iseposture</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_iseposture</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_nvm</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_nvm</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_nvm</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_secure_umbrella</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_secure_umbrella</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>1</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_secure_umbrella</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_thousandeyes</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_thousandeyes</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_thousandeyes</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_duo</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_duo</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_duo</string>
</dict>
<dict>
<key>attributeSetting</key>
<true/>
<key>choiceAttribute</key>
<string>visible</string>
<key>choiceIdentifier</key>
<string>choice_zta</string>
</dict>
<dict>
<key>attributeSetting</key>
<false/>
<key>choiceAttribute</key>
<string>enabled</string>
<key>choiceIdentifier</key>
<string>choice_zta</string>
</dict>
<dict>
<key>attributeSetting</key>
<integer>0</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>choice_zta</string>
</dict>
</array>
</plist>

 

Evaluation Code

# Detect OpenDNS (Legacy Client): if it is still present, report non-compliant
filename="/Applications/OpenDNS Roaming Client/rcuninstall"
if [ -f "$filename" ]; then
    exit 1
fi

# Detect Cisco Secure Client App: if it is missing, report non-compliant
filename="/Applications/Cisco/Cisco Secure Client.app"
if [ ! -d "$filename" ]; then
    exit 1
fi

# Both checks passed: compliant
exit 0

Remediation Code

dmg=cisco-secure-client-macos-5.1.2.42-predeploy-k9.dmg
mountPath="/Volumes/Cisco Secure Client 5.1.2.42/"

# Remove OpenDNS (Legacy Client)
filename="/Applications/OpenDNS Roaming Client/rcuninstall"
if [ -f "$filename" ]; then
    echo "Removing OpenDNS (Legacy Client)"
    "$filename"
fi

# Prepare directory for install (payload files sit in the worklet's working directory)
mkdir -p /tmp/Umbrella/
cp install_choices.xml /tmp/Umbrella/
cp umbrella.cer /tmp/Umbrella/
cp "$dmg" /tmp/Umbrella/

# Cisco Umbrella Root Certificate
# `find-certificate -c` matches on the certificate name, not its hash, so look for
# the thumbprint in the SHA-1 hash lines that -Z prints instead.
cert_thumbprint=c5091132e9adf8ad3e33932ae60a5c8fa939e824
cert_file=/tmp/Umbrella/umbrella.cer
if security find-certificate -a -Z /Library/Keychains/System.keychain 2>/dev/null | grep -qi "$cert_thumbprint"; then
    echo "Cisco Umbrella Certificate already installed."
else
    # Certificate is not installed, so proceed with installation
    if security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$cert_file"; then
        echo "Cisco Umbrella Certificate installed successfully."
    else
        echo "Failed to install Cisco Umbrella Certificate."
    fi
fi

# Path for OrgInfo.json
# (the legacy client read it from /Library/Application Support/OpenDNS Roaming Client/;
#  Cisco Secure Client reads it from /opt/cisco/secureclient/umbrella)
directory="/opt/cisco/secureclient/umbrella"
if [ ! -d "$directory" ]; then
    echo "Create directory for OrgInfo.json: $directory/"
    mkdir -p "$directory"
fi

# Copy OrgInfo.json (the name here must match the payload file name exactly)
filename="$directory/OrgInfo.json"
if [ ! -f "$filename" ]; then
    echo "Copy OrgInfo.json"
    cp "OrgInfo.json" "$directory/"
fi

# Install Cisco Secure Client
# The pkg lives inside the DMG, so attach it first; mountPath must match the DMG version.
echo "Install Cisco Secure Client"
yes | hdiutil attach -noverify -nobrowse "/tmp/Umbrella/$dmg" > /dev/null 2>&1
installer -pkg "$mountPath/Cisco Secure Client.pkg" -applyChoiceChangesXML /tmp/Umbrella/install_choices.xml -target /
hdiutil detach "$mountPath" > /dev/null 2>&1

# Validate Cisco Secure Client App Exists
filename="/Applications/Cisco/Cisco Secure Client.app"
if [[ -d "$filename" ]]; then
    echo "Cisco Secure Client Installed"
else
    echo "Cisco Secure Client is not installed or the path is incorrect."
fi

 


Hi Jack, 

I was wondering if you could help me identify what may be the cause of the issue I am getting when I run this worklet.

I followed your instructions and ran everything as you laid it out and I get the following installer error:  

installer: Error - the package path specified was invalid: '/Volumes/Cisco Secure Client 5.1.2.42//Cisco Secure Client.pkg'.

 

Thank you in advance
 


What you could do, is open that PKG on a Mac Device, then go look under /Volumes/Cisco… to see what the exact path is. Then update the worklet to what you find the PKG to be located at. 
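The lookup described above can be automated so the worklet does not hardcode `/Volumes/Cisco Secure Client <version>/` at all. This is an added example, not code from the thread or from Cisco: it reads the mount point back from `hdiutil attach -plist`, finds the single `.pkg` on that volume, installs it with the choice-changes file and detaches. `hdiutil` and `installer` only exist on macOS; the parsing helpers run anywhere, and the embedded plist is a constructed sample of what `hdiutil` prints.

```shell
#!/bin/bash
# Added example, not code from the thread: find the DMG's real mount point and
# the .pkg inside it instead of hardcoding "/Volumes/Cisco Secure Client <ver>/".
# hdiutil and installer only exist on macOS; the parsing helpers run anywhere.
set -u

# Constructed sample of `hdiutil attach -plist` output (trimmed to the keys used).
SAMPLE_HDIUTIL_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>system-entities</key>
	<array>
		<dict>
			<key>dev-entry</key>
			<string>/dev/disk4</string>
		</dict>
		<dict>
			<key>dev-entry</key>
			<string>/dev/disk4s2</string>
			<key>mount-point</key>
			<string>/Volumes/Cisco Secure Client 5.1.3.62</string>
		</dict>
	</array>
</dict>
</plist>'

# Print the first mount-point string in an hdiutil plist read from stdin.
# Volume names containing '&' come back XML-escaped, so undo that.
mount_point_from_plist() {
    awk '/<key>mount-point<\/key>/ {
            getline
            sub(/^[[:space:]]*<string>/, "")
            sub(/<\/string>[[:space:]]*$/, "")
            print
            exit
         }' | sed 's/&amp;/\&/g'
}

# Print the path of the single .pkg at the top level of a mounted volume.
# Fails when there is not exactly one, so an unexpected extra package is noticed
# rather than silently installed.
find_pkg() {
    local volume="$1" pkgs count
    pkgs="$(find "$volume" -maxdepth 1 -name '*.pkg' 2>/dev/null)"
    [ -n "$pkgs" ] || { echo "no .pkg found under $volume" >&2; return 1; }
    count="$(printf '%s\n' "$pkgs" | wc -l | tr -d ' ')"
    [ "$count" -eq 1 ] || { echo "expected one .pkg under $volume, found $count" >&2; return 1; }
    printf '%s\n' "$pkgs"
}

# macOS only: attach the image (keeping hdiutil's checksum verification, i.e.
# no -noverify), locate the package, install with the choice changes, detach.
install_from_dmg() {
    local dmg="$1" choices="$2" mount pkg status
    mount="$(hdiutil attach -nobrowse -plist "$dmg" | mount_point_from_plist)"
    [ -n "$mount" ] || { echo "hdiutil did not report a mount point" >&2; return 1; }
    pkg="$(find_pkg "$mount")" || { hdiutil detach "$mount" >/dev/null 2>&1; return 1; }
    installer -pkg "$pkg" -applyChoiceChangesXML "$choices" -target /
    status=$?
    hdiutil detach "$mount" >/dev/null 2>&1
    return "$status"
}

# Usage on a Mac, as root:
#   install_from_dmg /tmp/Umbrella/cisco-secure-client-macos-5.1.3.62-predeploy-k9.dmg \
#       /tmp/Umbrella/install_choices.xml
```

With this in place the only version-specific string left in the worklet is the DMG file name, which is also the only thing that changes between releases.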


Hi Jack, 

 Thank you for your response. I went back and examined the code and discovered a few mistakes on my part. 

I did not change the version number to match the dmg that I downloaded. Your code has the following:  

dmg=cisco-secure-client-macos-5.1.2.42-predeploy-k9.dmg
mountPath="/Volumes/Cisco Secure Client 5.1.2.42/"

And I needed to change it to this:

dmg=cisco-secure-client-macos-5.1.3.62-predeploy-k9.dmg
mountPath="/Volumes/Cisco Secure Client 5.1.3.62/"

In addition to that I didn't notice that the root certificate that you had as one of your payloads was named umbrella.cer and the cert that I downloaded from cisco was named Cisco_Umbrella_Root_CA.cer

Once I made these changes the install was successful. But I noticed that it did not have the OrgInfo.json profile installed. I had to do 2 things to get it installed (not sure if the first step was necessary):

  1. Press Shift + Command + . (period) to show hidden files 
  2. re-ran the worklet 

Good catches and script cleanup. For the OrgInfo.json, make sure the code matches the exact name of the file. 

