topic Re: It's not really a Cisco issue in Network Access Control

Disable Anyconnect Uninstallation

network@bigbenkuwait.com — Mon, 11 Mar 2019 07:31:55 GMT

Hi Guys,

I'm using Anyconnect for posturing, I've the following questions:

- How can disable the uninstall option, so the user can't uninstall it? I remember this option was there on ISE, but i can't find it.

- Also under Anyconnect, there is option "Block connections to untrusted servers", can i make it disabled so the user will not change it?

Regards

If you customize the

Marvin Rhoads — Thu, 09 Mar 2017 01:44:24 GMT

If you customize the AnyConnect msi transform, you can enable Windows lockdown (prevent users from stopping AnyConnect services) and/or hide the program in the Add/Remove program list.

These are described in the AnyConnect admin guide here:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect44/administration/guide/b_AnyConnect_Administrator_Guide_4-4/customize-localize-anyconnect.html?bookSearch=true

The settings in NAM are governed by the NAM profile (XML file). If the user changes these post deployment, it cannot be directly changed from ISE unless the product is redeployed. If you have an enterprise system (like using Windows GPOs) you could periodically re-push the file out but it could still be modified in between deployments.

(That's unlike the VPN use case in which, whenever a user connects, the local VPN profile is compared against that on the ASA and if the hashes differ, the ASA copy will be re-deployed to the client machine.)

Hi Marvin,

network@bigbenkuwait.com — Thu, 09 Mar 2017 04:54:40 GMT

Hi Marvin,

thanks for your reply.

i went through li but am confused how to do it,

could you please give more details (sorry but am beginner in this staff)

regards

How are you deploying

Marvin Rhoads — Thu, 09 Mar 2017 13:02:15 GMT

How are you deploying AnyConenct to your users? A lot depends on the method you are using.

We are pushing it via AD.

network@bigbenkuwait.com — Fri, 10 Mar 2017 11:57:36 GMT

We are pushing it via AD.

The AD admin is using a scripts as the one mentioned in the Anyconnect Admin guide, similar as the following:

msiexec /package anyconnect-win-ver-pre-deploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* <log_file_name>

msiexec /package anyconnect-websecurity-win-<version>-pre-deploy-k9.msi /norestart /passive /lvx* c:\test.log

What we require is not allowing the users to uninstall the Anyconnect and Password should be used to uninstall it by Admin.

Regards.

Hi Marvin,

network@bigbenkuwait.com — Mon, 13 Mar 2017 21:38:20 GMT

Hi Marvin,

could you please give some details?

Regards

It's not really a Cisco issue

Marvin Rhoads — Tue, 14 Mar 2017 02:50:34 GMT

It's not really a Cisco issue but rather a Windows issue. If the user does not have local administrator privilege then they should be unable to Add/Remove programs.

In such cases, elevation of privilege to run the installer always requires the user or process to provide administrator level credentials.

Thanks for your reply, but

network@bigbenkuwait.com — Tue, 14 Mar 2017 13:09:40 GMT

Thanks for your reply, but from the URL you sent me, i found the following, what about it?:

Setting Windows Lockdown—Cisco recommends that end users be given limited rights to the Cisco AnyConnect Secure Mobility Client on their device. If an end user warrants additional rights, installers can provide a lockdown capability that prevents users and local administrators from switching off or stopping the AnyConnect services. You can also stop the services from the command prompt with the service password.

The MSI installers for VPN, Network Access Manager, Web Security, Network Visibility Module, and Umbrella Roaming Security Module support a common property (LOCKDOWN). When LOCKDOWN is set to a non-zero value, Windows service(s) associated with that installer cannot be controlled by users or local administrators on the endpoint device. We recommend using the sample transform that we provide to set this property, and apply the transform to each MSI installer that you want to have locked down. You can download the sample transforms from the Cisco AnyConnect Secure Mobility Client software download page.

If you deploy the core client plus one or more optional modules, you must apply the LOCKDOWN property to each of the installers. This operation is one way only and cannot be removed unless you re-install the product.

Regards

Yes, that allows one to

Marvin Rhoads — Tue, 14 Mar 2017 13:56:28 GMT

Yes, that allows one to disallow stopping the services. I explicitly mentioned that earlier.

You had asked about preventing the application from being uninstalled.

I didn't understand how and

network@bigbenkuwait.com — Tue, 14 Mar 2017 18:07:38 GMT

I didn't understand how and where to do that?

A Windows admin foirum would

Marvin Rhoads — Wed, 15 Mar 2017 04:17:39 GMT

A Windows admin foirum would be a better place to get a comprehensive answer. However, what I'm referring to is something like this:

http://www.thewindowsclub.com/how-to-prevent-users-from-installing-programs-in-windows-7

Re: It's not really a Cisco issue

olegkatamanin — Fri, 28 Aug 2020 20:06:06 GMT

You may find great article on how to setup LOCKDOWN option that prevents ANYCONNECT service from manually being disabled and also how to Hide ANYCONNECT from ADD/REMOVE programs in Windows 'Programs and Features' list on UMBRELLA SUPPORT page

https://support.umbrella.com/hc/en-us/articles/115004629343-AnyConnect-Roaming-Security-Module-Pre-Deployment-Tips

Enable Lockdown

msiexec /package anyconnect-win-X.X.XXXXX-umbrella-predeploy-k9.msi /passive LOCKDOWN=1 /lvx*

Hide from Programs and Features

msiexec /package anyconnect-win-X.X.XXXXX-umbrella-predeploy-k9.msi /passive ARPSYSTEMCOMPONENT=1 /lvx*

Re: Disable Anyconnect Uninstallation

Iyad10 — Tue, 22 Sep 2020 17:06:44 GMT

We have two sets of users.

1st set of users: Users with AnyConnect VPN

2nd set of Users: AnyConnect VPN and Umbrella.

The challenge here that we have deployed AnyConnect Umbrella using SCCM without the "Lockdown" feature. Now we ended up that users can disable the service.

Is there a way to lockdown AnyConnect Umbrella for the 2nd set of users?