cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
37502
Views
41
Helpful
13
Replies

AnyConnect deploy with SCCM help

rschwart
Level 1
Level 1

We are in need of help deploying AnyConnect via Microsoft SCCM. Has anybody done this and willing to share how they did it. Our AD admin has not done this before. We need to deploy 4 msi files as well as a profile folder. We are using the SCCM to insure the users do not uninstall AnyConnect. We want to deploy using the domain admin credentials, as some users are not admins and can not install the software. During our initial test with the SCCM we got a message that a module was missing. The software was on the computer but wanted the user permission to run, but not being admin, they could not do this.

Thank you for any help.

2 Accepted Solutions

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

Here's an example that I've used successfully for NAM + ISE Posture module (and no VPN tile). You would of course substitute your version for the one I used below:

msiexec /package anyconnect-win-4.2.00096-pre-deploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 TRANSFORMS=anyconnect_client_novpn.mst
msiexec /package anyconnect-nam-win-4.2.00096-k9.msi /norestart /passive TRANSFORMS=nam.mst
msiexec /package anyconnect-iseposture-win-4.2.00096-pre-deploy-k9.msi /norestart /passive TRANSFORMS=iseposture.mst
XCopy /Y /F /C /E  "\\<server name>\<folder / subfolder name(s)>\profile.xml" "c:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\newConfigFiles\"

 

View solution in original post

It's referencing the source of the profile.xml that you telling the target host to pull down. 

In SCCM usage, the <server name> is any way the target host can see that folder. It can be the NetBIOS computer name (e.g filesvr01), fully qualified domain name (something like fs01.company.com) or even IP address (e.g., 192.168.1.100). If the file is local to the SCCM server, then your would just specify drive and folder.

View solution in original post

13 Replies 13

Marvin Rhoads
Hall of Fame
Hall of Fame

Here's an example that I've used successfully for NAM + ISE Posture module (and no VPN tile). You would of course substitute your version for the one I used below:

msiexec /package anyconnect-win-4.2.00096-pre-deploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 TRANSFORMS=anyconnect_client_novpn.mst
msiexec /package anyconnect-nam-win-4.2.00096-k9.msi /norestart /passive TRANSFORMS=nam.mst
msiexec /package anyconnect-iseposture-win-4.2.00096-pre-deploy-k9.msi /norestart /passive TRANSFORMS=iseposture.mst
XCopy /Y /F /C /E  "\\<server name>\<folder / subfolder name(s)>\profile.xml" "c:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\newConfigFiles\"

 

Marvin,

In this statement could you clarify the server referenced in \\<server name>\. Not being familiar with SCCM at all, is this the SCCM or a shared folder on another server,  or a folder on the ISE server.

Thank you for your help here.

Roger

It's referencing the source of the profile.xml that you telling the target host to pull down. 

In SCCM usage, the <server name> is any way the target host can see that folder. It can be the NetBIOS computer name (e.g filesvr01), fully qualified domain name (something like fs01.company.com) or even IP address (e.g., 192.168.1.100). If the file is local to the SCCM server, then your would just specify drive and folder.

Marvion,

Another question from our SCCM admin "Could you ask him if all the msiexec commands were enclosed in one application or package in SCCM?"

Again thank you for your assistance.Roger

You're welcome.

One of my customers developed it originally - he was an SCCM whiz kid. :)

He had the commands I listed all in a single package that was a bat file deployed via SCCM.

Marvin,

Could you reach out to my SCCM admin?

bterhune@uthsc.edu

Thank you

Roger

We prefer to keep discussion online here in CSC. I'm just a volunteer who helps out as I can. I do this in addition to my "day job".

If you need focused Cisco support please open a TAC case. If you need partner support, please reach out to your reseller. 

hi,

 

Thanks for the script it was really helpful, just one question what does TRANSFORM will do?

 

Thanks & Regards,

Dhayanithi S

Hello!

 

Is there any way yo deploy upgrade of Cisco AnyConnect Client unattended from SCCM ? 

 

So when the user is online with VPN with Cisco AnyConnect the upgrade can work then?

Hi Marvin

 

I want to know if this could work with Umbrella modulo? I need to copy OrgInfo.json like the last command Xcopy? I have the chance maybe you can tell me.

 

Thanks

bettygdurand
Level 1
Level 1

Here's an overview of the process:

  1. Prepare the AnyConnect deployment package: Ensure you have the necessary files for deployment, including the four MSI files and the profile folder. Verify that these files are accessible to the SCCM server and have the appropriate permissions.

  2. Create an application package in SCCM: Open the SCCM console and create a new application Alight Motion Mod APK package for AnyConnect. Specify the installation parameters and deployment settings according to your requirements. This includes selecting the appropriate installation program, specifying the installation command, and configuring any additional options.

  3. Define the deployment target: Specify the target collection or group of devices/users that will receive the AnyConnect deployment. This can be done by creating a device or user collection in SCCM and adding the relevant devices or users to it.

  4. Deploy the AnyConnect package: Initiate the deployment process for the AnyConnect package to the desired target collection. Configure the deployment options, such as deployment schedule, installation behavior, and user interaction settings. Choose the appropriate credentials for the deployment, such as using domain admin credentials.

  5. Monitor the deployment: Monitor the deployment process through the SCCM console to ensure that the AnyConnect package is being distributed and installed successfully. Review deployment status, logs, and any error messages to troubleshoot and address any issues encountered during the deployment.,

  6. Test and verify: After the deployment, perform testing to verify that AnyConnect is installed correctly and functioning as expected. Ensure that users can establish VPN connections and access the necessary resources.

If you encountered a missing module error during the initial test, it's possible that the module dependency was not included in the deployment package. Double-check that all required files and dependencies are included in the package and accessible to the SCCM server.

It's important to involve your AD admin, as they may need to configure appropriate permissions and policies within Active Directory to support the deployment. Additionally, consulting Cisco AnyConnect and Microsoft SCCM documentation or reaching out to their respective support channels can provide more detailed guidance specific to your setup.

Note: Handling software deployment, especially with sensitive credentials like domain admin, should be done with caution and consideration of security best practices.

Here's an overview of the process:

  1. Prepare the AnyConnect deployment package: Ensure you have the necessary files for deployment, including the four MSI files and the profile folder. Verify that these files are accessible to the SCCM server and have the appropriate permissions.

  2. Create an application package in SCCM: Open the SCCM console and create a new application package for AnyConnect. Specify the installation parameters and deployment settings according to your requirements. This includes selecting the appropriate installation program, specifying the installation command, and configuring any additional options.

  3. Define the deployment target: Specify the target collection or group of devices/users that will receive the AnyConnect deployment. This can be done by creating a device or user collection in SCCM and adding the relevant devices or users to it.

  4. Deploy the AnyConnect package: Initiate the deployment process for the AnyConnect package to the desired target collection. Configure the deployment options, such as deployment schedule, installation behavior, and user interaction settings. Choose the appropriate credentials for the deployment, such as using domain admin credentials.

  5. Monitor the deployment: Monitor the deployment process through the SCCM console to ensure that the AnyConnect package is being distributed and installed successfully. Review deployment status, logs, and any error messages to troubleshoot and address any issues encountered during the deployment.

  6. Test and verify: After the deployment, perform testing to verify that AnyConnect is installed correctly and functioning as expected. Ensure that users can establish VPN connections and access the necessary resources.

If you encountered a missing module error during the initial test, it's possible that the module dependency was not included in the deployment package. Double-check that all required files and dependencies are included in the package and accessible to the SCCM server.

It's important to involve your AD admin, as they may need to configure appropriate permissions and policies within Active Directory to support the deployment. Additionally, consulting Cisco AnyConnect and Microsoft SCCM documentation or reaching out to their respective support channels can provide more detailed guidance specific to your setup.

Note: Handling software deployment, especially with sensitive credentials like domain admin, should be done with caution and consideration of security best practices.

fintechhop
Level 1
Level 1

Certainly! Deploying Cisco AnyConnect with Microsoft System Center Configuration Manager (SCCM) involves several steps. Here's a general guide on how to do it:

  1. Download AnyConnect Package:

    • Obtain the Cisco AnyConnect installation package from the Cisco website or your organization's software repository.
  2. Prepare the SCCM Environment:

    • Ensure that your SCCM environment is properly set up and configured for software deployment.
  3. Create a Package in SCCM:

    • Open the SCCM console.
    • Go to the "Software Library" workspace.
    • Right-click on "Packages" and select "Create Package."
    • Fill in the package information, such as name, version, and manufacturer.
  4. Distribute Content:

    • After creating the package, distribute the AnyConnect installation files to distribution points within your SCCM infrastructure. Right-click the package, select "Distribute Content," and follow the wizard to distribute the package.
  5. Create a Program:

    • Within the package, create a program for the AnyConnect installation.
    • Specify the command line parameters needed for a silent installation.