Disable Anyconnect Uninstallation

Hi Guys,

I'm using AnyConnect for posturing, and I have the following questions:

- How can I disable the uninstall option so the user can't uninstall it? I remember this option was there on ISE, but I can't find it.

- Also, under AnyConnect there is the option "Block connections to untrusted servers". Can I disable it so the user will not change it?

Regards

1 Accepted Solution

Accepted Solutions

It's not really a Cisco issue but rather a Windows issue. If the user does not have local administrator privilege then they should be unable to Add/Remove programs.

In such cases, elevation of privilege to run the installer always requires the user or process to provide administrator level credentials. 

Marvin Rhoads
Hall of Fame

If you customize the AnyConnect msi transform, you can enable Windows lockdown (prevent users from stopping AnyConnect services) and/or hide the program in the Add/Remove program list.

These are described in the AnyConnect admin guide here:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect44/administration/guide/b_AnyConnect_Administrator_Guide_4-4/customize-localize-anyconnect.html?bookSearch=true

The settings in NAM are governed by the NAM profile (XML file). If the user changes these post deployment, it cannot be directly changed from ISE unless the product is redeployed. If you have an enterprise system (like using Windows GPOs) you could periodically re-push the file out but it could still be modified in between deployments.

(That's unlike the VPN use case in which, whenever a user connects, the local VPN profile is compared against that on the ASA and if the hashes differ, the ASA copy will be re-deployed to the client machine.)

Hi Marvin,

thanks for your reply.

I went through the link but am confused how to do it.

Could you please give more details? (Sorry, but I am a beginner in this stuff.)

regards

How are you deploying AnyConnect to your users? A lot depends on the method you are using.

We are pushing it via AD.

The AD admin is using scripts like the ones mentioned in the AnyConnect Admin guide, similar to the following:

msiexec /package anyconnect-win-ver-pre-deploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* <log_file_name>

msiexec /package anyconnect-websecurity-win-<version>-pre-deploy-k9.msi /norestart /passive /lvx* c:\test.log

What we require is to not allow users to uninstall AnyConnect, and a password should be required for an admin to uninstall it.

Regards.

Thanks for your reply, but from the URL you sent me I found the following. What about it?

Setting Windows Lockdown—Cisco recommends that end users be given limited rights to the Cisco AnyConnect Secure Mobility Client on their device. If an end user warrants additional rights, installers can provide a lockdown capability that prevents users and local administrators from switching off or stopping the AnyConnect services. You can also stop the services from the command prompt with the service password.

The MSI installers for VPN, Network Access Manager, Web Security, Network Visibility Module, and Umbrella Roaming Security Module support a common property (LOCKDOWN). When LOCKDOWN is set to a non-zero value, Windows service(s) associated with that installer cannot be controlled by users or local administrators on the endpoint device. We recommend using the sample transform that we provide to set this property, and apply the transform to each MSI installer that you want to have locked down. You can download the sample transforms from the Cisco AnyConnect Secure Mobility Client software download page.

If you deploy the core client plus one or more optional modules, you must apply the LOCKDOWN property to each of the installers. This operation is one way only and cannot be removed unless you re-install the product.

Regards

Yes, that allows one to disallow stopping the services. I explicitly mentioned that earlier.

You had asked about preventing the application from being uninstalled.

I didn't understand how and where to do that?

A Windows admin forum would be a better place to get a comprehensive answer. However, what I'm referring to is something like this:

http://www.thewindowsclub.com/how-to-prevent-users-from-installing-programs-in-windows-7

Hi Marvin,

could you please give some details?

Regards

You may find a great article on how to set up the LOCKDOWN option, which prevents the AnyConnect service from being manually disabled, and on how to hide AnyConnect from the Add/Remove Programs ('Programs and Features') list in Windows, on the Umbrella support page:

https://support.umbrella.com/hc/en-us/articles/115004629343-AnyConnect-Roaming-Security-Module-Pre-Deployment-Tips

Enable Lockdown

msiexec /package anyconnect-win-X.X.XXXXX-umbrella-predeploy-k9.msi /passive LOCKDOWN=1 /lvx* 

Hide from Programs and Features

msiexec /package anyconnect-win-X.X.XXXXX-umbrella-predeploy-k9.msi /passive ARPSYSTEMCOMPONENT=1 /lvx* 
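As an added example (not from the thread, the Umbrella article or Cisco), a PowerShell script that applies both properties above to one pre-deploy MSI and then audits the endpoint: whether the Programs and Features entry is hidden and whether the service is present. The MSI path, log path and the service name 'vpnagent' are assumptions; the script must run elevated.

```powershell
# Added example: deploy one AnyConnect MSI with LOCKDOWN=1 and ARPSYSTEMCOMPONENT=1,
# then verify the outcome. Each module has its own MSI, so repeat for each one.
param(
    [string]$MsiPath     = 'C:\Deploy\anyconnect-win-X.X.XXXXX-umbrella-predeploy-k9.msi', # assumption
    [string]$LogPath     = 'C:\Deploy\anyconnect-install.log',                              # assumption
    [string]$ServiceName = 'vpnagent'   # assumption: AnyConnect VPN agent service name
)

# 1. Install with both properties in one pass.
$msiArgs = @(
    '/package', "`"$MsiPath`"",
    '/norestart', '/passive',
    'LOCKDOWN=1',             # services cannot be stopped by users or local admins
    'ARPSYSTEMCOMPONENT=1',   # hide the entry in Programs and Features
    '/lvx*', "`"$LogPath`""
)
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {   # 3010 = success, reboot required
    throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath"
}

# 2. ARPSYSTEMCOMPONENT=1 writes SystemComponent=1 under the product's Uninstall key,
#    which is what keeps it out of Programs and Features. Check both 32/64-bit hives.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$entries = Get-ChildItem -Path $uninstallRoots -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.DisplayName -like 'Cisco AnyConnect*' }
foreach ($e in $entries) {
    $hidden = ($e.SystemComponent -eq 1)
    '{0,-60} hidden from Programs and Features: {1}' -f $e.DisplayName, $hidden
}

# 3. Confirm the locked-down service exists and is running. LOCKDOWN restricts who may
#    stop it, so verify state here rather than by attempting a stop on a production host.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) { Write-Warning "Service '$ServiceName' not found" }
else { '{0} status: {1}' -f $svc.Name, $svc.Status }
```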

Iyad10
Level 1

We have two sets of users.

1st set of users: Users with AnyConnect VPN

2nd set of Users: AnyConnect VPN and Umbrella.

The challenge here is that we have deployed AnyConnect Umbrella using SCCM without the "Lockdown" feature. Now we have ended up with users being able to disable the service.

Is there a way to lockdown AnyConnect Umbrella for the 2nd set of users?
