cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
17560
Views
24
Helpful
4
Replies

Hiding AnyConnect VPN Module from AnyConnect GUI

MANSOORQ123
Level 1
Level 1

Dear Team

We are deploying Wired 802.1x with Posture and for that NAM is sufficient for us,

but while installing AnyConnect vpn module has to be installed and cannot be avoided, as a result VPN Tab is also visible in the AnyConnect GUI,

i need to disable VPN Tab from the anyconnect GUI, as it is not used and confusing for the end users,

We have anyconnect-win-4.1.00028-pre-deploy-k9.

We have either  manual installation of AnyConnect on PCs or Client Provisioning, we are not using MSI

Please suggest the "VPN profile" to be pushed to end users, which will hide this vpn module.

Thanks

 

Ahad

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

Your situation is highlighted in the AnyConnect Admin Guide thus:

When configuring the AnyConnect Configuration object in ISE, unchecking the VPN module under AnyConnect Module Selection does not disable the VPN on the deployed/provisioned client. You must configure VPNDisable_ServiceProfile.xml to disable the VPN tile on AnyConnect GUI. VPNDisable_ServiceProfile.xml is on CCO with the other AnyConnect files.

The xml file you need should be on the AnyConnect downloads page but it's not. There's a BugID noting that (CSCus26084). The work around in the BugID doesn't work for me but it might for you. 

The profile CAN be found in the msi file though - if you open it using 7-zip, you will find the file. It's short, so I'll just paste it here:

<?xml version="1.0" encoding="utf-8"?>
<!--
    Cisco AnyConnect VPN Profile -

    This profile is a sample intended to allow for the disabling of VPN service
    for those installations that do not require VPN support.
-->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <ServiceDisable>true</ServiceDisable>
  </ClientInitialization>
</AnyConnectProfile>

View solution in original post

4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

Your situation is highlighted in the AnyConnect Admin Guide thus:

When configuring the AnyConnect Configuration object in ISE, unchecking the VPN module under AnyConnect Module Selection does not disable the VPN on the deployed/provisioned client. You must configure VPNDisable_ServiceProfile.xml to disable the VPN tile on AnyConnect GUI. VPNDisable_ServiceProfile.xml is on CCO with the other AnyConnect files.

The xml file you need should be on the AnyConnect downloads page but it's not. There's a BugID noting that (CSCus26084). The work around in the BugID doesn't work for me but it might for you. 

The profile CAN be found in the msi file though - if you open it using 7-zip, you will find the file. It's short, so I'll just paste it here:

<?xml version="1.0" encoding="utf-8"?>
<!--
    Cisco AnyConnect VPN Profile -

    This profile is a sample intended to allow for the disabling of VPN service
    for those installations that do not require VPN support.
-->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <ServiceDisable>true</ServiceDisable>
  </ClientInitialization>
</AnyConnectProfile>

I know this one is a bit outdated, but I ran into this question again and noticed that in the answer, there isn't much of an explanation of where to put the xml file that is referenced.

 

The file can be placed (in Windows) in the "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile" folder and then the machine (or all services) need to be restarted for the tile to be removed.  

 

Additionally, you can also place the same xml file in ISE as an AnyConnect Profile in the Policy > Policy Elements > Client Provisioning > Resources section by selecting Add then Agent resources from local disk and entering the information as shown below.

 

DisableVPNGui.PNG

 

Once you have uploaded the xml file, you can then configure the AnyConnect package and add the DisableVPNGUI package to your AnyConnect settings as seen below.  Once the client downloads the new profile from ISE and consumes the new XML data, after a reboot they will no longer have the VPN GUI enabled.

 

screenshot1517937018@1X.png

 

Hope this helps for those that are looking for this.

 

-Alex

One more minor detail.... the XML profile shown above must be the *only* XML profile in the (in Windows) "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile" directory (or C:\ProgramData\Cisco\Cisco Secure Client\VPN\Profile directory for Secure Client 5.x)

 

If anyone is testing this feature with an existing client... just move your current XML profile for the VPN out of that directory and stop/start the Secure Client from the system tray 

 

(tested and working with Secure Client 5.0.02075, with Umbrella module that stayed active and visible after making this change)

 

--Ken

tdb1
Level 1
Level 1

Any guidance on how to do this on macOS? I'm guessing it would be be in one of the folder here:  /opt/cisco/secureclient

Would the xml file be the same as above?

Thanks