
Hiding AnyConnect VPN Module from AnyConnect GUI

Dear Team

We are deploying Wired 802.1x with Posture, and for that NAM is sufficient for us,

but while installing AnyConnect, the VPN module has to be installed and cannot be avoided; as a result the VPN tab is also visible in the AnyConnect GUI.

I need to disable the VPN tab in the AnyConnect GUI, as it is not used and is confusing for the end users.

We have anyconnect-win-4.1.00028-pre-deploy-k9.

We use either manual installation of AnyConnect on PCs or Client Provisioning; we are not using MSI.

Please suggest the "VPN profile" to be pushed to end users, which will hide this VPN module.

Thanks

 

Ahad

1 ACCEPTED SOLUTION

Your situation is highlighted in the AnyConnect Admin Guide thus:

When configuring the AnyConnect Configuration object in ISE, unchecking the VPN module under AnyConnect Module Selection does not disable the VPN on the deployed/provisioned client. You must configure VPNDisable_ServiceProfile.xml to disable the VPN tile on AnyConnect GUI. VPNDisable_ServiceProfile.xml is on CCO with the other AnyConnect files.

The xml file you need should be on the AnyConnect downloads page but it's not. There's a BugID noting that (CSCus26084). The workaround in the BugID doesn't work for me but it might for you.

The profile CAN be found in the msi file though - if you open it using 7-zip, you will find the file. It's short, so I'll just paste it here:

<?xml version="1.0" encoding="utf-8"?>
<!--
    Cisco AnyConnect VPN Profile -

    This profile is a sample intended to allow for the disabling of VPN service
    for those installations that do not require VPN support.
-->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <ServiceDisable>true</ServiceDisable>
  </ClientInitialization>
</AnyConnectProfile>

Re: Your situation is highlighted

I know this one is a bit outdated, but I ran into this question again and noticed that in the answer, there isn't much of an explanation of where to put the xml file that is referenced.

The file can be placed (in Windows) in the "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile" folder and then the machine (or all services) needs to be restarted for the tile to be removed.

Additionally, you can also place the same xml file in ISE as an AnyConnect Profile in the Policy > Policy Elements > Client Provisioning > Resources section by selecting Add then Agent resources from local disk and entering the information as shown below.

[Screenshot: DisableVPNGui.PNG]

Once you have uploaded the xml file, you can then configure the AnyConnect package and add the DisableVPNGUI package to your AnyConnect settings as seen below. Once the client downloads the new profile from ISE and consumes the new XML data, after a reboot they will no longer have the VPN GUI enabled.

[Screenshot: screenshot1517937018@1X.png]

Hope this helps for those that are looking for this.

-Alex
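
One way to confirm on an endpoint that the profile described in the posts above actually landed, as an added example that is not part of the original posts and is not Cisco's code: it reads every XML profile in the folder named in the reply and reports its ServiceDisable value. The function name is hypothetical, and the default path is the one quoted in the reply.

```powershell
# Added example (not Cisco's code): audit the AnyConnect VPN profile folder.
# Get-AnyConnectVpnDisableState is a hypothetical helper name.
function Get-AnyConnectVpnDisableState {
    param(
        # Default is the folder quoted in the reply above.
        [string]$ProfileDir = (Join-Path $env:ProgramData 'Cisco\Cisco AnyConnect Secure Mobility Client\Profile')
    )
    if (-not (Test-Path -LiteralPath $ProfileDir -PathType Container)) {
        throw "Profile folder not found: $ProfileDir"
    }
    # Refuse DTDs so a tampered profile cannot pull in external entities.
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit

    foreach ($file in Get-ChildItem -LiteralPath $ProfileDir -Filter '*.xml' -File) {
        $state  = 'NotSet'
        $reader = $null
        try {
            $reader = [System.Xml.XmlReader]::Create($file.FullName, $settings)
            $doc = New-Object System.Xml.XmlDocument
            $doc.Load($reader)
            # The sample profile declares this default namespace, so XPath needs a prefix.
            $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
            $ns.AddNamespace('ac', 'http://schemas.xmlsoap.org/encoding/')
            $node = $doc.SelectSingleNode('/ac:AnyConnectProfile/ac:ClientInitialization/ac:ServiceDisable', $ns)
            if ($node) { $state = $node.InnerText.Trim() }
        } catch {
            # Malformed or DTD-bearing files are reported, not silently skipped.
            $state = "Unreadable: $($_.Exception.Message)"
        } finally {
            if ($reader) { $reader.Dispose() }
        }
        [pscustomobject]@{
            Profile        = $file.Name
            ServiceDisable = $state
            LastWriteTime  = $file.LastWriteTime
        }
    }
}

$results = @(Get-AnyConnectVpnDisableState)
$results | Format-Table -AutoSize
if (-not ($results | Where-Object { $_.ServiceDisable -eq 'true' })) {
    Write-Warning 'No profile in this folder sets ServiceDisable to true.'
}
```

The check only confirms what is on disk; per the reply, the machine or the AnyConnect services still need a restart before the tile disappears.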