Deploying Cisco Secure Client (formerly known as Cisco AnyConnect) using Group Policy can be challenging as there are so many limited documents related to this method (all the provided methods are based on Microsoft SCCM that follow different methods and leverages different technologies for deployment). So, I decided to document one of the most demanding methods to deploy Cisco Secure Client that all the Active Directory based networks can easily utilize it.

Notes:

• In this article, I want to deploy VPN and NAM modules (other modules installation are similar).
• All the Secure Client modules depend on Core VPN module, so this module must first be installed before any other modules installation.

Use the above MSI transformation file to lockdown the related Secure Client services to be modified by users and local administrators.

The “configuration.xml” file is the output config file from Cisco AnyConnect Profile Editor.

Now, create a GPO, linked it to an OU the your client workstations are reside there and configure it accordingly as follows:

• The “winsrv” is the server the hosts the “anyconnect” shared folder.
• The Target path is: C:\ProgramData\Cisco\Cisco Secure Client\Network Access Manager\newConfigFiles\configuration.xml

The Add Arguments field include the following values:

• /package "\\winsrv\anyconnect\cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.msi" /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 TRANSFORMS=_secure-client-win-lockdown.mst LOCKDOWN=1
• /package "\\winsrv\anyconnect\cisco-secure-client-win-5.0.05040-nam-predeploy-k9.msi" /norestart /passive TRANSFORMS=_secure-client-win-lockdown.mst LOCKDOWN=1