Cisco Secure Client + Umbrella, Part 2: MDM Profiles
You'll want a few MDM profiles ready to go before you begin deploying Cisco Secure Client 5.x with the Umbrella module

Now that we've sourced the necessary installer and support files, let's look at the MDM profiles needed to support Cisco Secure Client with the Umbrella module. In total, we're looking at five payloads as of April 2024:
- Certificate - Cisco Secure Client - Umbrella Roaming Client Root
- Content Filter - Cisco Secure Client
- System Extension - Cisco Secure Client
- Managed Login Item - Cisco Secure Client
- Notifications - Cisco Secure Client
As of version 5.1.2, I've encountered some odd behavior on a small percentage of devices when installing just the Umbrella module without the VPN components. I may recommend installing both for the foreseeable future, to err on the side of safety. Let's check out those profiles.
1 - Certificate
This is a relatively simple one - fetch the certificate from Cisco's guide here. Create a new Certificate payload, set the type to "root" and attach the certificate.
2 - Content Filter
Cisco's guide on this payload can be found here. You can manually create the profile or scroll to the bottom of the page, copy the sample profile, save it, and upload it to your MDM. If you'd rather build it in an MDM profile editor, here are the values you'll need:
| Property | Value |
|---|---|
| AutoFilterEnabled | false |
| FilterBrowsers | false |
| FilterSockets | true |
| FilterPackets | false |
| FilterGrade | firewall |
| FilterDataProviderBundleIdentifier | com.cisco.anyconnect.macos.acsockext |
| FilterDataProviderDesignatedRequirement | anchor apple generic and identifier "com.cisco.anyconnect.macos.acsockext" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP) |
| PluginBundleID | com.cisco.anyconnect.macos.acsock |
| VendorConfig | |
| UserDefinedName | Cisco AnyConnect Content Filter |
Note that if you use the sample profile provided by Cisco, it also includes...
3 - System Extension
The System Extension approval profile is very straightforward. If you've copied Cisco's sample profile from the link above, it includes this setting and the kernel extension approval. If you build this yourself, create entries for:
- Team ID: DE8Y96K9QP
- Bundle ID: com.cisco.anyconnect.macos.acsockext
Add these to the "Allowed System Extensions" payload. You can optionally add these values to the "Removable System Extensions" payload if you want to make uninstallation smoother in the future.
4 - Managed Login Item (Service Management)
Use this profile to ensure users can't easily deactivate the Umbrella module on their managed workstation. Create a new profile with two "Bundle Identifier" records:
- com.cisco.secureclient.vpn.service
- com.cisco.secureclient.gui
5 - Notifications
Notifications for Cisco Secure Client can spawn from a few different places depending on which modules you're installing. If you're sticking with just the Umbrella Module and VPN, create these three app bundle ID records:
- com.cisco.secureclient.gui
- com.cisco.secureclient.vpn.service
- com.cisco.secureclient.vpn.notification
You can alter the Notification settings for each bundle ID based on your environment.
Create these five MDM Profiles using your preferred MDM Profile creator. I tend to leverage the one built into my MDM provider, then desktop apps like iMazing Profile Editor, and fall back to a plaintext editor if needed. Once those have been uploaded, it's time to look at assembling an installation script.
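Before uploading, a hand-built profile can be checked against the values in sections 2 to 4. The following is an added example, not code from Cisco or from this post: the function names and the sample profile are constructed, and the payload types and keys outside the table (`com.apple.webcontent-filter`, `com.apple.system-extension-policy`, `com.apple.servicemanagement`, `AllowedSystemExtensions`, `Rules`) are Apple's, not named on this page.

```python
import plistlib

TEAM_ID = "DE8Y96K9QP"
SOCKEXT = "com.cisco.anyconnect.macos.acsockext"
# Designated requirement exactly as given in the Content Filter table.
DR = ('anchor apple generic and identifier "com.cisco.anyconnect.macos.acsockext" and '
      '(certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or '
      'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
      'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
      'certificate leaf[subject.OU] = DE8Y96K9QP)')
# Expected Content Filter values (section 2) and managed login items (section 4).
EXPECTED_FILTER = {"AutoFilterEnabled": False, "FilterBrowsers": False, "FilterSockets": True,
                   "FilterPackets": False, "FilterGrade": "firewall",
                   "FilterDataProviderBundleIdentifier": SOCKEXT,
                   "FilterDataProviderDesignatedRequirement": DR,
                   "PluginBundleID": "com.cisco.anyconnect.macos.acsock"}
LOGIN_ITEMS = {"com.cisco.secureclient.vpn.service", "com.cisco.secureclient.gui"}

def norm(v):
    """Collapse whitespace in strings so a reflowed requirement still compares equal."""
    return " ".join(v.split()) if isinstance(v, str) else v

def audit_profile(data: bytes) -> list:
    """Return findings for one .mobileconfig; an empty list means it matches the page."""
    payloads = {p.get("PayloadType"): p for p in plistlib.loads(data).get("PayloadContent", [])}
    findings = []
    cf = payloads.get("com.apple.webcontent-filter")
    if cf is None:
        findings.append("content filter payload missing")
    else:
        findings += [f"content filter {k} is {cf.get(k)!r}" for k, want in EXPECTED_FILTER.items()
                     if norm(cf.get(k)) != want]
    policy = payloads.get("com.apple.system-extension-policy", {})
    allowed = policy.get("AllowedSystemExtensions", {})
    if SOCKEXT not in allowed.get(TEAM_ID, []):
        findings.append(f"{SOCKEXT} not allowed for team {TEAM_ID}")
    rules = payloads.get("com.apple.servicemanagement", {}).get("Rules", [])
    managed = {r.get("RuleValue") for r in rules if r.get("RuleType") == "BundleIdentifier"}
    findings += [f"managed login item missing: {b}" for b in sorted(LOGIN_ITEMS - managed)]
    return findings

def sample_profile(**overrides) -> bytes:
    """Constructed sample profile (not Cisco's) carrying three of the five payloads."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        dict(EXPECTED_FILTER, PayloadType="com.apple.webcontent-filter", **overrides),
        {"PayloadType": "com.apple.system-extension-policy",
         "AllowedSystemExtensions": {TEAM_ID: [SOCKEXT]}},
        {"PayloadType": "com.apple.servicemanagement", "Rules": [
            {"RuleType": "BundleIdentifier", "RuleValue": b} for b in sorted(LOGIN_ITEMS)]}]})
```

If you keep the payloads in separate profiles, as this post does, expect the "missing" findings for whichever payloads a given file does not carry.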