Umbrella Module for Cisco Secure Client

This request is the result of Cisco announcing the end of life of the Umbrella Roaming client, which will be effective April 2, 2024. https://support.umbrella.com/hc/en-us/articles/19563700537108

All Cisco Umbrella customers will be required to move to the Cisco Secure Client with the Umbrella Module installed.
ImmyBot currently has a global deployment called "Cisco Secure Client—AnyConnect VPN,” but I cannot see an option to add additional modules.

ImmyBot also has a global software deployment for the “Cisco Umbrella Roaming Client”, which will soon be obsolete.

There is plenty of documentation provided by Cisco on how to migrate to the Secure client, however, most of it centres around using Cisco Secure X, which is not very MSP-friendly.
I have found some useful Cisco articles on deploying the secure client and modules via PowerShell and have attached them below.

My understanding of the steps required are:

  1. Download and extract the cisco-secure-client-win-predeployment package from Cisco’s website.

  2. Install the core-vpn-predeploy.msi, followed by the dart-predeploy.msi and umbrella-predeploy.msi, (all have flags to install passively).

  3. Place a JSON file containing the customer’s umbrella instance information in the following location. C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\

  4. Restart the Umbrella service.

I believe a global ImmyBot deployment of the Secure Client Plus Modules would be a great benefit to all of your customers who currently use Cisco Umbrella or Cisco AnyConnect.

Thank you in advance for your time in reviewing and considering the addition of this software to your global catalogue.

I am just now trying to figure this exact issue out. I was hoping to do it w/ Immy instead of CW Automate. I take it this means that the Immy-managed Cisco Secure Client - AnyConnect VPN software doesn’t have the Umbrella component and we can’t use that for deploying it. A ready-to-go setup for this in Immy would be great.

Please implement this!

Yes, we are evaluating other options long term but will likely need to migrate to secure client and deploy that for the time being

Does anyone have an Umbrella and/or Dart installer file they’re willing to share? @technotlemons , @TrevorDyck

We have a client that uses the Secure Client with all three modules (Secure Endpoint, AnyConnect, and Umbrella), so I’ve got a deployment set up of their client-specific Deployment Toolkit installer for now (installs silently using the /q switch), but I agree this would be a welcome addition to the library to allow it to be used globally.

Could be a good community guide - we are working on ours as well, using Noah T’s guide as a starting point

@TerryW I could potentially help with this if nobody else has reached out.

For everyone else just as a tidbit you can actually pop orginfo.json into the unzipped folder with the installers at …/profiles/umbrella before install and it should automatically move it to the correct location during install so you don’t have to restart the service(s)/device/etc.

On another note we’ve been handling this by assigning the orgid, fingerprintid, userid as a custom property in our RMM, per tenant with Umbrella, passing that info along in the script, and using PowerShell to generate the JSON file on device prior to running the installer(s).

Agreed! This would extremely helpful. I am working on ours using Noah’s guide, but I am still struggling a bit to get it to work correctly.

Thanks, this sounds great. Are you able to share the script and we can feed those IDs in our RMM custom fields too?

@DimitriRodis - Anything we can do to get some traction on this?

1 Like

I don’t have or use Umbrella in my MSP, and without accounts/software/endpoints to test, it’s difficult for me to contribute if I don’t have the need or the means to justify doing it. Much of what I do is because I did it for my MSP or because Immy sponsored me and or/provided someone to get these things done.

That’s fair enough mate. Who can we tag who might be able to help get this across?

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process;
 
cd "c:\PATH\cisco-secure*";
 
$json_info = @{
    "organizationId" = "$organizationId"
    "fingerprint" = "$fingerprint"
    "userId" = "$userId"
}
$json_info | ConvertTo-Json > profiles\umbrella\OrgInfo.json
 
$ac_fn = Get-ChildItem *vpn*.msi | Select-Object -ExpandProperty Name
msiexec /package $ac_fn /norestart /passive PRE_DEPLOY_DISABLE_VPN=1

$umbrella_fn = Get-ChildItem *umbrella*.msi | Select-Object -ExpandProperty Name
msiexec /package $umbrella_fn /norestart /passive

$dart_fn = Get-ChildItem *dart*.msi | Select-Object -ExpandProperty Name
msiexec /package $dart_fn /norestart /passive

[NOTE: This does disable the AnyConnect portion of Secure Client from appearing and only shows Umbrella]
This is what I currently have, our RMM allows you to pass the $organizationId, $fingerprint, $userId from the custom properties of the client as mentioned (I would think this is easily enough done in ImmyBot as well) . This ultimately allows us (as of right now) to get the json file created and settled in to get configured during install and just work. Our current issue is truthfully having somewhere to host the zip of msi files (as I want a seamless single process and not one process to get the zip on device and another to actually do deployment which at the end of the day I guess doesn’t matter much).

Also, can anybody confirm the situation surrounding Cisco Secure Client updating? Are we going to have to regularly push out updates when new secure client versions release? If we have to manually update it can we install over or will we have to uninstall/reinstall new?

UPDATE: I am doing some testing now. I have a deployment setup in ImmyBot where you just upload the json file and hopefully it moves it all and works correctly. I will update once I investigate if it’s working or not and put more information if that’s the case.

@TerryW I can get you an installer / json file to test with if you’re still willing to check it out.

Update:

Set-Location $InstallerFolder
Move-Item $OrgInfoJSON "$InstallerFolder\profiles\umbrella\"

$csc_fn = Get-ChildItem *vpn*.msi | Select-Object -ExpandProperty Name
msiexec /package $csc_fn /norestart /passive PRE_DEPLOY_DISABLE_VPN=1
$umbrella_fn = Get-ChildItem *umbrella*.msi | Select-Object -ExpandProperty Name
msiexec /package $umbrella_fn /norestart /passive
$dart_fn = Get-ChildItem *dart*.msi | Select-Object -ExpandProperty Name
msiexec /package $dart_fn /norestart /passive

Alright everyone. So in my incredibly limited testing today I was able to get this to work. Some further refinements would undoubtedly be helpful.

Process:
Library > Software > New

Upload a file > Attach Secure Client.zip
Installer type: zip file
Remove Installer Executable Path
Installation Script is above
Configuration Task is above

I then created a new deployment, selected ‘Cisco Secure Client’, uploaded their orginfo.json, configured for single tenant etc.

Ran on a newly onboarded machine and had success. Per my above comment I think further refinement to pretty much the entire process would improve it but nonetheless it seems to be functional.

2 Likes

@null @David_Teitsma @technotlemons Were you able to do any additional testing. I attempted to reproduce this. However, it only completes the anyconnect install and seems to skip over DART and Umbrella. I am likely doing this incorrectly.

I had to add some time in between installs. If the core VPN client does not install first the other two will not install correctly.

this has been working great you may be able to trim the sleeps down and if others have better ideas to clean this up let me know. Tips and tricks always appreciated.

Code Derived from @null and tweaked:

Set-Location $InstallerFolder

New-Item “c:\programdata\cisco\cisco secure client\umbrella” -ItemType Directory

$csc_fn = Get-ChildItem vpn.msi | Select-Object -ExpandProperty Name

msiexec /package $csc_fn /norestart /passive

Start-Sleep -Seconds 30

$umbrella_fn = Get-ChildItem umbrella.msi | Select-Object -ExpandProperty Name

msiexec /package $umbrella_fn /norestart /passive

Start-Sleep -Seconds 30

$dart_fn = Get-ChildItem dart.msi | Select-Object -ExpandProperty Name

msiexec /package $dart_fn /norestart /passive

Start-Sleep -Seconds 30

Move-Item -path $OrgInfoJSON -Destination “C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\OrgInfo.json”

1 Like

I am waiting.

In a MSP webinar Cisco said to wait till August to do anything with the changeover from the roaming client to the secure client. It sounds like they will make some major change that will alter the process for rolling it out.

1 Like