Umbrella Module for Cisco Secure Client

This request is the result of Cisco announcing the end of life of the Umbrella Roaming client, which will be effective April 2, 2024. https://support.umbrella.com/hc/en-us/articles/19563700537108

All Cisco Umbrella customers will be required to move to the Cisco Secure Client with the Umbrella Module installed.
ImmyBot currently has a global deployment called “Cisco Secure Client - AnyConnect VPN”, but I cannot see an option to add additional modules.

ImmyBot also has a global software deployment for the “Cisco Umbrella Roaming Client”, which will soon be obsolete.

There is plenty of documentation provided by Cisco on how to migrate to the Secure Client; however, most of it centres around using Cisco Secure X, which is not very MSP-friendly.
I have found some useful Cisco articles on deploying the secure client and modules via PowerShell and have attached them below.

My understanding of the steps required is:

  1. Download and extract the cisco-secure-client-win-predeployment package from Cisco’s website.

  2. Install the core-vpn-predeploy.msi, followed by the dart-predeploy.msi and umbrella-predeploy.msi (all have flags to install passively).

  3. Place a JSON file containing the customer’s Umbrella instance information in the following location: C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\

  4. Restart the Umbrella service.

I believe a global ImmyBot deployment of the Secure Client Plus Modules would be a great benefit to all of your customers who currently use Cisco Umbrella or Cisco AnyConnect.

Thank you in advance for your time in reviewing and considering the addition of this software to your global catalogue.

I am just now trying to figure this exact issue out. I was hoping to do it w/ Immy instead of CW Automate. I take it this means that the Immy-managed Cisco Secure Client - AnyConnect VPN software doesn’t have the Umbrella component and we can’t use that for deploying it. A ready-to-go setup for this in Immy would be great.

Please implement this!

Yes, we are evaluating other options long term but will likely need to migrate to Secure Client and deploy that for the time being.

Does anyone have an Umbrella and/or Dart installer file they’re willing to share? @technotlemons, @TrevorDyck

We have a client that uses the Secure Client with all three modules (Secure Endpoint, AnyConnect, and Umbrella), so I’ve got a deployment set up of their client-specific Deployment Toolkit installer for now (installs silently using the /q switch), but I agree this would be a welcome addition to the library to allow it to be used globally.

Could be a good community guide - we are working on ours as well, using Noah T’s guide as a starting point

@TerryW I could potentially help with this if nobody else has reached out.

For everyone else just as a tidbit you can actually pop orginfo.json into the unzipped folder with the installers at …/profiles/umbrella before install and it should automatically move it to the correct location during install so you don’t have to restart the service(s)/device/etc.

On another note we’ve been handling this by assigning the orgid, fingerprintid, userid as a custom property in our RMM, per tenant with Umbrella, passing that info along in the script, and using PowerShell to generate the JSON file on device prior to running the installer(s).

Agreed! This would be extremely helpful. I am working on ours using Noah’s guide, but I am still struggling a bit to get it to work correctly.

Thanks, this sounds great. Are you able to share the script and we can feed those IDs in our RMM custom fields too?

@DimitriRodis - Anything we can do to get some traction on this?

I don’t have or use Umbrella in my MSP, and without accounts/software/endpoints to test, it’s difficult for me to contribute if I don’t have the need or the means to justify doing it. Much of what I do is because I did it for my MSP or because Immy sponsored me and/or provided someone to get these things done.

That’s fair enough mate. Who can we tag who might be able to help get this across?

```powershell
# Allow script execution for this PowerShell process only
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process;

# Folder holding the extracted predeployment package
cd "c:\PATH\cisco-secure*";

# Build OrgInfo.json from the IDs passed in by the RMM
$json_info = @{
    "organizationId" = "$organizationId"
    "fingerprint" = "$fingerprint"
    "userId" = "$userId"
}
$json_info | ConvertTo-Json > profiles\umbrella\OrgInfo.json

# Core client, with the VPN module disabled
$ac_fn = Get-ChildItem *vpn*.msi | Select-Object -ExpandProperty Name
msiexec /package $ac_fn /norestart /passive PRE_DEPLOY_DISABLE_VPN=1

# Umbrella module
$umbrella_fn = Get-ChildItem *umbrella*.msi | Select-Object -ExpandProperty Name
msiexec /package $umbrella_fn /norestart /passive

# DART (Diagnostic and Reporting Tool) module
$dart_fn = Get-ChildItem *dart*.msi | Select-Object -ExpandProperty Name
msiexec /package $dart_fn /norestart /passive
```

[NOTE: This does disable the AnyConnect portion of Secure Client from appearing and only shows Umbrella]

This is what I currently have; our RMM allows you to pass the $organizationId, $fingerprint, $userId from the custom properties of the client as mentioned (I would think this is easily enough done in ImmyBot as well). This ultimately allows us (as of right now) to get the json file created and settled in to get configured during install and just work. Our current issue is truthfully having somewhere to host the zip of msi files (as I want a seamless single process and not one process to get the zip on device and another to actually do deployment which at the end of the day I guess doesn’t matter much).

Also, can anybody confirm the situation surrounding Cisco Secure Client updating? Are we going to have to regularly push out updates when new secure client versions release? If we have to manually update it can we install over or will we have to uninstall/reinstall new?

UPDATE: I am doing some testing now. I have a deployment setup in ImmyBot where you just upload the json file and hopefully it moves it all and works correctly. I will update once I investigate if it’s working or not and put more information if that’s the case.

@TerryW I can get you an installer / json file to test with if you’re still willing to check it out.

Update:

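```powershell
# Work from the extracted installer folder and drop the uploaded
# OrgInfo.json into the package's Umbrella profile folder before install
Set-Location $InstallerFolder
Move-Item $OrgInfoJSON "$InstallerFolder\profiles\umbrella\"

# Core client, with the VPN module disabled
$csc_fn = Get-ChildItem *vpn*.msi | Select-Object -ExpandProperty Name
msiexec /package $csc_fn /norestart /passive PRE_DEPLOY_DISABLE_VPN=1
# Umbrella module
$umbrella_fn = Get-ChildItem *umbrella*.msi | Select-Object -ExpandProperty Name
msiexec /package $umbrella_fn /norestart /passive
# DART (Diagnostic and Reporting Tool) module
$dart_fn = Get-ChildItem *dart*.msi | Select-Object -ExpandProperty Name
msiexec /package $dart_fn /norestart /passive
```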

Alright everyone. So in my incredibly limited testing today I was able to get this to work. Some further refinements would undoubtedly be helpful.

Process:
Library > Software > New

Upload a file > Attach Secure Client.zip
Installer type: zip file
Remove Installer Executable Path
Installation Script is above
Configuration Task is above

I then created a new deployment, selected ‘Cisco Secure Client’, uploaded their orginfo.json, configured for single tenant etc.

Ran on a newly onboarded machine and had success. Per my above comment I think further refinement to pretty much the entire process would improve it but nonetheless it seems to be functional.
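
The install sequence from the scripts above, as an added example that is not part of the original posts or ImmyBot's own code: it checks each MSI's Authenticode signature before running it (relevant when the zip is self-hosted), waits for each installer to finish and fails on an unexpected msiexec exit code. The parameter names are hypothetical, and the publisher string matched in the signer certificate is an assumption to confirm against a package downloaded directly from Cisco.

```powershell
# Added example. Assumes $InstallerFolder is the extracted predeployment package
# and the three IDs arrive as RMM/ImmyBot parameters (names are hypothetical).
param(
    [Parameter(Mandatory)][string]$InstallerFolder,
    [Parameter(Mandatory)][string]$OrganizationId,
    [Parameter(Mandatory)][string]$Fingerprint,
    [Parameter(Mandatory)][string]$UserId
)
$ErrorActionPreference = 'Stop'

# Write OrgInfo.json into profiles\umbrella so the installer places it (per the thread).
$profileDir = Join-Path $InstallerFolder 'profiles\umbrella'
New-Item -ItemType Directory -Path $profileDir -Force | Out-Null
$json = [ordered]@{
    organizationId = $OrganizationId
    fingerprint    = $Fingerprint
    userId         = $UserId
} | ConvertTo-Json
# Explicit UTF-8 without BOM; '>' in Windows PowerShell 5.1 writes UTF-16 instead.
$utf8NoBom = New-Object System.Text.UTF8Encoding($false)
[System.IO.File]::WriteAllText((Join-Path $profileDir 'OrgInfo.json'), $json, $utf8NoBom)

# Same order as the thread: core client, Umbrella, DART.
foreach ($pattern in '*vpn*.msi', '*umbrella*.msi', '*dart*.msi') {
    $msi = Get-ChildItem -Path $InstallerFolder -Filter $pattern | Select-Object -First 1
    if (-not $msi) { throw "No installer matching $pattern in $InstallerFolder" }

    # Refuse unsigned, tampered or unexpectedly signed packages.
    # Assumption: the signer subject contains 'Cisco Systems, Inc'.
    $sig = Get-AuthenticodeSignature -FilePath $msi.FullName
    if ($sig.Status -ne 'Valid' -or
        $sig.SignerCertificate.Subject -notlike '*Cisco Systems, Inc*') {
        throw "Signature check failed for $($msi.Name): $($sig.Status)"
    }

    $msiArgs = @('/package', "`"$($msi.FullName)`"", '/norestart', '/passive')
    if ($pattern -eq '*vpn*.msi') { $msiArgs += 'PRE_DEPLOY_DISABLE_VPN=1' }

    # -Wait serialises the installs; 0 = success, 3010 = success, reboot required.
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    if ($proc.ExitCode -notin 0, 3010) {
        throw "$($msi.Name) failed with msiexec exit code $($proc.ExitCode)"
    }
}
```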