After my colleague and I spent more time than we wanted trying to get this deployed in our environment, we finally managed to deploy Cisco Secure Client to our macOS devices. We searched the web extensively to find a useful article on how to deploy this, but it was quite challenging. So, I figured we should create a quick guide on deploying this with what worked for us, and I hope it works for you too!
Why is Cisco Secure Client harder to deploy than other applications?
It has complex configurations and code signing requirements, and it needs additional configuration from an IT admin.
Requirements
Intune Administrator role
Access to Cisco to download the package
Step by Step Guide:
Go to https://cisco.com > Support > Products and Downloads and, under Downloads, select Secure Client 5.
Scroll down to the Software Download page and download the following package:

After downloading the cisco-secure-client-macos-5.X.X-webdeploy-k9.pkg from the Cisco website, use 7-Zip or any other extraction tool of your choice to extract the installer package.

Go back to your Downloads path and you should see a folder named cisco-secure-client-macos-5.1.6.103-webdeploy-k9.

Click on the cisco-secure-client-macos-5.1.6.103-webdeploy-k9 folder and select binaries to view the DMG for each application.

In our case, since we only want to use Cisco Secure Client, we are going to select cisco-secure-client-macos-5.1.6.103-core-vpn-webdeploy-k9.dmg

Click on Cisco Secure Client – AnyConnect VPN 5.1.6.103

Select and right-click cisco-secure-client-macos-5.1.6.103-core-vpn-webdeploy-k9.pkg and copy it to your Downloads folder so we can use the pkg file later to add it to our Intune app catalog.


Verify that you have the pkg file in your Downloads folder. We do, so let us head over to Intune to set up our macOS settings, so the user does not have to prepare anything to get this application working properly.
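The profiles in this guide trust anything signed under Team Identifier DE8Y96K9QP, so before uploading the PKG it is worth confirming on a Mac that the file you extracted really carries that signer. The script below is an added example, not part of the original guide or Cisco's documentation; it checks the output of pkgutil --check-signature, the two sample outputs are constructed, and the script name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: confirm the extracted PKG is signed by the Team ID that the
# Intune profiles allow-list, before the PKG is uploaded.
EXPECTED_TEAM_ID="DE8Y96K9QP"   # Team Identifier used in the profiles in this guide

# Constructed samples of `pkgutil --check-signature` output (not from a real run).
SAMPLE_SIGNED='Package "example.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Certificate Chain:
    1. Developer ID Installer: Example Vendor (DE8Y96K9QP)
    2. Developer ID Certification Authority
    3. Apple Root CA'
SAMPLE_UNSIGNED='Package "example.pkg":
   Status: no signature'

# Print the Team ID of the leaf "Developer ID Installer" certificate (stdin).
leaf_team_id() {
    sed -n 's/^ *1\. Developer ID Installer: .*(\([A-Z0-9]\{10\}\)) *$/\1/p' | head -n 1
}

# Return 0 only if the pkgutil output on stdin shows a Developer ID signature
# whose leaf certificate belongs to the expected Team ID.
signature_matches() {
    expected="$1"
    output=$(cat)
    case "$output" in
        *"Status: signed by a developer certificate issued by Apple"*) ;;
        *) return 1 ;;   # unsigned, expired, or untrusted signer
    esac
    [ "$(printf '%s\n' "$output" | leaf_team_id)" = "$expected" ]
}

# Usage on a Mac: sh check_pkg.sh /path/to/core-vpn.pkg
if [ "$#" -eq 1 ]; then
    if pkgutil --check-signature "$1" | signature_matches "$EXPECTED_TEAM_ID"; then
        echo "OK: $1 is signed by Team ID $EXPECTED_TEAM_ID"
    else
        echo "FAIL: $1 is unsigned or signed by a different Team ID" >&2
        exit 1
    fi
fi
```

A failing check means the file should not be uploaded to Intune; download the package from Cisco again and repeat the extraction.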

I used this guide to help me set up the configurations inside of Microsoft Intune.
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/Cisco-Secure-Client-5/admin/guide/b-cisco-secure-client-admin-guide-5-1/
Go to Microsoft Intune, where we are going to approve the System Extension.
Go to Microsoft Intune > Devices > Configurations > +Create > New Policy > Platform: macOS > Profile type: Settings Catalog > Name: Cisco-SystemExtensions > +Settings > go to the System Configuration category > System Extensions > select Allowed System Extension Types & Allowed System Extensions
Allowed System Extension Types
Team Identifier: DE8Y96K9QP
Allowed System Extensions: NetworkExtension
Allowed System Extensions
Team Identifier: DE8Y96K9QP
Allowed System Extensions: com.cisco.anyconnect.macos.acsockext


Approve the Managed Login Items using Intune
Let’s create another Configuration Profile; I’ll name mine Cisco – ManagedLoginItems.
Go to Microsoft Intune > Devices > Configurations > +Create > New Policy > Platform: macOS > Profile type: Settings Catalog > Name: Cisco-ManagedLoginItems > +Add Settings > scroll down and find Login > select Service Management – Managed Login Items > select Rules
Comment: Cisco Secure Client
Rule Type: Team Identifier
Rule Value: DE8Y96K9QP

Review + Save and deploy to your desired group.
Finally, we are going to have to create a custom configuration profile to load both the Cisco Secure Client system and kernel extensions, along with the system extensions filter component.
Grab the XML file from this site where it says Sample MDM Configuration Profile for Cisco Secure Client System and Kernel Extension Approval and save it as SecureClient.mobileconfig. It should look something like this:

Go to Microsoft Intune > Devices > Configuration > +New Policy > Platform: macOS | Profile Type: Templates > select Template name: Custom > Name: Cisco WebContentFilter > give the custom configuration profile a name and upload the configuration profile file; in our case it was the secureclient.mobileconfig

Review + Save and deploy to your desired users.
Now that we have all that squared away, let’s deploy this app once and for all.
Go to Microsoft Intune > Apps > macOS > +Add > macOS app (PKG) > grab the core VPN .pkg file that we downloaded earlier to our Downloads folder and upload it on the App Information page.
On the Detection rules page, we noticed that if we set Ignore app version to No, it will update already existing app versions to the one we are deploying. For example, if you have 5.1.5 in your environment and you deploy this app, it will update to 5.1.6.103.

Now deploy and assign to your desired group. In my case, I went ahead and required this application for a group called macOS Cisco Secure Client.
End User Experience:
If the deployment is successful on your end, you should be able to see the Cisco folder under Applications in Finder, and once you click into it you can see Cisco Secure Client.

Now let’s click and fire it up! We can see the Cisco Secure Client displayed correctly and now I’ll go ahead and add our information to double check the setup is working properly.

Just like that we are now connected and in business!
