Customize Windows Installation of Cisco Secure Client

As an administrator of a user device, you can customize the installation of the Cisco Secure Client (formerly AnyConnect) with various modules and features on Windows. The Cisco Secure Client deployment packages support several MSI properties that you can change during installation, including lockdown and disabling the display of the VPN module in the client's graphical user interface (GUI). Lockdown prevents the service from being disabled manually.

This guide describes how to deploy the Cisco Secure Client with the VPN, Umbrella (Roaming Security that includes both the DNS-layer security and Web security), and DART (diagnostics) modules. By default, the Cisco Secure Client deploys with the VPN module.


Requirements

  • Windows 8.1 or newer
    • The Umbrella (Roaming Security) module requires the .NET framework 4.6.2 or newer
  • Windows 10 or 11 on ARM-64
  • Cisco Secure Client 5.1 or newer
  • Administrative privileges on the Windows device

Prerequisites

Procedure

You can deploy the Cisco Secure Client for Windows with several options including:

  • Hide the VPN module in the Cisco Secure Client GUI.
  • Hide the Cisco Secure Client installation from the Add/Remove Windows Programs list.
  • Enable Lockdown.

Deploy the Cisco Secure Client VPN Module

  1. Run the Windows installer to deploy the Cisco Secure Client VPN package with the MSI property PRE_DEPLOY_DISABLE_VPN=1. This option hides the VPN module in the client's GUI. The VPN module is not disabled.

Note: If the VPN module is hidden in the client GUI, you can manage the VPN module through the Cisco Secure Client's CLI.

The following command disables the VPN functionality by copying the VPNDisable_ServiceProfile.xml file embedded in the MSI to the directory specified for profiles for VPN functionality.

For example:

msiexec /package cisco-secure-client-win-<version>-core-vpn-predeploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* c:\output.log

Deploy the Cisco Secure Client Umbrella Roaming Security Module

  1. Run the Windows installer to deploy the Cisco Secure Client Umbrella Roaming Security module.
msiexec /package cisco-secure-client-win-<version>-umbrella-predeploy-k9.msi /norestart /passive /lvx* c:\output.log

To enable lockdown, add LOCKDOWN=1 in the command-line installer.

msiexec /package cisco-secure-client-win-<version>-umbrella-predeploy-k9.msi /passive LOCKDOWN=1 /lvx* c:\output.log

(Optional) Deploy the Cisco Secure Client DART Module

  1. Run the Windows installer to deploy the Cisco Secure Client DART (diagnostics and troubleshooting) package.
msiexec /package cisco-secure-client-win-<version>-dart-predeploy-k9.msi /norestart /passive /lvx* c:\dart.log

Hide Cisco Secure Client from Add/Remove Programs List

You can hide the installed Cisco Secure Client modules from users that have permissions to view the Windows Add/Remove Programs list.

  1. Run the Windows installer for a Cisco Secure Client module package using ARPSYSTEMCOMPONENT=1.
    You can apply this option to all modules at the time of deployment.

For example:

msiexec /package cisco-secure-client-win-<version>-umbrella-predeploy-k9.msi /passive ARPSYSTEMCOMPONENT=1 /lvx* c:\output.log
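
The msiexec commands in this guide wrapped in a PowerShell function, as an added example that is not Cisco's own script: it passes the chosen MSI properties, fails on installer exit codes other than 0 or 3010, and then lists how each module is registered under the Uninstall registry key. The function names, the C:\pkg path and the "Cisco Secure Client*" display-name filter are assumptions.

```powershell
# Added example: deploy one predeploy MSI with the properties from this guide,
# then confirm how it is registered. Run from an elevated PowerShell session.
function Install-SecureClientModule {
    param(
        [Parameter(Mandatory)] [string] $MsiPath,   # core-vpn, umbrella or dart predeploy MSI
        [hashtable] $Properties = @{},              # e.g. @{ LOCKDOWN = 1; ARPSYSTEMCOMPONENT = 1 }
        [string]    $LogPath = 'C:\output.log'
    )
    if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found: $MsiPath" }

    # Same switches as the commands above; paths are quoted in case they contain spaces.
    $msiArgs = @('/package', "`"$MsiPath`"", '/norestart', '/passive')
    foreach ($name in $Properties.Keys) { $msiArgs += "$name=$($Properties[$name])" }
    $msiArgs += @('/lvx*', "`"$LogPath`"")

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success but a reboot is required (standard Windows Installer codes).
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec exited with $($proc.ExitCode); see $LogPath"
    }
    $proc.ExitCode
}

function Get-SecureClientArpEntry {
    # ARPSYSTEMCOMPONENT=1 is recorded as SystemComponent=1 under the product's Uninstall key,
    # so hidden modules stay visible to inventory and audit tooling that reads the registry.
    # Assumption: the modules' DisplayName values start with "Cisco Secure Client".
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Cisco Secure Client*' } |
        Select-Object DisplayName, DisplayVersion,
            @{ Name = 'HiddenFromArp'; Expression = { $_.SystemComponent -eq 1 } }
}

# Usage (placeholder path; substitute the package you downloaded):
# Install-SecureClientModule `
#     -MsiPath 'C:\pkg\cisco-secure-client-win-<version>-umbrella-predeploy-k9.msi' `
#     -Properties @{ LOCKDOWN = 1; ARPSYSTEMCOMPONENT = 1 }
# Get-SecureClientArpEntry | Format-Table -AutoSize
```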

Optional OrgInfo.json Configurations

Note: After you deploy the Cisco Secure Client with the Umbrella Roaming Security module, you can update the OrgInfo.json file on the device. Only modify the internet security profile located at %ProgramData%\Cisco\Cisco Secure Client\Umbrella\data\OrgInfo.json. The deployed Cisco Secure Client Umbrella Roaming Security module does not read the properties from the %ProgramData%\Cisco\Cisco Secure Client\Umbrella\OrgInfo.json file on the device. For more information, see Download the OrgInfo.json File.

When deploying the Umbrella (Roaming Security) module on the Cisco Secure Client, you can add and configure various parameters in the Umbrella OrgInfo.json file. These parameters, unlike LOCKDOWN, are applied to the OrgInfo.json profile directly rather than at the time of installation with an msiexec parameter. The following parameters do not apply if passed at install time.

| Parameter | Values | Description |
|---|---|---|
| noAutoSuffix | 0 - Add the domains (default); 1 - Do not add domains | Does not add domains contained in the DNS Suffixes settings in network adapters and networking properties to your organization's Internal Domains list. This feature exists so that the Umbrella module is more aware of local resources and domains on foreign networks. |
| customUSResolvers | ["208.67.221.76", "208.67.223.76"] - Sets primary and secondary US-based Anycast addresses | Enables special DNS resolver Anycast addresses that limit DNS queries to only US-based Secure Access servers. Does not affect block pages or proxy. |
| noNXDOMAIN | 0 - Do re-query (default); 1 - Do not re-query | Automatically re-query public NXDOMAINS at the local resolvers. This feature allows roaming users to resolve internal domains on networks beyond their own without interruption or internal domains list management. Note: DNS search suffixes are sent to local resolvers, unless this functionality is disabled. |
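
A read-only check of the optional parameters above, as an added example that is not part of Cisco's documentation: it reports what the active profile under data\ contains and flags a parameter that was set only in the Umbrella\OrgInfo.json copy, which the deployed module does not read. The function name and output columns are assumptions; the paths and parameter names are the ones given on this page.

```powershell
# Added example: audit the optional OrgInfo.json parameters on a device.
function Get-UmbrellaOptionalSetting {
    param(
        # Override to point at a copy of the folder when testing off-device.
        [string] $UmbrellaDir = (Join-Path $env:ProgramData 'Cisco\Cisco Secure Client\Umbrella')
    )
    $active = Join-Path $UmbrellaDir 'data\OrgInfo.json'   # profile the module reads
    $unread = Join-Path $UmbrellaDir 'OrgInfo.json'        # not read after deployment
    $names  = 'noAutoSuffix', 'customUSResolvers', 'noNXDOMAIN'

    if (-not (Test-Path -LiteralPath $active)) { throw "Active profile not found: $active" }
    $cfg = Get-Content -LiteralPath $active -Raw | ConvertFrom-Json

    $stale = $null
    if (Test-Path -LiteralPath $unread) {
        $stale = Get-Content -LiteralPath $unread -Raw | ConvertFrom-Json
    }

    foreach ($name in $names) {
        $a = $cfg.PSObject.Properties[$name]
        $s = if ($stale) { $stale.PSObject.Properties[$name] }
        [pscustomobject]@{
            Parameter       = $name
            # -join renders both scalar values and the resolver array as one string.
            ActiveValue     = if ($a) { $a.Value -join ', ' } else { '(not set)' }
            # True when the parameter exists only in the file the module ignores.
            OnlyInUnreadFile = [bool]($s -and -not $a)
        }
    }
}

# Usage:
# Get-UmbrellaOptionalSetting | Format-Table -AutoSize
```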
