Guides
Secure Access Help Center

Manage Secure Client Scripts

Secure Access supports the upload and management of platform-specific Secure Client scripts that are used to automate the connection process, such as connecting to or disconnecting from a VPN. This functionality can be used for tasks such as configuring network settings, mounting network drives, or enforcing security policies.

Several types of files make up the Cisco Secure Client deployment:

  • AnyConnect VPN, which is included in the Cisco Secure Client package.
  • Modules that support extra features, which are included in the Cisco Secure Client package.
  • Client profiles that configure Cisco Secure Client and the extra features, which you create.
  • Language files, images, scripts, and help files, if you wish to customize or localize your deployment.
  • ISE posture and the compliance module (OPSWAT).

For complete information on how to write and deploy scripts for Cisco Secure Client, see the Customize and Localize Cisco Secure Client and Installer chapter of the Cisco Secure Client (including AnyConnect) Administrator Guide.

Table of Contents

Guidelines and Limitations

There are some guidelines and platform limitations of which you should be aware when deploying scripts for Cisco Secure Client.

  • Platform Support — The scripting feature is available across multiple platforms, including Windows, macOS, and Linux-64. Be aware that Secure Client scripting is not compatible with macOS devices with Apple silicon chips, such as the M1 and M2. Only macOS devices with Intel chips are compatible.
  • Trigger Events — Scripts can be set to run during events like VPN connection or disconnection.
  • Customization — Administrators can create custom scripts tailored to their organization's specific requirements.
  • Security — It is crucial to ensure scripts are secure and have the proper permissions to prevent misuse or security vulnerabilities.
  • Global deployment — This feature is available on a global level for the entire organization, in all regions.
    For more detailed instructions about this feature and configuration, see Configure Secure Client Scripts.

Prerequisites

Enable Secure Client Scripts

You enable the Secure Client scripts feature in the VPN profile, under the Cisco Secure Client settings.

  1. Navigate to Connect > End User Connectivity > Virtual Private Network.

  2. Under VPN Profiles, choose a profile to edit.

  3. Click Cisco Secure Client Configuration in the left panel.

  4. Under Client Settings, check Enable Secure Client Scripts.

    1. Optionally, check Terminate Script on Next Event to enables Secure Client to terminate a running script process if a transition to another scriptable event occurs. For example, the client terminates a running On Connect script if the VPN session ends and terminates a running On Disconnect script if Cisco Secure Client starts a new VPN session. On Microsoft Windows, the client also terminates any scripts that the On Connect or On Disconnect script launched, and all their script descendants. On macOS and Linux, the client terminates only the On Connect or On Disconnect script; it does not terminate child scripts.
    2. Enable Post SBL on Connect Script, enabled by default, lets the client launch the On Connect script (if present) if SBL (Start Before Login) establishes the VPN session. The On Connect script is not launched from the SBL GUI but may be launched from the second GUI after login, depending on the PostSBLScriptingBehavior preference; on Windows, it can mimic logon scripts, so administrators might suppress it in SBL mode to avoid redundancy. For more information, see About Start Before Login

Upload Secure Client Scripts

This topic describes how to upload and manage the scripts that will run when Secure Client scripting is enabled.

  1. Navigate to Connect > End User Connectivity > Virtual Private Network.

  2. In the VPN Profiles page, click Settings and choose Secure Client Scripts from the Settings drop-down.

  3. Click Upload Scripts.

  4. Under Operating Systems, select the operating systems on which these uploaded Secure Client scripts files will run. Supported options are:

    • Windows
    • macOS (Only macOS devices with Intel chips are compatible)
    • Linux-64

    Note: You can select any or all options.

  5. Under Script Files, upload your Secure Client script files for the selected operating systems.

    1. For a selected operating system, Windows for example, expand the applicable operating system pane and click Upload Scripts.

    2. In the Upload Script Files modal, you can drag and drop files there, or you can click to browse to a file location to select it.

    3. Optionally, you can designate a script as a primary file to run when On Connect or On Disconnect events occur. A primary script runs for a selected action and operating system. A primary script can be written to invoke more scripts.

      1. Check Use the same script file for On Connect and On Disconnect events to simplify script selection.

      2. Alternately, select a script for On Connect Script File and/or On Disconnect Script File.

    4. For multiple operating systems:

      1. Select the operating systems on which scripts will run, then expand each operating system to upload scripts for that OS.

      2. To use scripts that support multiple operating systems, check Use files supported by multiple operating systems, expand the multiple operating systems pane, and click Upload Scripts.

      3. In the Upload Script Files modal, you can drag and drop files there, or you can click to browse to a file location to select it.

    5. Click Continue to upload the scripts.

  6. Click Save when you are finished to return to the listing page.

Manage Custom Attributes <Manage Secure Client Scripts > Traffic Steering for Zero Trust Access Client-Based Connections

Updated 10 days ago