Modify AnyConnect Installation Behavior
Disable Customer Experience Feedback
The Customer Experience Feedback module is enabled by default. This module provides Cisco with anonymous information about what features and modules customers have enabled and are using. This information gives us insight into the user experience so that Cisco can continue to improve quality, reliability, performance, and user experience.
To manually disable the Customer Experience Feedback module, create a CustomerExperience_Feedback.xml file using the standalone profile editor. You must stop the AnyConnect service, name the file CustomerExperience_Feedback.xml, and put it in the C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\CustomerExperienceFeedback\ directory. When the file is created with the disable flag set, you can manually deploy this to AnyConnect. To check the results, open the AnyConnect About menu and verify that the Customer Experience Feedback module is not listed in the Installed Module section.
You can disable the Customer Experience Feedback module using:
- A Customer Experience Feedback module client profile—Uncheck Enable Customer Experience Feedback Service, and distribute the profile.
- An MST file—Extract anyconnect-win-disable-customer-experience-feedback.mst from anyconnect-vpn-transforms-X.X.xxxxx.zip.
Modify Installation Behavior, Windows
Note: AnyConnect does not support Windows Installer ADVERTISE mode.
- Command-Line Parameters—One or more properties are passed as parameters on the command-line installer, msiexec. This method is for predeployment; it is not supported by web deployment.
- Installer Transform—You can modify the installer property table with a transform. Several tools are available to create transforms; one common tool is Microsoft Orca. The Orca tool is part of the Microsoft Windows Installer Software Development Kit (SDK), which is included in the Microsoft Windows SDK. To get the Windows SDK, browse to http://msdn.microsoft.com, and search for the SDK for your version of Windows.
Transforms can be used for predeploy only. (Only Cisco signed transforms will work for web deploy when the downloader invokes the installer.) You can apply your own transforms through the out-of-band methods, but the details are outside the scope of this guide.
Limitations
The AnyConnect uninstall prompt is not customizable.
Windows Installer Properties That Customize Client Installations
The following Windows installer properties customize AnyConnect installations. Bear in mind that there are many other Windows installer properties supported by Microsoft that you can use.
- Resetting the System MTU—When the VPN installer property (RESET_ADAPTER_MTU) is set to 1, the installer resets all Windows network adapter MTU settings to their default value. The system must be rebooted for the changes to take effect.
- Setting Windows Lockdown—Cisco recommends that end users be given limited rights to the AnyConnect Secure Mobility Client on their device. If an end user warrants additional rights, installers can provide a lockdown capability that prevents users and local administrators from switching off or stopping the AnyConnect services. You can also stop the services from the command prompt with the service password.
  The MSI installers for VPN, Network Access Manager, Network Visibility Module, and Umbrella Roaming Security Module support a common property (LOCKDOWN). When LOCKDOWN is set to a non-zero value, Windows service(s) associated with that installer cannot be controlled by users or local administrators on the endpoint device. We recommend using the sample transform that we provide to set this property, and apply the transform to each MSI installer that you want to have locked down. You can download the sample transforms from the AnyConnect Secure Mobility Client software download page.
  If you deploy the core client plus one or more optional modules, you must apply the LOCKDOWN property to each of the installers. This operation is one way only and cannot be removed unless you re-install the product.
  Note: The AMP Enabler installer is coupled with the VPN installer.
- Turning on ActiveX Control—Previous versions of the AnyConnect predeploy VPN package installed the VPN WebLaunch ActiveX control by default. Installation of the VPN ActiveX control is now turned off by default for the most secure configuration.
  When predeploying AnyConnect client and optional modules, if you require the VPN ActiveX control to be installed with AnyConnect, you must use the NOINSTALLACTIVEX=0 option with msiexec or a transform.
- Hiding AnyConnect from the Add/Remove Program List—You can hide the installed AnyConnect modules from a user's Add/Remove Programs list in the Windows Control Panel. Passing ARPSYSTEMCOMPONENT=1 to the installer prevents that module from appearing in the list of installed programs.
  We recommend that you use the sample transform we provide to set this property, applying the transform to each MSI installer for each module that you want to hide. You can download the sample transforms from the AnyConnect software download page.
Windows Installer Properties for AnyConnect Modules
The following table provides examples of MSI install command-line calls and the locations to deploy profiles.
Module Installed | Command and Log File |
---|---|
AnyConnect without VPN capability (use only when installing standalone modules) | msiexec /package anyconnect-win-version-predeploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* anyconnect-win-version-predeploy-k9-install-datetimestamp.log |
AnyConnect with VPN capability (use for all cases except when installing standalone modules) | msiexec /package anyconnect-win-version-predeploy-k9.msi /norestart /passive /lvx* anyconnect-win-version-predeploy-k9-install-datetimestamp.log |
Customer Experience Feedback | msiexec /package anyconnect-win-version-predeploy-k9.msi /norestart /passive DISABLE_CUSTOMER_EXPERIENCE_FEEDBACK=1 /lvx* anyconnect-win-version-predeploy-k9-install-datetimestamp.log |
Diagnostic and Reporting Tool (DART) | msiexec /package anyconnect-win-version-dart-predeploy-k9.msi /norestart /passive /lvx* anyconnect-win-version-dart-predeploy-k9-install-datetimestamp.log |
SBL | msiexec /package anyconnect-win-version-gina-predeploy-k9.msi /norestart /passive /lvx* anyconnect-win-version-gina-predeploy-k9-install-datetimestamp.log |
Network Access Manager | msiexec /package anyconnect-win-version-nam-predeploy-k9.msi /norestart /passive /lvx* anyconnect-win-version-nam-predeploy-k9-install-datetimestamp.log |
VPN Posture | msiexec /package anyconnect-win-version-posture-predeploy-k9.msi /norestart /passive /lvx* anyconnect-win-version-posture-predeploy-k9-install-datetimestamp.log |
ISE Posture | msiexec /package anyconnect-win-version-iseposture-predeploy-k9.msi /norestart /passive /lvx* anyconnect-win-version-iseposture-predeploy-k9-install-datetimestamp.log |
AMP | msiexec /package anyconnect-win-version-amp-predeploy-k9.msi /norestart /passive /lvx* anyconnect-win-version-amp-predeploy-k9-install-datetimestamp.log |
Network Visibility Module | msiexec /package anyconnect-win-version-nvm-predeploy-k9.msi /norestart /passive /lvx* anyconnect-win-version-nvm-predeploy-k9-install-datetimestamp.log |
Umbrella Roaming Security Module | msiexec /package anyconnect-win-version-umbrella-predeploy-k9.msi /norestart /passive /lvx* anyconnect-win-version-predeploy-k9-install-datetimestamp.log |
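The commands in the table above combined into one predeploy script, as an added example that is not part of Cisco's guide. It installs the core client before the optional modules, applies LOCKDOWN only to installers the guide lists as supporting it, and treats msiexec exit code 3010 as success with a pending reboot. The version string, staging folder, module selection and the Authenticode check before each install are assumptions of this example.

```powershell
# Added example, not Cisco's script. Version and staging folder are placeholders.
param(
    [string]$Version   = 'X.X.xxxxx',             # placeholder: match your MSI file names
    [string]$SourceDir = 'C:\Deploy\AnyConnect',  # hypothetical staging folder
    [switch]$Lockdown,                            # one-way: undoing it requires a reinstall
    [switch]$HideFromArp                          # adds ARPSYSTEMCOMPONENT=1
)

# Core client first, then optional modules. Per the guide, LOCKDOWN is supported by the
# VPN, Network Access Manager, Network Visibility Module and Umbrella installers.
$modules = @(
    @{ Id = '';     Lockable = $true  }    # core VPN client
    @{ Id = 'nam';  Lockable = $true  }
    @{ Id = 'nvm';  Lockable = $true  }
    @{ Id = 'dart'; Lockable = $false }
)

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$reboot = $false
foreach ($m in $modules) {
    $infix = if ($m.Id) { "-$($m.Id)" } else { '' }
    $base  = "anyconnect-win-${Version}${infix}-predeploy-k9"
    $msi   = Join-Path $SourceDir "${base}.msi"
    $log   = Join-Path $SourceDir "${base}-install-${stamp}.log"

    # Refuse to install a package whose Authenticode signature does not verify.
    $sig = Get-AuthenticodeSignature -FilePath $msi
    if ($sig.Status -ne 'Valid') { throw "Signature check failed for ${msi}: $($sig.Status)" }

    # Paths are quoted because Start-Process joins the argument list with spaces.
    $msiArgs = @('/package', "`"$msi`"", '/norestart', '/passive')
    if (-not $m.Id)                 { $msiArgs += 'DISABLE_CUSTOMER_EXPERIENCE_FEEDBACK=1' }
    if ($Lockdown -and $m.Lockable) { $msiArgs += 'LOCKDOWN=1' }
    if ($HideFromArp)               { $msiArgs += 'ARPSYSTEMCOMPONENT=1' }
    $msiArgs += '/lvx*', "`"$log`""

    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    switch ($p.ExitCode) {
        0       { Write-Host "Installed $base" }
        3010    { Write-Host "Installed $base (reboot required)"; $reboot = $true }
        default { throw "msiexec exit code $($p.ExitCode) for ${base}; see $log" }
    }
}
if ($reboot) { Write-Warning 'Reboot required to complete installation.' }
```

Run it from an elevated prompt; because LOCKDOWN cannot be undone without a reinstall, the script applies it only when `-Lockdown` is passed explicitly.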
Import a Customized Installer Transform to the Secure Firewall Adaptive Security Appliance
Importing a Cisco provided Windows transform to the Secure Firewall ASA allows you to use it for web deployment.
Procedure
Step 1: In ASDM go to .
Step 2: Click Import. The Import AnyConnect Customization Objects window displays.
Step 3: Enter the name of the file to import. The name of the transform file determines to which module the installer transform file applies. You can apply transforms globally or per module with the following syntax:
Step 4: Select a platform and specify the file to import. Click Import Now. The file now appears in the table of installer transforms.
Localize the AnyConnect Installer Screens
You can translate the messages displayed by the AnyConnect installer. The Secure Firewall ASA uses a transform to translate the messages displayed by the installer. The transform alters the installation but leaves the original security-signed MSI intact. These transforms only translate the installer screens and do not translate the client GUI screens.
Note: Every release of AnyConnect includes a localized transform that administrators can upload to the Secure Firewall ASA whenever they upload AnyConnect packages with new software. If you are using our localization transforms, make sure to update them with the latest release from cisco.com whenever you upload a new AnyConnect package.
We currently offer transforms for 30 languages. These transforms are available in the following .zip file on the AnyConnect software download page at cisco.com:
anyconnect-win-<VERSION>-webdeploy-k9-lang.zip
In this file name, <VERSION> is the version of the AnyConnect release.
The archive contains the transforms (.mst files) for the available translations. If you need to provide a language to remote users that is not one of the 30 languages we provide, you can create your own transform and import it to the Secure Firewall ASA as a new language. With Orca, the database editor from Microsoft, you can modify existing installations and new files. Orca is part of the Microsoft Windows Installer Software Development Kit (SDK) which is included in the Microsoft Windows SDK.
Import a Localized Installer Transform to the Secure Firewall ASA
The following procedure shows how to import a transform to the Secure Firewall ASA using ASDM.
Procedure
Step 1: In ASDM go to .
Step 2: Click Import. The Import MST Language Localization window opens.
Step 3: Click the Language drop-down list to choose a language (and the industry-recognized abbreviation) for this transform. If you enter the abbreviation manually, be sure to use an abbreviation recognized by browsers and operating systems.
Step 4: Click Import Now.
Step 5: Click Apply to save your changes.
In this procedure we specified the language as Spanish (es). The following illustration shows the new transform for Spanish in the list of Languages for AnyConnect.
Modify Installation Behavior, macOS
The AnyConnect installer cannot be localized. The strings used by the installer come from the macOS installer application, not the AnyConnect installer.
Note: You cannot manipulate the optional module selection that is seen by the user in the installer UI. Changing the default optional module selection in the installer UI requires editing of the installer, which would then invalidate the signature.
Customize Installer Behavior on macOS with ACTransforms.xml
No standard way to customize .pkg behavior is provided for macOS, so we created ACTransforms.xml. When this XML file is positioned with the installer, the installer reads this file before running the installation. You must place the file in a specific location relative to the installer. The installer searches in this order to see if a modification is found:
- In a “Profile” directory in the same directory as the .pkg installer file.
- In a “Profile” directory in the root of a mounted disk image volume.
The XML file has this format:
<ACTransforms>
<PropertyName1>Value</PropertyName1>
<PropertyName2>Value</PropertyName2>
</ACTransforms>
For example, the macOS ACTransforms.xml property DisableVPN creates a “stand-alone” deployment of Network Visibility Module. ACTransforms.xml is in the Profiles directory in the DMG file.
Disable the Customer Experience Feedback Module
The Customer Experience Feedback module is enabled by default. To switch this feature off on macOS:
Procedure
Step 1: Convert the dmg package from read-only to read-write using Disk Utility or hdiutil. For example:
Step 2: Edit ACTransforms.xml, and set or add the following value, if it is not already set.
Modify Installation Behavior, Linux
Customizing Installer Behavior on Linux with ACTransforms.xml
- In a “Profile” directory in the same directory as the .pkg installer file
- In a “Profile” directory in the root of a mounted disk image volume
- In a “Profile” directory in the same directory as the .dmg file
The XML file, ACTransforms.xml, in the Profiles directory in the predeployment package has this format:
<ACTransforms>
<PropertyName1>Value</PropertyName1>
<PropertyName2>Value</PropertyName2>
</ACTransforms>