Cisco Secure Client
Purpose
This solution provides automated deployment, management, and removal of Cisco Secure Client across Windows and Macintosh systems within NinjaOne. The solution enables organizations to centrally configure and deploy Cisco Secure Client with support for multiple modules including Core-VPN, Umbrella, ISE Posture, Network Visibility Module, ThousandEyes Endpoint, Zero Trust Access, and platform-specific modules.
The solution supports flexible deployment configurations at the Organization, Location, or Device level, allowing administrators to specify which operating systems should receive automatic deployment, which modules should be installed, and various Windows-specific settings such as system tray visibility, Add/Remove Programs visibility, and service lockdown options.
Key capabilities include:
- Automated Deployment: Automatically installs Cisco Secure Client modules on devices based on configured deployment settings and module selections
- Module Management: Supports selective installation of specific modules or installation of all available modules
- Umbrella Integration: Provides configuration fields for Umbrella UserID, Fingerprint, and OrgID when deploying the Umbrella module
- Platform-Specific Options: Windows-specific settings for system tray display, Add/Remove Programs visibility, and service lockdown
- Module Comparison: Pre-installation checks to compare installed modules against configured selections to determine if installation is required
- On-Demand Operations: Installation and uninstallation automations can be run ad-hoc on demand for immediate deployment or removal
The auto-deployment compound conditions monitor devices and automatically trigger installation when deployment is enabled and required modules are missing. Installation and uninstallation scripts are available as ad-hoc automations that can be executed on demand when immediate action is required.
Associated Content
Custom Fields
| Name | Function |
|---|---|
| cPVAL Cisco Secure Client Deployment | Specifies which operating system should receive Cisco Secure Client automatically. Options include Disable, All, Windows Workstations, Windows Server, Macintosh, Windows, or Windows Workstations and Macintosh. |
| cPVAL Cisco Secure Client Modules | Multi-select field to specify which modules should be installed. Selecting "All" installs every available module and overrides individual selections. |
| cPVAL Cisco Secure Client MAC Source | Provides the download URL or local path for the .dmg file used to install Cisco Secure Client modules on Mac systems. |
| cPVAL Cisco Secure Client Windows Source | Provides the download URL or local path for the .zip file used to install Cisco Secure Client modules on Windows systems. |
| cPVAL Cisco Secure Client Umbrella UserID | Required when "All" or "Umbrella" module is selected. Provides the Umbrella UserID associated with your organization. |
| cPVAL Cisco Secure Client Umbrella Fingerprint | Required when "All" or "Umbrella" module is selected. Provides the Umbrella Fingerprint associated with your organization. |
| cPVAL Cisco Secure Client Umbrella OrgID | Required when "All" or "Umbrella" module is selected. Provides the Umbrella OrgID associated with your organization. |
| cPVAL Cisco Secure Client Windows Show VPN | Checkbox to enable Core-VPN module display in the Windows system tray icon. By default, Core-VPN does not appear in the tray. Windows only. |
| cPVAL Cisco Secure Client Windows ARP | Checkbox to hide Cisco Secure Client modules from the Add/Remove Programs section in Windows. Windows only. |
| cPVAL Cisco Secure Client Windows Lockdown | Checkbox to lock Cisco Secure Client services and prevent modifications by all users, including administrators. Windows only. |
Automations
| Name | Function |
|---|---|
| Cisco Secure Client - Package Installation [Windows] | Installs the modules selected in the Modules custom field using the installer specified in the Windows Source field. Supports HTTP/HTTPS URLs or local file paths. Can be run ad-hoc on demand. |
| Cisco Secure Client - Module Comparison [Windows] | Compares the number of installed Cisco Secure Client modules with the number of modules selected in the Modules custom field. Used as a pre-check to determine if installation is required. |
| Cisco Secure Client - Package Uninstallation [Windows] | Removes Cisco Secure Client from Windows systems by detecting installed instances in the Windows Registry and performing a silent uninstallation. Can be run ad-hoc on demand. |
| Cisco Secure Client - Package Installation [Macintosh] | Installs the modules selected in the Modules custom field using the installer specified in the Mac Source field. Supports HTTP/HTTPS URLs or local file paths. Can be run ad-hoc on demand. |
| Cisco Secure Client - Module Comparison [Macintosh] | Compares the number of installed Cisco Secure Client modules with the number of modules selected in the Modules custom field. Used as a pre-check to determine if installation is required. |
| Cisco Secure Client - Package Uninstallation [Macintosh] | Uninstalls all Cisco Secure Client modules from macOS systems using the built-in uninstaller script. Verifies successful removal and reports any remaining components. Can be run ad-hoc on demand. |
Compound Conditions
| Name | Function |
|---|---|
| Cisco Secure Client - Package Installation [Windows Workstation] | Automatically runs the Cisco Secure Client - Package Installation [Windows] automation on Windows workstations that have deployment enabled and are missing one or more of the selected modules. Recommended for Windows Workstation Policy [Default]. |
| Cisco Secure Client - Package Installation [Windows Server] | Automatically runs the Cisco Secure Client - Package Installation [Windows] automation on Windows servers that have deployment enabled and are missing one or more of the selected modules. Recommended for Windows Server Policy [Default]. |
| Cisco Secure Client - Package Installation [Macintosh] | Automatically runs the Cisco Secure Client - Package Installation [Macintosh] automation on Mac computers that have deployment enabled and are missing one or more of the selected modules. Recommended for Mac Policy [Default]. |
Implementation
Step 1
Create the following custom fields as described in the document:
- Custom Field: cPVAL Cisco Secure Client Deployment
- Custom Field: cPVAL Cisco Secure Client Modules
- Custom Field: cPVAL Cisco Secure Client MAC Source
- Custom Field: cPVAL Cisco Secure Client Windows Source
- Custom Field: cPVAL Cisco Secure Client Umbrella UserID
- Custom Field: cPVAL Cisco Secure Client Umbrella Fingerprint
- Custom Field: cPVAL Cisco Secure Client Umbrella OrgID
- Custom Field: cPVAL Cisco Secure Client Windows Show VPN
- Custom Field: cPVAL Cisco Secure Client Windows ARP
- Custom Field: cPVAL Cisco Secure Client Windows Lockdown
Step 2
Create the following automations as described in the document:
- Automation: Cisco Secure Client - Package Installation [Windows]
- Automation: Cisco Secure Client - Module Comparison [Windows]
- Automation: Cisco Secure Client - Package Uninstallation [Windows]
- Automation: Cisco Secure Client - Package Installation [Macintosh]
- Automation: Cisco Secure Client - Module Comparison [Macintosh]
- Automation: Cisco Secure Client - Package Uninstallation [Macintosh]
Step 3
Create the following compound conditions as described in the document:
- Compound Condition: Cisco Secure Client - Package Installation [Windows Workstation]
- Compound Condition: Cisco Secure Client - Package Installation [Windows Server]
- Compound Condition: Cisco Secure Client - Package Installation [Macintosh]
FAQs
Q. Where can I obtain the Cisco Secure Client installer?
A: Download the latest available installer files from the Cisco Software Download Center.
Note: You will need to log in using your Cisco credentials to download the installer files. For Windows systems, download the .zip file. For Macintosh systems, download the .dmg file.
Q. How do I provide the installer to the installation scripts?
A: The installation scripts support two methods for providing the installer:
- HTTP/HTTPS URL (Recommended): Host the installer file on a web server, cloud storage (such as Azure Blob Storage), or file server that provides a public download URL. Store the full URL in the appropriate source custom field:
  - For Windows: Store the .zip file URL in cPVAL Cisco Secure Client Windows Source
  - For Macintosh: Store the .dmg file URL in cPVAL Cisco Secure Client MAC Source
- Local File Path: Provide a local file path on the target machine (e.g., C:\Path\To\File.zip for Windows or /tmp/cisco-secure-client.dmg for Mac). The file must already be present on the device before running the installation automation.
Q. Can I provide a local file path to the installer?
A: Yes, you can provide a local file path to the installer. The installation scripts support local file paths such as C:\Path\To\File.zip for Windows or /tmp/cisco-secure-client.dmg for Macintosh. However, the installer file must already be present on the target device at the specified path before running the installation automation.
Q. Can I provide a network UNC path to the installer?
A: No, the installation scripts do not support network UNC paths (e.g., \\server\share\file.zip) directly. However, you can work around this limitation by:
- Using a separate automation or script to copy the installer from a network location to a local path on the target machine
- Then providing that local path to the Cisco Secure Client installation script
Alternatively, you can host the installer on a web server or cloud storage that provides an HTTP/HTTPS download URL, which is the recommended approach.
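The copy step of the UNC workaround above can look like the following. This is an added example, not one of the solution's automations: the script, its parameter names, and the SHA-256 check against a hash you recorded when downloading the file from Cisco are assumptions.

```powershell
# Added example (not part of the solution): stage the installer from a UNC
# share to a local path and verify it before the installation automation runs.
# All three values are supplied by the operator. The account running the
# script must be able to read the share.
param(
    [Parameter(Mandatory)] [string] $UncSource,      # e.g. \\server\share\file.zip
    [Parameter(Mandatory)] [string] $LocalTarget,    # e.g. C:\Path\To\File.zip
    [Parameter(Mandatory)] [string] $ExpectedSha256  # hash recorded at download time
)

$ErrorActionPreference = 'Stop'

# Reject anything that is not \\server\share\file, and any non-local target.
if ($UncSource -notmatch '^\\\\[^\\]+\\[^\\]+\\.+') {
    throw "UncSource must be a UNC path such as \\server\share\file.zip"
}
if ($LocalTarget -notmatch '^[A-Za-z]:\\') {
    throw "LocalTarget must be a local absolute path such as C:\Path\To\File.zip"
}
if ($ExpectedSha256 -notmatch '^[0-9A-Fa-f]{64}$') {
    throw "ExpectedSha256 must be 64 hexadecimal characters"
}

$targetDir = Split-Path -Path $LocalTarget -Parent
if (-not (Test-Path -LiteralPath $targetDir)) {
    New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
}

# Copy under a temporary name so a partial or unverified file never sits at
# the path stored in the Windows Source custom field.
$staging = $LocalTarget + '.partial'
Copy-Item -LiteralPath $UncSource -Destination $staging -Force

# String comparison with -ne is case-insensitive, so hex case does not matter.
$actual = (Get-FileHash -LiteralPath $staging -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    Remove-Item -LiteralPath $staging -Force
    throw "SHA-256 mismatch: expected $ExpectedSha256, got $actual"
}

Move-Item -LiteralPath $staging -Destination $LocalTarget -Force
Write-Output "Staged and verified: $LocalTarget"
```

After it succeeds, store the value of LocalTarget in cPVAL Cisco Secure Client Windows Source and run the installation automation.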
Q. Why do I need to host the installer files externally?
A: Unlike other RMM platforms such as VSA and Automate, NinjaOne does not have a built-in file hosting mechanism for storing and distributing installer files. Therefore, you must host the Cisco Secure Client installer files on an external location that provides a public download URL accessible to your managed devices.
Common hosting options include:
- Azure Blob Storage: Provides secure, scalable cloud storage with public download URLs
- File Server with Web Access: A file server configured to serve files via HTTP/HTTPS
- Cloud Storage Services: Other cloud storage solutions that provide direct download links
- Web Server: Any web server capable of hosting and serving files via HTTP/HTTPS
The key requirement is that the hosting location must provide a publicly accessible HTTP or HTTPS URL that the installation scripts can download from.
Q. Is it mandatory to create all compound conditions?
A: No, it is not mandatory to create all compound conditions. You should only create the compound conditions that are required for your environment. For example, if you only deploy to Windows workstations, you only need to create the Cisco Secure Client - Package Installation [Windows Workstation] compound condition. Create compound conditions based on the operating systems and device types you need to support.
Q. What if I'm using different or custom agent policies instead of the recommended default policies?
A: If you are using different or custom agent policies (other than Windows Workstation Policy [Default], Windows Server Policy [Default], or Mac Policy [Default]), you will need to create compound conditions against those specific policies instead. The compound conditions must be assigned to the agent policies that match your environment's configuration.
Q. Can I execute the installation automations manually without compound conditions?
A: Yes, the installation automations can be executed manually without compound conditions. The Cisco Secure Client - Package Installation [Windows] and Cisco Secure Client - Package Installation [Macintosh] automations can be run ad-hoc on demand. You only need to ensure that the mandatory custom fields are set before running the automation. Compound conditions are optional and are used for automatic deployment when devices meet specific criteria.
Q. What are the mandatory custom fields for the Windows installation script?
A: The mandatory custom fields for the Cisco Secure Client - Package Installation [Windows] automation are:
- cPVAL Cisco Secure Client Modules - Required to specify which modules should be installed
- cPVAL Cisco Secure Client Windows Source - Required to provide the installer file path or URL
Additionally, if "All" or "Umbrella" is selected in the Modules field, the following fields become mandatory:
- cPVAL Cisco Secure Client Umbrella UserID
- cPVAL Cisco Secure Client Umbrella Fingerprint
- cPVAL Cisco Secure Client Umbrella OrgID
Q. What are the mandatory custom fields for the Macintosh installation script?
A: The mandatory custom fields for the Cisco Secure Client - Package Installation [Macintosh] automation are:
- cPVAL Cisco Secure Client Modules - Required to specify which modules should be installed
- cPVAL Cisco Secure Client MAC Source - Required to provide the installer file path or URL
Additionally, if "All" or "Umbrella" is selected in the Modules field, the following fields become mandatory:
- cPVAL Cisco Secure Client Umbrella UserID
- cPVAL Cisco Secure Client Umbrella Fingerprint
- cPVAL Cisco Secure Client Umbrella OrgID
Q. Do I need to install Core-VPN module to install Umbrella?
A: Yes, the Umbrella module requires the Core-VPN module to be installed. When installing Umbrella, you must ensure that both Core-VPN and Umbrella are selected in the cPVAL Cisco Secure Client Modules custom field. If you select "All" in the Modules field, both modules will be installed automatically.
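The Windows field requirements from the preceding answers can be checked before the automation runs. The function below is an added example, not code from the solution; its name and parameters are hypothetical, and the values are passed in by the caller rather than read from NinjaOne.

```powershell
# Added example (hypothetical helper, not part of the solution): pre-flight
# check of the custom field values for the Windows installation automation.
function Test-SecureClientFields {
    param(
        [string[]] $Modules,
        [string]   $WindowsSource,
        [string]   $UmbrellaUserId,
        [string]   $UmbrellaFingerprint,
        [string]   $UmbrellaOrgId
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    if (-not $Modules) { $problems.Add('Modules: no module selected') }

    # Source must be an HTTP/HTTPS URL or a local path; UNC is not supported.
    if ([string]::IsNullOrWhiteSpace($WindowsSource)) {
        $problems.Add('Windows Source: empty')
    } elseif ($WindowsSource.StartsWith('\\')) {
        $problems.Add('Windows Source: UNC path not supported; stage locally or use a URL')
    } elseif ($WindowsSource -notmatch '^(https?://|[A-Za-z]:\\)') {
        $problems.Add('Windows Source: not an HTTP/HTTPS URL or local absolute path')
    }

    # "All" includes Umbrella, so the three Umbrella fields become mandatory.
    $all = $Modules -contains 'All'
    if ($all -or ($Modules -contains 'Umbrella')) {
        $umbrella = [ordered]@{
            'Umbrella UserID'      = $UmbrellaUserId
            'Umbrella Fingerprint' = $UmbrellaFingerprint
            'Umbrella OrgID'       = $UmbrellaOrgId
        }
        foreach ($name in $umbrella.Keys) {
            if ([string]::IsNullOrWhiteSpace($umbrella[$name])) {
                $problems.Add("${name}: required when All or Umbrella is selected")
            }
        }
    }

    # Umbrella depends on Core-VPN unless "All" already pulls it in.
    if (-not $all -and ($Modules -contains 'Umbrella') -and
        ($Modules -notcontains 'Core-VPN')) {
        $problems.Add('Modules: Umbrella requires Core-VPN to be selected')
    }

    $problems.ToArray()
}

# Constructed sample values: Umbrella without Core-VPN, UNC source, no OrgID.
$result = @(Test-SecureClientFields -Modules 'Umbrella' `
    -WindowsSource '\\server\share\file.zip' `
    -UmbrellaUserId '0000000' -UmbrellaFingerprint 'constructed-sample-value')

if ($result.Count -gt 0) { $result | ForEach-Object { Write-Output "FAIL: $_" } }
else { Write-Output 'All mandatory fields are consistent.' }
```

With the constructed values shown, three problems are reported: the UNC source, the missing OrgID, and the missing Core-VPN selection.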
Q. Why is the Core-VPN module not visible in the Windows system tray?
A: By default, the Core-VPN module is hidden from the Windows system tray icon. This is the standard behavior of Cisco Secure Client. To make the Core-VPN module visible in the system tray, you need to enable the cPVAL Cisco Secure Client Windows Show VPN custom field checkbox. This setting applies only to Windows systems.
Q. How do custom field levels work (Organization, Location, Device)?
A: All custom fields in this solution are available at three levels: Organization, Location, and Device. This allows for flexible configuration where you can set default values at the organization level, override them for specific locations, and further customize them for individual devices. Lower-level settings override higher-level settings. For example, if you set a value at the Organization level, you can override it at the Location level, and that Location value can be overridden at the Device level. This hierarchical approach enables centralized management with the flexibility to handle exceptions.
Q. How do I exclude a machine or location from auto-deployment?
A: To exclude a machine or location from auto-deployment, set the cPVAL Cisco Secure Client Deployment custom field to "Disable" at the desired level (Location or Device). When set to "Disable", the deployment will not occur for that configuration level, effectively excluding those devices from automatic installation. The compound conditions will not trigger installation on devices where deployment is disabled, even if modules are missing.
Q. What happens when I select "All" in the Modules field?
A: When you select "All" in the cPVAL Cisco Secure Client Modules custom field, the installation script will install every available module for the target platform, regardless of any other individual module selections. This option overrides individual selections and ensures all modules are installed. Note that if "All" is selected, you must also provide the Umbrella UserID, Fingerprint, and OrgID fields since Umbrella will be included in the installation.
Q. What's the difference between the Module Comparison automation and the Package Installation automation?
A: The Cisco Secure Client - Module Comparison automation is a pre-check script that compares the number of installed modules on a device with the number of modules selected in the Modules custom field. It does not perform any installation; it only determines if installation is required. This automation is used by the compound conditions to evaluate whether a device needs Cisco Secure Client installed. The Cisco Secure Client - Package Installation automation actually performs the installation of the selected modules using the installer file specified in the Source custom field.
Q. Can I add modules to an existing installation?
A: Yes, you can add modules to an existing installation. Simply update the cPVAL Cisco Secure Client Modules custom field to include the additional modules you want to install, then run the installation automation again. The installation script will install any missing modules that are selected in the Modules field. The Cisco Secure Client - Module Comparison automation will detect that additional modules are needed and can trigger the installation via compound conditions.
Q. What's the difference between "Windows" and "Windows Workstations" in the Deployment field?
A: In the cPVAL Cisco Secure Client Deployment custom field, "Windows" includes both Windows workstations and Windows servers, while "Windows Workstations" only includes Windows workstation devices. Similarly, "Windows Server" only includes Windows server devices. Use "Windows" if you want to deploy to all Windows devices regardless of type, or use the specific options if you need different configurations for workstations versus servers.
Q. Can I run the installation script multiple times on the same device?
A: Yes, you can run the installation script multiple times on the same device. The installation script will install any modules that are selected in the Modules custom field but are not currently installed. If all selected modules are already installed, the script will typically skip installation or report that no action is needed. Running the installation script multiple times is safe and can be used to add modules to an existing installation or ensure all selected modules are present.
Q. How do I update Cisco Secure Client to a newer version?
A: To update Cisco Secure Client to a newer version, download the latest installer files from the Cisco Software Download Center and update the source URLs in the cPVAL Cisco Secure Client Windows Source or cPVAL Cisco Secure Client MAC Source custom fields. Then run the installation automation again. The installation script will install the new version, which typically upgrades existing installations. Alternatively, you can uninstall the current version first using the uninstallation automation, then install the new version.
Q. What happens if I change the Deployment field from "All" to "Disable" after installation?
A: Changing the cPVAL Cisco Secure Client Deployment custom field from "All" (or any deployment option) to "Disable" will prevent future automatic installations on devices at that configuration level. However, this change does not uninstall Cisco Secure Client from devices where it is already installed. The installed software will remain on the devices. If you want to remove the software, you must run the Cisco Secure Client - Package Uninstallation automation.
Q. Does the uninstallation script remove specific modules or all modules?
A: The Cisco Secure Client - Package Uninstallation [Windows] and Cisco Secure Client - Package Uninstallation [Macintosh] automations remove all Cisco Secure Client modules from the system. They do not support selective removal of individual modules. If you need to remove specific modules, you would need to uninstall all modules and then reinstall only the modules you want to keep.
Q. What happens if a device is offline when the compound condition tries to run?
A: If a device is offline when a compound condition is evaluated, the automation will not execute. Compound conditions only trigger when devices are online and can communicate with the NinjaOne platform. Once the device comes back online and the compound condition is re-evaluated (typically during the next policy check cycle), it will detect if installation is still needed and trigger the installation automation if the conditions are met.
Q. How often do compound conditions run?
A: Compound conditions run hourly. After making any changes to the cPVAL Cisco Secure Client Deployment custom field or other deployment-related custom fields, you should expect deployments to occur within one to two hours, as the compound conditions will be evaluated during the next hourly check cycle. If you need immediate deployment, you can run the installation automation manually instead of waiting for the compound condition to trigger.
Q. How do I verify that modules were installed correctly?
A: You can verify module installation by running the Cisco Secure Client - Module Comparison automation, which will compare the installed modules against the modules selected in the Modules custom field. Additionally, on Windows systems, you can check the installed modules in the Windows Registry or Add/Remove Programs (if the ARP option is not enabled). On Mac systems, you can check the installed modules in the Applications folder or using system commands. The installation automation's activity details will also provide information about which modules were successfully installed.