Create Deployment
Note: Only users with an Administrator role can create deployments.
You use the Create Deployment page to add a new Secure Client deployment in Cisco XDR. Once the deployment is created, it is displayed on the Deployments page.
Generally, there are three options to select from in each Version Control drop-down list:
- Skip – This module will not be included in the deployment.
- Latest – The most recent version of the connector. It is automatically updated each time a new version is released.
- Recommended – The version with the largest user base that has been available for a while without any major issues.
Note: The options are subject to change at any time and don’t have to be consistent across the different products.
To create a new deployment:
1. Click Create New on the Deployments page.
2. Select the operating system and architecture for the deployment, then click Create New.
   Note: macOS deployments do not support Secure Endpoint or Zero Trust Access modules.
3. Enter a name for the deployment, then click Next.
4. Choose the version and profile for the Cloud Management Module from the drop-down lists, then click Next.
   Note: If you do not specify a Cloud Management profile when creating a deployment, a profile will be generated and applied at the time of installation, in which default Cloud Management settings are used. This profile cannot be viewed or edited and is subject to change. If this is not desirable, we recommend that you create a unique Cloud Management profile to assign to deployments that don't already have one or use the Cloud Management Default Profile. For details on creating a Cloud Management profile, see the Profile Configuration help topic.
   The Cloud Management module will connect to these regional API endpoints:
   - North America (NAM)
     - admin.prod.nam.csc.cisco.com
     - identify.prod.nam.csc.cisco.com
     - pacman.prod.nam.csc.cisco.com
   - Europe (EU)
     - admin.prod.eu.csc.cisco.com
     - identify.prod.eu.csc.cisco.com
     - pacman.prod.eu.csc.cisco.com
   - Asia, Pacific, Japan, China (APJC)
     - admin.prod.apjc.csc.cisco.com
     - identify.prod.apjc.csc.cisco.com
     - pacman.prod.apjc.csc.cisco.com
   Note: There is not an option to configure a proxy for the Cloud Management module.
5. (Windows only) Choose the version for the Secure Endpoint connector you want to deploy. If you do not want to include the Secure Endpoint module, choose Skip from the drop-down list, then proceed to step 8.
6. (Windows only) Choose the Secure Endpoint instance from the drop-down list. If you have integrated more than one Secure Endpoint organization with Cisco XDR, they’ll be listed here.
7. (Windows only) Choose the Secure Endpoint group that the Secure Client endpoints will join. See Groups in the Secure Endpoint User Guide for more information about creating and configuring a group.
8. (Windows only) Click Next.
9. Choose a version for the AnyConnect VPN you want to deploy from the drop-down list. If you do not want to include the AnyConnect VPN module, choose Skip from the drop-down list, then proceed to step 13.
10. Choose the AnyConnect VPN profile from the drop-down list. For details on creating a VPN profile, see the Profile Configuration help topic.
    Note: By default, a VPN profile will be deployed with the name CloudManaged.xml on the device. To specify the name, append .xml to the profile name (for example, VPN_TEST.xml).
11. To enable the Start Before Logon feature, which allows users to establish their VPN connection to the enterprise infrastructure before logging onto Windows, click the toggle.
12. Check the check boxes to enable the following optional settings:
    - Umbrella - The Umbrella dashboard is where you obtain the profile (OrgInfo.json) for the Cisco Secure Client Umbrella Roaming Security module to include in your deployment. From the Umbrella dashboard, you also manage policy and activity reporting for the roaming client. If you don’t have a profile to select, click Create Profile to upload an Umbrella profile.
    - Diagnostics and Reporting Tool - DART is the Diagnostics and Reporting Tool that you can use to collect data for troubleshooting Cisco Secure Client installation and connection problems. DART assembles the logs, status, and diagnostic information for Cisco Technical Assistance Center (TAC) analysis.
    - ISE Posture - The ISE Posture module uses the OPSWAT v3 or v4 library to perform posture checks. With an initial posture check, any endpoint that fails to satisfy all mandatory requirements is deemed non-compliant. An administrator can choose to use the standalone editor to create the posture profile and then upload it to ISE. If you don’t have a profile to select, click Create Profile to create an ISE Posture profile.
    - Secure Firewall Posture - Secure Firewall Posture automatically identifies operating systems and service packs on any remote device establishing an AnyConnect VPN client session. You can also configure Secure Firewall Posture to inspect the endpoint for specific processes, files, and registry keys. It performs all of these inspections before full tunnel establishment to distinguish between corporate-owned, personal, and public computers.
    - Network Access Manager - The Network Access Manager is client software that provides a secure Layer 2 network in accordance with its policies. It detects and selects the optimal Layer 2 access network and performs device authentication for access to both wired and wireless networks. Network Access Manager manages user and device identity and the network access protocols required for secure access. Although Network Access Manager is part of Cisco Secure Client 5.0, the Network Access Manager Profile Editor within Cisco XDR will not be available for 5.0. If you don’t have a profile to select, click Create Profile to upload a profile that was created by a standalone editor outside of Cisco XDR or one that was exported from ASDM.
    - Network Visibility Module - The Network Visibility Module (NVM) collects rich flow context from an endpoint on or off premises and provides visibility into network connected devices and user behaviors. The enterprise administrator can then do capacity and service planning, auditing, compliance, and security analytics. If you don’t have a profile to select, click Create Profile to create a Network Visibility Module profile.
    - Network Visibility Module - XDR - This module collects rich flow context from an endpoint to provide more visibility into your network. Network Visibility Module - XDR creates a flow record of every connection from an endpoint and forwards the data over a secure connection to the cloud. Deployments using Network Visibility Module - XDR can send telemetry to Cisco XDR without needing an on-premises collector. If you don't have a profile to select, choose the NVM Cloud Default Profile.
13. Click Next.
14. (Windows only) If you select AnyConnect VPN version 5.1.3.62 or later, you can enable the Zero Trust Access module. From the version drop-down menu, choose the Zero Trust Access connector version you want to deploy. Zero Trust Access reduces the attack surface by hiding applications, and improves your ability to know, understand, and control who and what is on your network. For more information, see the Zero Trust Access Module documentation in the Cisco Secure Client (including AnyConnect) Administrator Guide. If you do not want to include the Zero Trust Access module, choose Skip from the drop-down list.
15. Click Save.
Once you click Save, the Deployment Management page opens, the installers are generated automatically, and you can download a full or network installer. For more information, see the Deployment Management topic.
Note: A maximum of 45 deployments can share the same profile. If the Admin user tries to create a 46th deployment that uses the same profile, the creation will fail with a notification that the limit was reached. We recommend that you use multiple profiles as needed.
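Because the Cloud Management module has no proxy option, the regional API endpoints listed above must be permitted for direct egress from every endpoint in the deployment. The following check is an added example, not part of the Cisco documentation: it compares an egress allowlist against the hostnames for one region and reports the gaps. The allowlist rule format, the sample rules, and port 443 in the optional live probe are assumptions.

```python
import fnmatch
import socket

# Regions and service names taken from the endpoint list on this page.
REGIONS = ("nam", "eu", "apjc")
SERVICES = ("admin", "identify", "pacman")

def endpoints(region):
    """Return the three Cloud Management hostnames for one region."""
    region = region.lower()
    if region not in REGIONS:
        raise ValueError(f"unknown region: {region!r}")
    return [f"{svc}.prod.{region}.csc.cisco.com" for svc in SERVICES]

def missing_from_allowlist(region, allowlist):
    """Return the hostnames for `region` that no allowlist entry permits.

    Entries are exact hostnames or shell-style wildcards such as
    '*.prod.eu.csc.cisco.com' (an assumed rule format, not a Cisco one).
    Blank lines and '#' comment lines are ignored.
    """
    rules = [r.strip().lower() for r in allowlist
             if r.strip() and not r.lstrip().startswith("#")]
    return [host for host in endpoints(region)
            if not any(fnmatch.fnmatchcase(host, rule) for rule in rules)]

def probe(host, port=443, timeout=5.0):
    """Direct (no proxy) DNS + TCP check. Port 443 is an assumption."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "reachable"
    except socket.gaierror:
        return "dns-failure"
    except OSError as exc:
        return f"blocked: {exc}"

# Constructed sample: NAM covered by a wildcard, EU partially, APJC not at all.
SAMPLE_ALLOWLIST = [
    "# egress rules (constructed sample)",
    "*.prod.nam.csc.cisco.com",
    "admin.prod.eu.csc.cisco.com",
    "identify.prod.eu.csc.cisco.com",
]

if __name__ == "__main__":
    for region in REGIONS:
        gaps = missing_from_allowlist(region, SAMPLE_ALLOWLIST)
        print(f"{region.upper()}: {'ok' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Run `probe()` from a representative endpoint in each network segment to confirm that the firewall rules behave as the allowlist says.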