Deployment Management
The Deployment Management page contains settings for packages and related profiles for deployments within an organization.
The page displays the following settings:
| Module | Description |
|---|---|
| Cloud Management | The Cloud Management version and profile selected for the deployment. |
| Secure Endpoint | The Secure Endpoint version, instance, and group selected for the deployment. |
| Secure Client | The Secure Client AnyConnect VPN version, enabled settings, modules, and profiles selected for the deployment. |
| Zero Trust Access | The Zero Trust Access version for the deployment. |
To edit a deployment:
- Click the (Ellipsis) icon to open the Options menu, then choose Edit.
- Modify the deployment settings. For more information, see the Create Deployment help topic.
- Click Save.
A success message is displayed in the top right corner of the screen, and the Deployment Management page opens with the updated settings.
To copy a deployment:
- Click the (Ellipsis) icon to open the Options menu, then choose Make A Copy.
- The Deployment Management page opens for the copied deployment. Modify the deployment settings, if needed. For more information, see the Create Deployment help topic.
Note: Deleting deployments is permanent and cannot be undone.
To delete a deployment:
- Click the (Ellipsis) icon to open the Options menu, then choose Delete.
- Click Delete to confirm.
A success message is displayed in the top right corner of the screen, and the Deployments page refreshes with the deployment removed.
Note: Cisco Secure Client pre-deploy installations are compatible with Cisco XDR Cloud Management deployments. However, Cloud Management and Network Visibility Module - XDR modules must be installed using the Cisco XDR installer.
Click Full Installer or Network Installer at the top of the Deployment Management page to download the installer executable. The installer can be run individually on each endpoint or pushed by using your software management tool.
- Network Installer - A lightweight installer that contains only the Cloud Management client. When deployed, the network installer fetches the rest of the installers configured on the deployment in the background.
- Full Installer - A bundle of all the installers and profiles that have been configured for a deployment, larger in size than the network installer. When the user installs a full installer, the Cloud Management client and all the packages from the deployment are installed.
Running a full or network installer on a device associates it with the deployment from which the installer was generated. Any time the device checks in to the cloud, the list of installed packages is compared with the deployment requirements, and the packages and profiles will be updated to bring them in line with the deployment. However, installed packages that have a higher version than what is in the deployment will not be downgraded.
- AnyConnect VPN profiles that are not in a deployment, but are discovered on an endpoint, will not be deleted. If a profile in a deployment has the same name as a profile on the endpoint, the profile on the endpoint will be replaced.
- Network Access Manager profiles on the endpoint will never be deleted, but they will be replaced if updated in a deployment.
- Network Visibility Module, ISE Posture, Umbrella, and Cloud Management profiles - Any profile that’s not in a deployment will be deleted on the endpoint.
To change the deployment for a device, see the Clients help topic.
Note: Any changes made to devices will require some time to update on the Clients page.
Note: The command line instructions are for Windows deployments only.
The following flags are available for use with the network installer and the full installer:
usage: installer.exe [OPTIONS]
OPTIONS:
* -c, --cleanup : Remove the temp directory after install (default is to remove on success and leave on failure)
* -la : List install actions to be run
* -ls : List files in deployment
* -lsjson : List files in deployment (JSON output)
* -q, --quiet : Run the installation silently
Note: If you’re installing in environments without OpenGL support, use the -q install option.
Secure Client version 5.1.7.x and later and macOS 10.14 and later require approval before an application can access parts of the file system that contain personal user data (for example, Contacts, Photos, Calendar, and other applications). Network Visibility Module - XDR will not be able to fetch the process details without this approval. You will need to enable Full Disk Access manually or using a Mobile Device Management (MDM) profile.
To enable Full Disk Access manually, complete the following steps:
- On your macOS endpoints, open System Preferences.
- Select Privacy & Security.
- Click the toggle to enable Full Disk Access for Cisco Secure Client - AnyConnect VPN Service.
- Click Quit & Reopen to restart the service.
Once the service is restarted, you should see that Cisco Secure Client now has Full Disk Access.
- Open a command terminal and enter the following to restart the VPN agent:
sudo launchctl stop com.cisco.secureclient.vpn.service.agent
A Privacy Preference Policy Control (PPPC) for macOS must be configured on a Mobile Device Management (MDM) profile to provide Full Disk Access. To enable Full Disk Access using the MDM Profile, complete the following steps:
- Open a new or existing PPPC configuration.
- Add a new entry under the 10.14+ System Policy (All Files) privacy preference.
- In the Identifier field, enter com.cisco.secureclient.vpn.service.
- In the Identifier Type field, choose Bundle ID.
- In the Code requirement field, enter the following:
anchor apple generic and identifier
"com.cisco.secureclient.vpn.service" and (certificate
leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate
1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate
leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate
leaf[subject.OU] = DE8Y96K9QP)
- Check the Static Code checkbox.
- Check the Allowed checkbox.
- Click Save.
- Install the PPPC configuration on the required macOS endpoints.
Note: For this configuration to be enabled, a restart of the vpnagent service or a system restart is required after the PPPC configuration has been distributed and installed on the endpoint.
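The PPPC entry from the steps above, written out as a configuration profile (an added example, not Cisco's own tooling). It assumes Apple's com.apple.TCC.configuration-profile-policy payload format; org_prefix and the display name are placeholder values.

```python
import plistlib
import uuid

# Identifier and code requirement exactly as given in the steps above.
BUNDLE_ID = "com.cisco.secureclient.vpn.service"
CODE_REQUIREMENT_WRAPPED = """
anchor apple generic and identifier
"com.cisco.secureclient.vpn.service" and (certificate
leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate
1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate
leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate
leaf[subject.OU] = DE8Y96K9QP)
"""


def code_requirement() -> str:
    """Join the line-wrapped requirement into one whitespace-normalized string."""
    return " ".join(CODE_REQUIREMENT_WRAPPED.split())


def build_pppc_profile(org_prefix: str = "com.example.pppc") -> bytes:
    """Build the profile; org_prefix and display names are placeholders."""
    entry = {  # one entry under "System Policy (All Files)"
        "Identifier": BUNDLE_ID,
        "IdentifierType": "bundleID",
        "CodeRequirement": code_requirement(),
        "StaticCode": True,
        "Allowed": True,
    }
    payload = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.tcc",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "Services": {"SystemPolicyAllFiles": [entry]},
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_prefix,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Secure Client Full Disk Access (example)",
        "PayloadScope": "System",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    print(build_pppc_profile().decode())
```

Upload the generated profile to your MDM rather than installing it by hand; macOS accepts this payload type only from an MDM server.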