Profile Configuration
The profile configuration page contains settings for the Cloud Management functionality and for the client modules (such as ISE Posture, Network Visibility Module, Cisco Secure Endpoint, Customer Experience Feedback, and VPN).
Make sure that these requirements are met when you're creating a profile in Cisco XDR:
- The profile name (for VPN or any of the Cisco Secure module profiles) must exactly match the name of the profiles created and configured on the ASA or FTD headends and/or in ISE.
- To make sure the profiles remain synchronized across all endpoints and deployments, the profiles created in Cisco XDR must also then be imported into the ASA or FTD headends and/or in ISE.
If the above requirements are not followed, profiles will not remain synchronized across all environments and could potentially disable certain features currently configured in existing deployments. For example, if you want remote desktop capabilities when using VPN, you must have remote desktop capabilities enabled in the VPN profile on Cisco XDR, and have the feature enabled in the profiles which are configured on the ASA or FTD and/or ISE environments.
The Cloud Management profile configuration page allows you to create profiles that control the Secure Client endpoint software, including updates and logging.
Identity Service Settings
You can enable or disable debug logging for the identity service, which is responsible for identity and session information. This should be disabled, unless you’re asked to enable it by support.
Package Manager Service Settings
The package manager service is responsible for checking in with the cloud to see if there are any software updates available. The package manager Logging Level should be left at the default Error setting, unless you’re asked to set it to another level by support.
The Check-in Interval sets how often each Secure Client endpoint checks in with the cloud for new product versions and updated profile settings. Shorter check-in intervals result in more network traffic, while longer intervals mean that your endpoints will not receive updates as quickly.
Notify User When Reboot Is Required sends a reboot required message to the Windows Action Center to let the user know that a Secure Client software update requires a reboot to complete.
Cloud Management Service Settings
The cloud management service is the main Secure Client endpoint service that manages the other components and services. The cloud management service Logging Level should be left at the default Error setting, unless you’re asked to set it to another level by support.
Product Update Window
You can choose to let product updates happen whenever they’re available or specify a time range for them to be installed. This allows you to restrict updates to your off-hours or more convenient times.
Click the Enable Product Update Window toggle and click Configure to select the day(s), start, and end times. Note that while you can specify multiple days, the start and end times will be the same for each day.
If you don’t specify a time zone, the time zone on the endpoint will be used. For example, if you set the update window to start at 5:00 PM, the update window will begin at 5:00 PM in whichever time zone the endpoint is in. However, if you click the Select Time Zone toggle and click Configure to specify the Eastern time zone (UTC -5), an endpoint located in the Pacific time zone (UTC -8) will begin its update window at 5:00 PM Eastern time, or 2:00 PM Pacific time.
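To make the time zone behaviour concrete, here is an added Python example (not Cisco code) that evaluates whether an instant falls inside a configured update window, with window_tz=None modelling the Select Time Zone toggle left off. The Eastern and Pacific offsets are the fixed UTC -5 and UTC -8 values quoted above (DST not modelled), and the handling of a window that crosses midnight is an assumption, since the page does not say how such a window behaves.

```python
from datetime import datetime, time, timedelta, timezone

# Fixed offsets as stated in the text (DST is not modelled here); any tzinfo,
# e.g. zoneinfo.ZoneInfo("America/New_York"), can be passed in its place.
EASTERN = timezone(timedelta(hours=-5), "Eastern")
PACIFIC = timezone(timedelta(hours=-8), "Pacific")

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def window_start_on_endpoint(on_date, start, window_tz, endpoint_tz):
    """Endpoint-local clock time ("HH:MM") at which a window configured in
    window_tz opens on the given ISO date (e.g. 17:00 Eastern -> 14:00 Pacific)."""
    opens = datetime.combine(datetime.fromisoformat(on_date).date(),
                             time.fromisoformat(start), tzinfo=window_tz)
    return opens.astimezone(endpoint_tz).strftime("%H:%M")


def in_update_window(now_iso, days, start, end, endpoint_tz, window_tz=None):
    """True if a product update may be installed at the ISO 8601 instant now_iso
    (which must carry a UTC offset).

    days: names from DAYS. start/end ("HH:MM") apply to every selected day, as
    in the profile editor. window_tz=None models "Select Time Zone" left off:
    the window is then evaluated in the endpoint's own time zone.
    """
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        raise ValueError("now_iso must include a UTC offset")
    tz = window_tz if window_tz is not None else endpoint_tz
    local = now.astimezone(tz)
    clock = local.time()
    start_t, end_t = time.fromisoformat(start), time.fromisoformat(end)
    today = DAYS[local.weekday()]
    yesterday = DAYS[(local.weekday() - 1) % 7]
    if start_t <= end_t:
        return today in days and start_t <= clock < end_t
    # Assumed behaviour for a window crossing midnight (e.g. 22:00-02:00): the
    # early-morning part belongs to the previous (selected) day.
    return (today in days and clock >= start_t) or (yesterday in days and clock < end_t)


if __name__ == "__main__":
    weekdays = DAYS[:5]
    # Constructed instant: Monday 2024-01-15 22:30 UTC = 17:30 Eastern = 14:30 Pacific.
    now = "2024-01-15T22:30:00+00:00"
    print(in_update_window(now, weekdays, "17:00", "19:00", PACIFIC, EASTERN))  # True
    print(in_update_window(now, weekdays, "17:00", "19:00", PACIFIC))           # False
```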
Note: Admin privileges are required to run the diagnostic tool unless the -u option is used.
To generate a support package for Cloud Management, choose Cisco > Cisco Cloud Management Diagnostics from the Start menu in Microsoft Windows. If the menu isn’t available, run the Cloud Management diagnostic executable directly from its install location: C:FilesSecure Client\<version>\<version>_cmdt.exe. The generated package is placed on the desktop.
Support Package Content
- Configuration
  - bs.json
  - cm_config.json
- Data
  - cmidstore.json
- MSI install logs (<product-name>.<version>.log)
- CMID logs (csc_cmid.exe.log, csc_cmid_control_plugin.log, <process>_cmidapi.log)
- CM Package Manager logs (csc_pm.exe<_timestamp>.log)
- CM Service logs (csc_cms.exe<_timestamp>.log)
- Customer Experience Feedback - The customer experience feedback module provides us with information about which features and modules customers use and have enabled. This information gives us insight into the user experience so that Cisco can continue to improve the quality, reliability, performance, and user experience of AnyConnect. If you don’t have a profile to upload, you can click Create New and complete the form.
- ISE Posture - The ISE Posture module uses the OPSWAT v3 or v4 library to perform posture checks. With an initial posture check, any endpoint that fails to satisfy all mandatory requirements is deemed non-compliant. An administrator can choose to use the standalone editor to create the posture profile and then upload it to ISE. If you don’t have a profile to upload, you can click Create New and complete the form as part of the standalone profile editor for ISE Posture.
- Local Policy - The AnyConnectLocalPolicy.xml file is an XML file on the client containing security settings. If you don’t have an AnyConnectLocalPolicy.xml file to upload, you can click Create New and complete the form.
- Network Access Manager - Network Access Manager is client software that provides a secure Layer 2 network in accordance with its policies. It detects and selects the optimal Layer 2 access network and performs device authentication for access to both wired and wireless networks. Network Access Manager manages user and device identity and the network access protocols required for secure access. Although Network Access Manager is part of Cisco Secure Client 5.0, the Network Access Manager Profile Editor within Cisco XDR will not be available for 5.0. To use a profile that was created by a standalone editor outside of Cisco XDR or one that was exported from ASDM, click Upload.
- Network Visibility Module - The Network Visibility Module (NVM) collects rich flow context from an endpoint on or off premise and provides visibility into network connected devices and user behaviors. The enterprise administrator can then do capacity and service planning, auditing, compliance, and security analytics. If you don’t have a profile to upload, you can click Create New and complete the form.
  Note: The NVM profile configuration is for on-prem NVM data collection. If you want to collect NVM data to send to Cisco XDR, use the NVM Cloud Default Profile.
- Umbrella - The Umbrella dashboard is where you obtain the profile (OrgInfo.json) for the Cisco Secure Client Umbrella Roaming Security module to include in your deployment. From the Umbrella dashboard, you also manage policy and activity reporting for the roaming client. To use the OrgInfo.json file that you obtained from the dashboard to determine which policies to enforce, click Upload.
- VPN - AnyConnect VPN profiles contain configuration settings for the AnyConnect VPN functionality of Cisco Secure Client. Profiles deploy administrator-defined end user requirements and authentication policies to endpoints as part of Cisco Secure Client, and they make the preconfigured network profiles available to end users.
  - If you have an existing VPN profile created from ASDM or FTD, use the same name for your deployment from Cisco XDR.
  - Ensure that the VPN profile name ends with .xml (for example, VPN_TEST.xml).
  - The Secure Client Always On configuration has a Closed mode that applies while the VPN is disconnected. In this mode, all outbound traffic is filtered out except traffic to the ASA and to the specified hosts or FQDNs. To allow check-in to succeed in the Closed state, enable the Always On toggle and add the two FQDNs for your region when configuring the List of Trusted Servers and Always-On settings for the Automatic VPN Policy:
    - North America (NAM): identify.prod.nam.csc.cisco.com and pacman.prod.nam.csc.cisco.com
    - European Union (EU): identify.prod.eu.csc.cisco.com and pacman.prod.eu.csc.cisco.com
    - Asia Pacific, Japan, China (APJC): identify.prod.apjc.csc.cisco.com and pacman.prod.apjc.csc.cisco.com
- VPN Management Tunnel - Additional AnyConnect VPN configuration for a VPN management tunnel, which ensures connectivity to the corporate network whenever the client system is powered up, not just when the end user establishes a VPN connection. This lets you perform patch management on out-of-the-office endpoints, especially devices that the user only infrequently connects to the office network over VPN. Endpoint OS login scripts that require corporate network connectivity also benefit from this feature. If you don’t have a profile to upload, you can click Create New and complete the form.
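As an added illustration (not Cisco code) of the Closed-mode check-in requirement in the VPN item above, the following Python function reads a VPN profile and reports which of the region's check-in FQDNs are missing from the Always On allowed hosts, alongside the .xml name check. The element names (AlwaysOn, ConnectFailurePolicy, comma-separated AllowedHosts) are assumed to follow the AnyConnect VPN profile schema, and the sample profile is constructed.

```python
import xml.etree.ElementTree as ET

# Per region, the FQDNs that must stay reachable while the VPN is in Closed mode
# so that the endpoint can still check in with Cloud Management.
CHECKIN_HOSTS = {
    "NAM": ("identify.prod.nam.csc.cisco.com", "pacman.prod.nam.csc.cisco.com"),
    "EU": ("identify.prod.eu.csc.cisco.com", "pacman.prod.eu.csc.cisco.com"),
    "APJC": ("identify.prod.apjc.csc.cisco.com", "pacman.prod.apjc.csc.cisco.com"),
}

# Constructed sample profile (not from the page). Element names are assumed to
# follow the AnyConnect VPN profile schema; only the pacman host is listed as missing.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticVPNPolicy>true
      <AlwaysOn UserControllable="false">true
        <ConnectFailurePolicy>Closed</ConnectFailurePolicy>
        <AllowedHosts>identify.prod.nam.csc.cisco.com</AllowedHosts>
      </AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>
"""


def _find(root, name):
    """First descendant whose local (namespace-stripped) tag equals name, or None."""
    return next((e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name), None)


def _text(elem):
    """Normalised text of an element; empty string when the element is absent."""
    return (elem.text or "").strip().lower() if elem is not None else ""


def closed_mode_checkin_gaps(profile_xml, region):
    """Check-in FQDNs for region that a Closed-mode Always On profile omits.

    Returns [] when Always On is off or the failure policy is not Closed,
    since then no outbound filtering applies while the VPN is down.
    """
    always_on = _find(ET.fromstring(profile_xml), "AlwaysOn")
    if _text(always_on) != "true" or _text(_find(always_on, "ConnectFailurePolicy")) != "closed":
        return []
    hosts = {h.strip() for h in _text(_find(always_on, "AllowedHosts")).split(",")}
    return [f for f in CHECKIN_HOSTS[region] if f not in hosts]


def valid_profile_name(name):
    """XDR VPN profile names must end in .xml, e.g. VPN_TEST.xml."""
    return len(name) > 4 and name.lower().endswith(".xml")
```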