Cisco Anyconnect Powershell


  1. Cisco Anyconnect Download
  2. Uninstall Cisco Anyconnect With Powershell
  3. Cisco Anyconnect Vpncli Powershell

Cisco Anyconnect Download

When you start the Cisco AnyConnect VPN Client manually, you need to enter an IP address, username and password. I'm trying to use an SSIS (SQL Server Integration Services) task to automate starting the Cisco AnyConnect VPN Client, and for that I need the correct arguments. See attached file.

Affects Cisco AnyConnect Secure Mobility Client 4.9.x and prior.

About: A PowerShell POC to bypass the "AllowRemoteUsers" setting set in Cisco Adaptive Security Device Manager (ASDM).

Description:

Follow this guide to have AnyConnect start after the user signs in on their computer. I could never get this to work reliably: what it does is "hijack" Windows Explorer as the shell, run a batch file instead, and essentially hold the desktop hostage until the user signs into the VPN. There are a couple of problems:

  1. The network stack doesn't always finish loading before the script runs, so sometimes it throws odd errors.
  2. Sometimes it works perfectly, other times it doesn't.

DISCLAIMER: This was abandoned because we want to go the official route using Cisco Anyconnect SBL => Start Before Logon. Just fun in a lab.

Uninstall Cisco Anyconnect With Powershell

To Resolve:

  1. Start by creating the following in C:\scripts on a laptop you want to test this with:

  2. All the bat files just need:

    • Except script.bat, which should have:
  3. Now populate create-info.ps1:

    • This is to be run once; it just saves the username and password to a file in C:\scripts\start-vpn\public called "info.dat". I know, not secure, but this is just testing. We will eventually need to find a way to store it in Credential Manager or encrypt it somehow.
  4. Now populate “create-sched.ps1”:

    • This just creates a scheduled task at login to run startup.bat.
  5. Now we populate startup.ps1:

    • Modify line 46 to an IP on your internal network. The idea is to check the connection status: if they are not connected to the internet at all, or are already connected to your internal network, do nothing. If they have internet and are not connected, launch the VPN.

    • We could just stop here, but as I said, sometimes it works and sometimes it doesn't. So we go a step further...

  6. Modified "startup.ps1":

    • This does the same thing, but it hijacks Windows Explorer after the user logs in and instead shows a message that they need to connect to the VPN if the conditions of the previous step are met. Lines 20-26 are what hijack the desktop: they let the user through to the desktop, then set the shell back to the startup script for the next reboot.

    • Lines 28-74 are just the function that shows the fullscreen message.

    • Lines 118-125 are the main part: it's supposed to keep looping until they connect to the VPN, using the credentials saved by create-info.ps1. You could also watch the Event Viewer here, which is how I initially coded it, but it wasn't as reliable as just pinging an internal device.

  7. Well, as I mentioned, this is as far as I got in my lab. If you are working on this, good luck!

  8. Some other resources you could try:
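As an added example, not the page's own scripts (which are missing here), this is the whole procedure above collapsed into one startup script: the credentials are saved once with Export-Clixml instead of a plaintext info.dat (the "encrypt it somehow" the author wants; the password is DPAPI-protected to the user account that saved it), internal and internet reachability are checked as in step 5, and vpncli.exe is driven in script mode until the tunnel is up. The VPN headend name, the internal test host, the public address, the credential-file path and the default AnyConnect install path are assumptions.

```powershell
# Added example, not the original page's scripts. Assumptions: AnyConnect is in
# its default install path, the hosts below are placeholders, and the scheduled
# task runs this as the logged-on user (DPAPI ties the saved secret to that user).
param(
    [string]$VpnHost      = 'vpn.example.com',  # assumption: your ASA / headend
    [string]$InternalHost = '10.0.0.10',        # assumption: reachable only on LAN or VPN
    [string]$InternetHost = '8.8.8.8',          # assumption: any always-up public address
    [string]$CredFile     = "$env:LOCALAPPDATA\start-vpn\cred.xml",
    [int]$MaxAttempts     = 5
)

# The wildcard covers both "Program Files" and "Program Files (x86)".
$VpnCli = Get-Item 'C:\Program Files*\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe' -ErrorAction Stop |
          Select-Object -First 1

# One-time step replacing create-info.ps1 / info.dat: prompt once and persist a
# PSCredential. Export-Clixml stores the password as a DPAPI-protected SecureString,
# so only the same user on the same machine can Import-Clixml it back.
if (-not (Test-Path $CredFile)) {
    New-Item -ItemType Directory -Path (Split-Path $CredFile) -Force | Out-Null
    Get-Credential -Message "VPN credentials for $VpnHost" | Export-Clixml -Path $CredFile
}
$Cred = Import-Clixml -Path $CredFile

function Test-Reachable([string]$Target) {
    # One ICMP echo; -Quiet makes Test-Connection return a plain $true / $false.
    Test-Connection -ComputerName $Target -Count 1 -Quiet -ErrorAction SilentlyContinue
}

function Get-VpnState {
    # 'vpncli.exe state' prints lines such as "  >> state: Connected" or
    # "  >> state: Disconnected"; pull out the word after "state:".
    $out = & $VpnCli.FullName state 2>&1 | Out-String
    if ($out -match 'state:\s*(\w+)') { return $Matches[1] }
    return 'Unknown'
}

function Connect-Vpn {
    # 'vpncli.exe -s' reads its prompts from stdin in order: the connect command,
    # the username, then the password. Piping a here-string writes it to stdin.
    # Some headends show a banner first and need an extra 'y' line after the password.
    $cliInput = @"
connect $VpnHost
$($Cred.UserName)
$($Cred.GetNetworkCredential().Password)
"@
    $cliInput | & $VpnCli.FullName -s 2>&1 | Out-Null
}

for ($i = 1; $i -le $MaxAttempts; $i++) {
    if (Test-Reachable $InternalHost) {
        # On the office network (or the tunnel is already up): nothing to do.
        break
    }
    if (-not (Test-Reachable $InternetHost)) {
        # Network stack not up yet (the "weird errors" case): wait and retry rather
        # than launching vpncli against an interface that has no route out.
        Start-Sleep -Seconds 15
        continue
    }
    if ((Get-VpnState) -ne 'Connected') {
        Connect-Vpn
        Start-Sleep -Seconds 10   # give the agent time before re-checking the internal host
    }
}
```

Run it interactively once to save the credential, then register it at logon, for example with Register-ScheduledTask and a trigger from New-ScheduledTaskTrigger -AtLogOn, running as the same user. vpncli.exe will usually refuse to connect while the AnyConnect GUI (vpnui.exe) is open, so close that before testing. The Explorer-shell hijack from step 6 is deliberately left out: holding the desktop hostage with a stored credential is the problem Start Before Logon exists to solve.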

In an everlasting remediation of Cisco AnyConnect on Windows, where 4.5.xxxxx doesn't upgrade properly by just installing a newer version of the product: Cisco has a workaround with 4.6.x, but your 4.5 installation is still broken because either a) it is uninstalled in Apps & Features (Add/Remove Programs if you're old school) but complains that you have a newer version installed when you attempt to install a newer version, or b) it complains 'The File 'ManifestTool.exe' is not marked for installation.' when attempting to uninstall/reinstall AnyConnect.

So enough of that rant; why did I want to document the versioning? Because Cisco AnyConnect relies on many of its modules being the same version as the Core install. I needed to do some version checking in SCCM and in PowerShell scripts to make sure I could remediate the installation. The problem is that not every developer writes versions the same way. Most versions are written in the form 1.0.123.3456 (see semver.org for some usage examples); however, Cisco AnyConnect returns 4, 6, 03049 (comma-separated) when queried. Cisco is not the only offender: the open source R project's version query returns 3.5.3.26217 (2019-03-11), with a date tacked on.

PowerShell handles the clean form well. If you cast 1.4.323.456 and 2.5.323.128 to [version] objects (a plain string comparison would compare them character by character, which goes wrong as soon as a component reaches two digits, e.g. 1.10 versus 1.9), PowerShell compares them properly, treating the four parts as Major, Minor, Build and Revision respectively. For example, you can see your own PowerShell version as such an object with this command: $PSVersionTable.PSVersion

If you are writing a script, creating a detection method, or creating a global condition in SCCM, you will have to convert those version strings into a form PowerShell can compare. If you are a seasoned programmer, you probably know how to do this already. I'm not; research and asking questions on the PowerShell Slack gave me a lot of insight.

Here are some things to consider when working with version objects:

Cisco Anyconnect Vpncli Powershell

Convert your number-dot-number string to a version object; remember to quote your string!
$OurVersion = [version]'2.11.1'

Grab the version number using ProductVersion (for AnyConnect this returns the comma-separated form); note the wildcard in the path so the same command works whether the client landed in Program Files or Program Files (x86).

Now strip the commas and convert the string into a version object.

There is another place the product reports a version without commas (for AnyConnect): you can get it with Get-Command, which exposes the executable's FileVersionInfo. It's used in older PowerShell versions for other things, but works here for AnyConnect.

So what do we do with the R project and the extra date? Just trim it off.

If there are multiple versions of R installed, split the output into lines before trimming each one.

In conclusion, we have a few ways to get versions. Here are two examples I've used to compare them.

The first is a global condition in SCCM. You can turn it into a detection method by adding Write-Host 'Installed' alongside your $true; the text passed to Write-Host does not matter, only that something is written.

The second is a snippet from a script that also detects the AnyConnect version. If it's a certain version or newer, run another installer.
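The snippets the post refers to are not on this page, so here is an added example (mine, not the post's code) that covers the same ground in one place: normalising the comma-separated AnyConnect ProductVersion, the R string with its trailing date, and a multi-line result from several installs into [version] objects, then using them in an SCCM-style detection check and an install-if-older decision. The vpnui.exe path is the default install location with the Program Files wildcard the post describes; the sample version strings are constructed to match the forms the post quotes, not real query output.

```powershell
# Added example, not the original post's code. The install path is an assumption
# (AnyConnect's default location; the wildcard covers Program Files and Program
# Files (x86)); the sample strings below are constructed.

function ConvertTo-NormalizedVersion {
    <#
      Turns the awkward version strings discussed above into [version] objects:
        '4,6,03049'                -> 4.6.3049    (AnyConnect ProductVersion, commas)
        '3.5.3.26217 (2019-03-11)' -> 3.5.3.26217 (R, trailing date)
      Multi-line input (several installs) yields one [version] per line.
    #>
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Text)
    process {
        foreach ($line in ($Text -split "`r?`n")) {
            if (-not $line.Trim()) { continue }
            $s = $line.Trim() -replace ',', '.'      # commas -> dots
            $s = ($s -split '\s+')[0]                # drop " (2019-03-11)" and anything after whitespace
            $s = $s -replace '[^0-9.]', ''           # defensive: keep only digits and dots
            # [version] needs at least Major.Minor; reject anything else loudly.
            if ($s -match '^\d+(\.\d+){1,3}$') { [version]$s }
            else { Write-Warning "Unrecognized version string: '$line'" }
        }
    }
}

function Get-AnyConnectVersion {
    # ProductVersion comes from the file's version resource; on AnyConnect it is the
    # comma form. (Get-Command $exe.FullName).FileVersionInfo.FileVersion is the
    # dotted alternative the post mentions and needs no comma handling.
    param([string]$Path = 'C:\Program Files*\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe')
    $exe = Get-Item $Path -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $exe) { return $null }   # not installed
    ConvertTo-NormalizedVersion $exe.VersionInfo.ProductVersion
}

function Test-MinimumVersion {
    # Shape of an SCCM detection method / global condition: $true when installed and
    # at least $Minimum. The Write-Host line is what a detection method needs; its
    # text is irrelevant, only that something reaches stdout.
    param($Installed, [Parameter(Mandatory)][version]$Minimum)
    if ($Installed -and ([version]$Installed -ge $Minimum)) {
        Write-Host 'Installed'
        return $true
    }
    return $false
}

# --- constructed samples, not real query output ---
ConvertTo-NormalizedVersion '4,6,03049'                      # 4.6.3049
ConvertTo-NormalizedVersion '3.5.3.26217 (2019-03-11)'       # 3.5.3.26217
"3.5.3.26217 (2019-03-11)`n3.6.1.28000 (2019-07-05)" | ConvertTo-NormalizedVersion

# Why the cast matters: as strings these compare character by character.
'4.10.0' -gt '4.9.0'                    # False (string comparison: '1' sorts before '9')
[version]'4.10.0' -gt [version]'4.9.0'  # True

# Install-or-upgrade decision in the shape of the post's last snippet.
$installed = ConvertTo-NormalizedVersion '4,6,03049'   # stand-in for Get-AnyConnectVersion
if (-not (Test-MinimumVersion -Installed $installed -Minimum '4.9.0')) {
    # Start-Process -FilePath '<path to newer AnyConnect installer>' -Wait   (placeholder)
    "Older than 4.9.0 (or not installed): run the newer installer"
}
```

For an SCCM detection script, end with the Test-MinimumVersion call and nothing else, so the only stdout on a compliant machine is that one line; a global condition returns the boolean instead.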