Configure AnyConnect Lockdown And Hide AnyConnect From The Add/Remove Program List For Windows

Available Languages

Download Options

  • PDF     (9.6 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (10.3 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (5.1 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:June 3, 2021
Document ID:217157

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Table of Contents 

    Introduction

    This document describes the steps required to enable the AnyConnect Lockdown and the Hide AnyConnect from the Add/Remove program list for Windows machines.

    Contributed by Christian G. Hernandez R, Cisco TAC Engineer.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Cisco Adaptive Security Appliance (ASA) configuration

    • Cisco AnyConnect configuration
    • Windows basic knowledge

    Components Used

    The information in this document is based on the software and hardware versions below:

    • Cisco ASA version 9.14.2.13
    • Cisco Adaptive Security Device Manager (ASDM) version 7.14.1
    • Cisco AnyConnect versions 4.9.04053 and 4.9.06037

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    AnyConnect Lockdown for Windows: Cisco recommends that end-users be given limited rights to the Cisco AnyConnect Secure Mobility Client on their device. If end-user warrant additional rights, installers can provide a lockdown capability that prevents users and local administrators to turn off or stop the AnyConnect services.

    You have three different options to enable the AnyConnect Lockdown feature:

        1. MSI installers from the Windows command prompt terminal.

        2. Lockdown option from the AnyConnect pre-deployment package installation wizard.

        3. ASDM - Import a sample installer lockdown transforms file to the ASA.

    Hide AnyConnect from the Add/Remove program list for Windows: You can hide the installed AnyConnect modules from the Add/Remove Programs list in the Windows Control Panel Uninstall a Program.  

    You have two options to enable the Hide AnyConnect from the Add/Remove program list feature:

         1. MSI installers from the Windows command prompt terminal.

         2. ASDM - Import a sample installer hide-addremove transforms file to the ASA.

    Configure

    Network Diagram

    Configure AnyConnect Lockdown

        MSI installers from the Windows command prompt terminal.

    Configuration Steps

    Step 1. Download the AnyConnect pre-deployment package file for Windows.

    Step 1.1 Navigate to the Cisco software download page and download the AnyConnect version to install on the Windows machine.

    For this example, download the Windows AnyConnect pre-deployment package that includes the individual MSI files for version 4.9.04053 (anyconnect-win-4.9.04053-predeploy-k9.zip).

    Step 2. Download the AnyConnect installer transforms file for Windows.

    Step 2.1 Navigate to the Cisco software download page and download the AnyConnect Installer Transforms file for Windows that matches the same AnyConnect version to install in the Windows machine.

    For this example, download the transforms file for the AnyConnect version 4.9.04053 (tools-anyconnect-win-4.9.04053-transforms.zip).

    Step 3. Unzip the AnyConnect files downloaded into different folders.

    Step 3.1 The anyconnect-win-4.9.04053-predeploy-k9.zip file is unzipped on the next folder path: C:\Users\calo\Downloads\anyconnect-win-4.9.04053-predeploy-k9.

    Step 3.2 The tools-anyconnect-win-4.9.04053-transforms.zipfile is unzipped on the next folder path: C:\Users\calo\Downloads\tools-anyconnect-win-4.9.04053-transforms.

    Step 4. Copy and paste the AnyConnect lockdown transforms file into the same folder as the AnyConnect MSI installer files. 

    Step 4.1 From the tools-anyconnect-win-4.9.04053-transforms folder, copy the _anyconnect-win-lockdown.mst lockdown transforms file and pastes it into the anyconnect-win-4.9.04053-predeploy-k9 folder as follows.

    Step 5. CD into the folder path that has the MSI AnyConnect installation files.

    Step 5.1 Open a Windows command prompt terminal and cd into the folder path that has the MSI AnyConnect installation files and the _anyconnect-win-lockdown.mst lockdown transforms file copied/pasted in the step above.

    This example cd into the next folder path C:\Users\calo\Downloads\anyconnect-win-4.9.04053-predeploy-k9.

    Step 6. Install the AnyConnect modules with the lockdown transforms file. 

    Step 6.1 Install each of the AnyConnect modules required with the next MSI installer command that points to the AnyConnect .msi module file and the _anyconnect-win-lockdown.mst lockdown transforms file.

    msiexec -i anyconnect-win-4.9.04053-xxxxxxx-predeploy-k9.msi TRANSFORMS=_anyconnect-win-lockdown.mst LOCKDOWN=1 -lvx* install.log

    Note:The LOCKDOWN value setup as "1", enables the lockdown feature for the AnyConnect module to install. 

    Note: Cisco recommends that you use the sample transforms file provided to set this property, apply the transform to each MSI installer for each module you want to be locked down. You can download the sample transforms from the Cisco AnyConnect Secure Mobility Client software download page.

    Note:If you deploy the core client plus one or more optional modules, you must apply the LOCKDOWN property to each of the installers. This operation is one way only and cannot be removed unless you re-install the product.

    Step 6.2 This example installs the AnyConnect CORE & VPN module and the _anyconnect-win-lockdown.mst lockdown transforms file, both match the files for the AnyConnect version 4.9.04053.

    msiexec -i anyconnect-win-4.9.04053-core-vpn-predeploy-k9.msi TRANSFORMS=_anyconnect-win-lockdown.mst LOCKDOWN=1 -lvx* install.log

    Step 6.3 This example installs the AnyConnect Umbrella Roaming Security module and the _anyconnect-win-lockdown.mst lockdown transforms file, both match the files for the AnyConnect version 4.9.04053.

    msiexec -i anyconnect-win-4.9.04053-umbrella-predeploy-k9.msi TRANSFORMS=_anyconnect-win-lockdown.mst LOCKDOWN=1 -lvx* install.log

        Lockdown option from the AnyConnect pre-deployment package installation wizard.

    Configuration Steps

    Step 1. Download the Anyconnect pre-deployment package file for Windows.

    Step 1.1 Navigate to the Cisco software download page and download the AnyConnect version to install on the Windows machine.

    For this example, download the Windows AnyConnect pre-deployment package that includes the individual MSI files for version 4.9.04053 (anyconnect-win-4.9.04053-predeploy-k9.zip).

    Step 2. Open the AnyConnect setup file.

    Step 2.1 Unzip the anyconnect-win-4.9.04053-pre-deploy-k9.zip file downloaded and open it.

    Step 2.2 Then double-click on the AnyConnect setup file.

      

    Step 3. Work with the AnyConnect installation wizard.

    Step 3.1 Select the AnyConnect modules you would like to install from the options displayed.

    For this example, select the AnyConnect CORE & VPN  and the Umbrella Roaming Security modules.

    Step 4. Enable the AnyConnect lockdown feature.

    Step 4.1 In order to enable the lockdown feature for both the CORE & VPN and the Umbrella Roaming Security modules, select the Lock Down Component Services option and proceed with the installation.

    Step 5. Confirm the installation of the AnyConnect modules.

    Step 5.1 The installation of the AnyConnect modules is completed at 100% once the next message is displayed.

    Configure Hide AnyConnect from the Add/Remove Program List

         MSI installers from the Windows command prompt terminal.

    Configuration Steps

    Step 1. Download the AnyConnect pre-deployment package file for Windows.

    Step 1.1 Navigate to the Cisco software download page and download the AnyConnect version to install on the Windows machine.

    For this example, download the Windows AnyConnect pre-deployment package that includes the individual MSI files for version 4.9.04053 (anyconnect-win-4.9.04053-predeploy-k9.zip).

    Step 2. Download the AnyConnect installer transforms file for Windows.

    Step 2.1 Navigate to the Cisco software download page and download the AnyConnect Installer Transforms file for Windows that matches the same AnyConnect version to install in the windows machine.

    For this example, download the transforms file for the AnyConnect version 4.9.04053 (tools-anyconnect-win-4.9.04053-transforms.zip).

    Step 3. Unzip the AnyConnect files downloaded into different folders.

    Step 3.1 The anyconnect-win-4.9.04053-predeploy-k9.zip file is unzipped on the next folder path: C:\Users\calo\Downloads\anyconnect-win-4.9.04053-predeploy-k9.

    Step 3.2 The tools-anyconnect-win-4.9.04053-transforms.zipfile is unzipped on the next folder path: C:\Users\calo\Downloads\tools-anyconnect-win-4.9.04053-transforms.

    Step 4. Copy and paste the AnyConnect hide-addremove transforms file into the same folder as the AnyConnect MSI installer files.

    Step 4.1 From the tools-anyconnect-win-4.9.04053-transforms folder, copy the _anyconnect-win-hide-addremove-display.mst transforms file and pastes it into the anyconnect-win-4.9.04053-predeploy-k9 folder as follows.

    Step 5. CD into the folder path that has the MSI AnyConnect installation files.

    Step 5.1 Open a Windows command prompt terminal and cd into the folder path that has the MSI AnyConnect installation files and the _anyconnect-win-hide-addremove-display.mst transforms file copied/pasted in the step above.

    This example cd into the next folder path C:\Users\calo\Downloads\anyconnect-win-4.9.04053-predeploy-k9.

    Step 6. Install the AnyConnect modules with the hide-addremove transforms file.

    Step 6.1 Install each of the AnyConnect modules required with the next MSI installer command that points to the AnyConnect .msi module file and the _anyconnect-win-hide-addremove-display.mst transforms file.

    msiexec -i anyconnect-win-4.9.04053-xxxxxxx-predeploy-k9.msi TRANSFORMS=_anyconnect-win-hide-addremove-display.mst ARPSYSTEMCOMPONENT=1 -lvx* install.log

    NoteThe ARPSYSTEMCOMPONENT value setup as "1", enables the Hide AnyConnect from the Add/Remove Program List feature for the AnyConnect module to install. 

    Note: Cisco recommends that you use the sample transforms file provided to set this property, apply the transform to each MSI installer for each module that you want to hide. You can download the sample transforms from the Cisco AnyConnect Secure Mobility Client software download page.

    Note: If you deploy the core client plus one or more optional modules, you must apply the HIDE-AnyConnect property to each of the installers. This operation is one way only and cannot be removed unless you re-install the product.

    Step 6.2 This example installs the AnyConnect CORE & VPN module and the_anyconnect-win-hide-addremove-display.mst transforms file, both match the files for the AnyConnect version 4.9.04053.

    Step 6.3 This example installs the AnyConnect Umbrella Roaming Security module and the _anyconnect-win-hide-addremove-display.mst transforms file, both match the files for the AnyConnect version 4.9.04053.

    msiexec -i anyconnect-win-4.9.04053-umbrella-predeploy-k9.msi TRANSFORMS=_anyconnect-win-hide-addremove-display.mst ARPSYSTEMCOMPONENT=1 -lvx* install.log

    Configure AnyConnect Lockdown and the Hide AnyConnect from the Add/Remove Program List with ASDM

    This procedure applies just to AnyConnect web deployment updates. This example considers an AnyConnect web deployment update from version 4.9.04053 to 4.9.0.6037. 

    Configuration Steps

    Step 1. Confirm the AnyConnect version that runs on the Windows machine.

    Step 1.1 The Windows machine in this example has the AnyConnect version 4.9.04053 already installed for both the Core & VPN and the Umbrella Roaming Security modules.

    Step 2. Download the AnyConnect headend deployment package file for Windows.

    Step 2.1 Navigate to the Cisco software download page and download the AnyConnect headend deployment package file version to install on the Windows machine for the web deployment update.

    For this example, download the Windows AnyConnect headend deployment package version 4.9.06037 (anyconnect-win-4.9.06037-webdeploy-k9.pkg).

    Step 3. Download the AnyConnect installer transforms file for Windows.

    Step 3.1 Navigate to the Cisco software download page and download the AnyConnect Installer transforms file for Windows that matches the same AnyConnect version to install in the windows machine.

    For this example, download the transforms file for the AnyConnect version 4.9.06037 (tools-anyconnect-win-4.9.06037-transforms.zip).

    Step 4. Unzip the AnyConnect transforms file downloaded.

    Step 4.1 The tools-anyconnect-win-4.9.06037-transforms.zipfile is unzipped on the next folder path: C:\Users\calo\Downloads\tools-anyconnect-win-4.9.06037-transforms.

    Step 5. Open the ASDM and connect to the ASA with your credentials.

    Step 6. Transfer the AnyConnect headend deployment package from your PC to the ASA flash memory.

    Step 6.1 Navigate to Tools > File Management > File Transfer > Between Local PC and Flash and transfer the AnyConnect headend deployment package version 4.9.06037 (anyconnect-win-4.9.06037-webdeploy-k9.pkgto the ASA flash memory.

    Step 7. Configure the transferred AnyConnect headend deployment package version for the web deployment update.

    Step 7.1 Navigate to the ASDM Configuration > Remote Access VPN > Anyconnect Client Software and select the AnyConnect headend deployment package version 4.9.04053 installed.

    Step 7.2 Then, select Replace and Browse Flash to replace the old AnyConnect headend deployment package version 4.9.04053 with the 4.9.06037 previously transferred to the flash memory.

    Step 7.3 Apply the configuration changes and Send them to the ASA.

    Step 8. Import the AnyConnect sample transforms files.

    Step 8.1 Navigate to the ASDM Configuration > Remote Access VPN > Customized Installer Transforms > Import and import the sample transforms files required.

    Step 8.2 Import the AnyConnect version 4.9.06037 _anyconnect-win-lockdown.mst sample transforms file to enable the lockdown for both, the CORE & VPN and the Umbrella Roaming Security modules.

    Enter the values as follows:

    Name: _anyconnect-lockdown
    Platform: win
    Select a file - Local computer: C:\Users\calo\Downloads\tools-anyconnect-win-4.9.06037-transforms\_anyconnect-win-lockdown.mst


    NoteThe AnyConnect _anyconnect-win-lockdown.mst sample transforms file works for whatever AnyConnect module required. 

    Step 8.3 Import the AnyConnect version 4.9.06037 _anyconnect-win-hide-addremove-display.mst sample transforms file to enable the hide from the add/remove program list for both, the CORE & VPN and the Umbrella Roaming Security modules.

    Enter the values as follows:

    Name: _anyconnect-hideaddremove
    Platform: win
    Select a file: C:\Users\calo\Downloads\tools-anyconnect-win-4.9.06037-transforms\_anyconnect-win-hide-addremove-display.mst

    NoteThe _anyconnect-win-hide-addremove-display.mstsample transforms file works for whatever AnyConnect module required. 

    Step 8.4  Save the configuration changes and Send them to the ASA.

    Note: By the time this article was written, the name used to import the sample transforms files must have an underscore "_" at the start of the name, this forces the sample transforms imported to work for whatever AnyConnect module. If you use a different name without an underscore at the start of the name, then, the sample transforms imported works just for the CORE & VPN Anyconnect module (CSCvy38427).

    Step 9. AnyConnect web deployment auto-update.

    Step 9.1 Force the AnyConnect web deployment auto-update to happen for the CORE & VPN and the Umbrella Roaming Security modules.

    Here the ASA AnyConnect configuration in place in order to allow the CORE & VPN and the Umbrella Roaming Security modules to get auto-updated:

    webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.9.06037-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

group-policy ANYCONNECT_GP1 internal
group-policy ANYCONNECT_GP1 attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL1
 webvpn
  anyconnect modules value umbrella

tunnel-group MY_TUNNEL1 type remote-access
tunnel-group MY_TUNNEL1 general-attributes
 address-pool VPN_POOL1
 default-group-policy ANYCONNECT_GP1
tunnel-group MY_TUNNEL1 webvpn-attributes
 group-alias SSL_TUNNEL1 enable

    Step 9.2 Start a connection to the ASA headend from the AnyConnect client that runs version 4.9.04053 on the Windows machine.

    Step 9.3 After this, the AnyConnect Core & VPN and the Umbrella Roaming Security modules are updated to version 4.9.06037 with the lockdown and the hide from the add/remove program list features enabled.

    Verify

    Confirm the Lockdown feature is enabled for the AnyConnect modules installed

    Step 1. Open the Windows services (services.msc) as follows.

    Step 2. Then, right-click over the CORE & VPN and the Umbrella Roaming Security services.

    You can confirm the lockdown feature is enabled as you are not allowed to Start, Stop, Pause, Resume or Restart the services for these AnyConnect modules.

    Confirm the Hide from the Add/Remove Program List feature is enabled for the AnyConnect modules installed

    Step 1. Open the AnyConnect client as follows.

    Step 2. Confirm the AnyConnect version installed.

    For this, select the INFO icon under the AnyConnect client as follows:

    Step 2.1 For the AnyConnect version 4.9.04053:


    Step 2.2 For the AnyConnect version 4.9.06037:

    Step 3. Confirm that both the AnyConnect CORE & VPN and the Umbrella Roaming Security modules are hidden from the Add/Remove Windows Program List.

    For this, navigate to the Windows Control Panel > Uninstall a Program.

    Troubleshoot

    There is not troubleshoot procedure to follow for this document.

    Related Bugs

    CSCvy38427     ASDM: Transforms file name must start with "_" underscore to take effect to multiple AC modules

    Related Information

    Technical Support & Documentation - Cisco Systems

    Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.0

    TAC Authored

    Contributed by Cisco Engineers

    • Christian G Hernandez R

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products