Script to set up Cisco Umbrella Roaming Client on Mac
The command-line installation of the Cisco Roaming client enables you to customize its behavior/appearance during the installation process. For example, you can use various custom parameters to redesign the single/standalone deployment of the Umbrella roaming client on Mac. However, when you want to deploy the Umbrella roaming client or modify its installation on numerous Mac endpoints, performing a command-line installation on each of them can be a gruesome task. Instead, by
executing custom scripts from Hexnode, you can push the configurations for the roaming client remotely. Further, distributing the roaming client to the device from the portal enables seamless mass deployments.
Deploying Cisco Roaming Client through Hexnode
You can remotely install the Cisco Umbrella Roaming client on macOS devices. The automatic installation of the roaming client from Hexnode involves a series of steps:
- Push the configurations for the roaming client using scripts.
- Upload the PKG file for the roaming client to the Hexnode app inventory.
- Install the application on the target macOS devices.
- Distribute root certificate to the devices.
1. Push the configurations for the roaming client using scripts.
Before configuring the attributes for the roaming client, it is necessary that you download the roaming client on an administrator’s Mac.
- Log in to Cisco Umbrella.
- Go to Deployments > Core Identities > Roaming Computers.
- Select Roaming Client.
- Click on Download.
- Choose Download macOS Client.
- Next, extract the .zip file.
Further, the configurations for the roaming client can be pushed to the devices using scripts. You can deploy all the customizations specific to your organization by modifying the OrgInfo.plist downloaded along with the roaming client ZIP file.
The ZIP file downloaded from the Cisco Umbrella portal consists of:
- OrgInfo.plist file
- PKG file for the roaming client.
The OrgInfo.plist contains the parameter values that can be used for pushing the configurations. For instance, the attribute values specified in this script, such as APIFingerprint, APIOrganizationID, and APIUserID, can be obtained from the .plist file. These values are unique to your organization, and only the privileged users can download the ZIP file for the roaming client.
mkdir "/Library/Application Support/OpenDNS Roaming Client/"
cat <<EOF > "/Library/Application Support/OpenDNS Roaming Client/OrgInfo.plist"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
After customizing the shell script, you can push the configurations to the macOS device directly from the Hexnode console using the Execute Custom Script action.
2. Upload the PKG file for the roaming client to the Hexnode app inventory.
Secondly, add the PKG file for the roaming client to the Hexnode app inventory.
- Log in to the Hexnode console.
- Navigate to the Apps tab.
- Go to +Add Apps > Enterprise App.
- Choose the app platform as macOS.
- Provide a suitable App Name.
- Specify a Category and Description for the app.
- Choose the PKG file.
- Click on Add.
3. Install the application on the target macOS devices.
After uploading the PKG file for the roaming client to the Hexnode app inventory, you can install the app on the devices either using the Mandatory Apps policy or Install Application action.
4. Distribute root certificate to the devices.
The advanced Cisco Umbrella features such as Block Page, Block Page Bypass, etc., require the installation of Cisco Umbrella root certificates on the devices. To distribute the root certificate:
- Log in to Cisco Umbrella.
- Navigate to Deployments > Configuration > Root Certificate and click Download Certificate.
- Next, log in to the Hexnode portal.
- Move to Policies > New Policy. Specify a policy name and description. You may also use the same Mandatory Apps policy configured for the app installation.
- Go to macOS > Security > Certificates.
- Click on Add Certificate.
- Upload the certificate obtained in step 2.
- Add Policy Targets.
- Save the policy.
The root certificates installed on the devices avoid specific certificate warnings or related error pages. Though the error pages are expected during browsing, the messages might be ambiguous if the certificate is not installed.