sh Cisco AnyConnect Postinstall


#!/bin/bash

# Install tree. The bin, profile and feedback directories all sit under
# INSTPREFIX, so they are derived from it instead of being spelled out again.
INSTPREFIX="/opt/cisco/anyconnect"
BINDIR="${INSTPREFIX}/bin"
PROFILEDIR="${INSTPREFIX}/profile"
FEEDBACK_DIR="${INSTPREFIX}/CustomerExperienceFeedback"

# launchd job definitions loaded at the end of the script: the VPN agent
# (LaunchDaemons) and the GUI launch agent (LaunchAgents).
LAUNCHD_DIR="/Library/LaunchDaemons"
LAUNCHD_FILE="com.cisco.anyconnect.vpnagentd.plist"
LAUNCHD_AGENT_DIR="/Library/LaunchAgents"
LAUNCHD_AGENT_FILE="com.cisco.anyconnect.gui.plist"

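# Update the VPNManifest.dat file.
# A failure does not stop the install, but it is reported on stderr so that it
# is visible in the install log instead of being dropped silently.
if ! "${BINDIR}/manifesttool" -i "${INSTPREFIX}" "${INSTPREFIX}/ACManifestVPN.xml" ; then
    echo "Warning: manifesttool failed to update the manifest" >&2
fi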

# Import any AnyConnect XML profiles and read the ACTransforms.xml from one of these locations
# (from highest to lowest priority):
#  1) the directory that contains the pkg installer
#  2) if pkg installer is on a mounted dmg volume, the directory that contains the mounted dmg
# Errors that occur during import are intentionally ignored (best effort)

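echo "Determining import locations"
PKG_FILE=$1

# dirname "" prints ".", which would make every later "${PKG_FILE_DIR}/..."
# lookup resolve against the current working directory. Without a package path
# the directory stays empty and the -d checks further down simply skip it.
PKG_FILE_DIR=""
if [ -n "${PKG_FILE}" ] ; then
    PKG_FILE_DIR=$(dirname "${PKG_FILE}")
fi
DMG_FILE_DIR=""

# Use hdiutil to get the information about all mounted disks. A single snapshot
# feeds both lists below, so MOUNTED_VOLS[i] and DMG_PATHS[i] are taken from the
# same state and MOUNTED_VOLS[i] has its DMG located at DMG_PATHS[i].
# Note: If the DMG has been moved after being mounted, image-path will point to the
# original location and image-alias will point to the current location. We may want
# to also check the image-alias folder for things to import.
HDIUTIL_PLIST=$(hdiutil info -plist)

# Print, one per line, the <string> value found on the line after each
# <key>NAME</key> line of the snapshot. The whole key element is matched so that
# a path which merely contains the key name is not mistaken for a key.
# NOTE(review): values are printed exactly as they appear in the XML, so any
# entity-escaped character (&amp; and friends) stays escaped - confirm that
# such paths are meant to be left unmatched.
# Arguments: $1 - plist key name
plistStringsForKey()
{
    printf '%s\n' "${HDIUTIL_PLIST}" \
        | grep -F -A 1 "<key>${1}</key>" \
        | grep "<string>" \
        | sed -e 's:.*<string>::' -e 's:</string>::'
}

# Read line by line rather than word-splitting a command substitution: entries
# keep their position even when empty, and glob characters in a path are never
# expanded against the filesystem.
MOUNTED_VOLS=()
while IFS= read -r PLIST_VALUE ; do
    MOUNTED_VOLS+=("${PLIST_VALUE}")
done < <(plistStringsForKey "mount-point")

DMG_PATHS=()
while IFS= read -r PLIST_VALUE ; do
    DMG_PATHS+=("${PLIST_VALUE}")
done < <(plistStringsForKey "image-path")

# To be safe, we only want to process the hdiutil information if we have an equal number of Volume paths and DMG directories
if [ "${#MOUNTED_VOLS[@]}" -eq "${#DMG_PATHS[@]}" ] ; then
    # If we find a mounted volume that matches our known mounted volume, get the path to the associated DMG
    INDEX=0
    while [ "${INDEX}" -lt "${#MOUNTED_VOLS[@]}" ] ; do
        MOUNTED_VOLS_PATH=${MOUNTED_VOLS[${INDEX}]}
        DMG_PATH=${DMG_PATHS[${INDEX}]}

        # Empty entries are skipped: an empty mount point would turn the pattern
        # below into "/*", and dirname of an empty image path is ".".
        if [ -n "${MOUNTED_VOLS_PATH}" ] && [ -n "${DMG_PATH}" ] ; then
            # The pattern is quoted (no glob interpretation of the mount path)
            # and anchored on a path separator, so "/Volumes/A" does not also
            # match a package that lives under "/Volumes/A 2".
            case "${PKG_FILE_DIR}" in
                "${MOUNTED_VOLS_PATH}"|"${MOUNTED_VOLS_PATH}"/*)
                    # pkg is located on the mounted volume
                    DMG_FILE_DIR=$(dirname "${DMG_PATH}")
                ;;
            esac
        fi

        INDEX=$((INDEX + 1))
    done
fi

echo "Installer package path: ${PKG_FILE_DIR}"
echo "Installer DMG path: ${DMG_FILE_DIR}"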

# IS_PRE_DEPLOY is true unless a ".webdeploy" entry exists next to the package.
# It must only ever hold the literal words true or false, because later code
# runs its value as a command ("if $IS_PRE_DEPLOY").
if [ -d "${PKG_FILE_DIR}" ] && [ -e "${PKG_FILE_DIR}/.webdeploy" ]; then
    IS_PRE_DEPLOY=false
else
    IS_PRE_DEPLOY=true
fi

# Copy the files matching a name pattern from the first usable import directory
# into the install tree. The directory beside the package wins over the one
# beside the DMG; if neither exists nothing is copied.
# find runs without following symlinks and with -type f, so only regular files
# directly inside the import directory are copied.
# NOTE(review): the import directories sit next to the installer package, and
# this script sets root:wheel ownership later on, so it presumably runs as root.
# Whoever can write next to the package therefore chooses the policy and
# profile files that get installed - deploy from an admin-only location.
# Arguments: $1 - label used in the log line
#            $2 - file name pattern passed to find -name
#            $3 - destination directory
#            $4 - import directory beside the package
#            $5 - import directory beside the DMG
importFirstAvailable()
{
    local IMPORT_SRC
    if [ -d "${PKG_FILE_DIR}" ] && [ -d "${4}" ] ; then
        IMPORT_SRC=${4}
    elif [ -d "${DMG_FILE_DIR}" ] && [ -d "${5}" ] ; then
        IMPORT_SRC=${5}
    else
        return
    fi

    echo "Importing AnyConnect ${1} from ${IMPORT_SRC}"
    find "${IMPORT_SRC}" -maxdepth 1 -name "${2}" -type f -exec cp -f {} "${3}" \;
}

if $IS_PRE_DEPLOY; then
    PKG_PROFILE_IMPORT_DIR="${PKG_FILE_DIR}/Profiles"
    DMG_PROFILE_IMPORT_DIR="${DMG_FILE_DIR}/Profiles"
    PKG_VPN_PROFILE_IMPORT_DIR="${PKG_PROFILE_IMPORT_DIR}/vpn"
    DMG_VPN_PROFILE_IMPORT_DIR="${DMG_PROFILE_IMPORT_DIR}/vpn"
    PKG_FEEDBACK_PROFILE_IMPORT_DIR="${PKG_PROFILE_IMPORT_DIR}/feedback"
    DMG_FEEDBACK_PROFILE_IMPORT_DIR="${DMG_PROFILE_IMPORT_DIR}/feedback"

    # Import local policy file (pre-deploy only)
    importFirstAvailable "Local Policy file" "AnyConnectLocalPolicy.xml" "${INSTPREFIX}" \
        "${PKG_PROFILE_IMPORT_DIR}" "${DMG_PROFILE_IMPORT_DIR}"

    # Import VPN profiles (pre-deploy only)
    importFirstAvailable "VPN profiles" "*.xml" "${PROFILEDIR}" \
        "${PKG_VPN_PROFILE_IMPORT_DIR}" "${DMG_VPN_PROFILE_IMPORT_DIR}"

    # Import Customer Feedback profile (pre-deploy only)
    importFirstAvailable "Customer Feedback profile" "CustomerExperience_Feedback.xml" "${FEEDBACK_DIR}" \
        "${PKG_FEEDBACK_PROFILE_IMPORT_DIR}" "${DMG_FEEDBACK_PROFILE_IMPORT_DIR}"
fi

# Process transforms
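# Print the text between <TAG> and </TAG> for every line of FILE that holds a
# complete element. Lines that only mention the tag name (a comment, an opening
# tag without its closing tag) print nothing, so stray text from the file is
# never handed back as the value.
# TAG is placed inside the sed expression and must therefore be a plain
# element name without regular-expression or "/" characters.
# Arguments: $1 - path of the XML file to read
#            $2 - element name to look up
# Outputs:   the element text on stdout, one line per matching input line
getProperty()
{
    local FILE=${1}
    local TAG=${2}
    sed -n "s/.*<${TAG}>\(.*\)<\/${TAG}>.*/\1/p" "${FILE}"
}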

# Element names looked up in ACTransforms.xml.

# Handled by this script itself.
DISABLE_VPN_TAG=DisableVPN
DISABLE_FEEDBACK_TAG=DisableCustomerExperienceFeedback

# Passed to "acinstallhelper -acpolgen"; the key each value is sent under is
# given at the end of the line.
BYPASS_DOWNLOADER_TAG=BypassDownloader                                               # bd
FIPS_MODE_TAG=FipsMode                                                               # fm
RESTRICT_PREFERENCE_CACHING_TAG=RestrictPreferenceCaching                            # rpc
RESTRICT_TUNNEL_PROTOCOLS_TAG=RestrictTunnelProtocols                                # rtp
RESTRICT_WEB_LAUNCH_TAG=RestrictWebLaunch                                            # rwl
STRICT_CERTIFICATE_TRUST_TAG=StrictCertificateTrust                                  # sct
EXCLUDE_PEM_FILE_CERT_STORE_TAG=ExcludePemFileCertStore                              # epf
EXCLUDE_WIN_NATIVE_CERT_STORE_TAG=ExcludeWinNativeCertStore                          # ewn
EXCLUDE_MAC_NATIVE_CERT_STORE_TAG=ExcludeMacNativeCertStore                          # emn
EXCLUDE_FIREFOX_NSS_CERT_STORE_TAG=ExcludeFirefoxNSSCertStore                        # efn
ALLOW_SOFTWARE_UPDATES_FROM_ANY_SERVER_TAG=AllowSoftwareUpdatesFromAnyServer         # upsu
ALLOW_COMPLIANCE_MODULE_UPDATES_FROM_ANY_SERVER_TAG=AllowComplianceModuleUpdatesFromAnyServer  # upcu
ALLOW_VPN_PROFILE_UPDATES_FROM_ANY_SERVER_TAG=AllowVPNProfileUpdatesFromAnyServer    # upvp
ALLOW_ISE_PROFILE_UPDATES_FROM_ANY_SERVER_TAG=AllowISEProfileUpdatesFromAnyServer    # upip
ALLOW_SERVICE_PROFILE_UPDATES_FROM_ANY_SERVER_TAG=AllowServiceProfileUpdatesFromAnyServer  # upsp
AUTHORIZED_SERVER_LIST_TAG=AuthorizedServerList                                      # upal

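# Locate ACTransforms.xml. TRANSFORM_FILE starts out empty so that the choice
# depends only on the checks below and never on a value inherited from the
# environment the installer was started in.
# Pre-deploy: look in the Profiles directory beside the package, then in the
# one beside the DMG. Otherwise: only the directory that holds the DMG.
TRANSFORM_FILE=""

if $IS_PRE_DEPLOY; then
    PKG_TRANSFORM_FILE="${PKG_PROFILE_IMPORT_DIR}/ACTransforms.xml"
    DMG_TRANSFORM_FILE="${DMG_PROFILE_IMPORT_DIR}/ACTransforms.xml"

    if [ -d "${PKG_FILE_DIR}" ] && [ -f "${PKG_TRANSFORM_FILE}" ] ; then
        TRANSFORM_FILE=${PKG_TRANSFORM_FILE}
    elif [ -d "${DMG_FILE_DIR}" ] && [ -f "${DMG_TRANSFORM_FILE}" ] ; then
        TRANSFORM_FILE=${DMG_TRANSFORM_FILE}
    fi
else
    DMG_TRANSFORM_FILE="${DMG_FILE_DIR}/ACTransforms.xml"

    if [ -d "${DMG_FILE_DIR}" ] && [ -f "${DMG_TRANSFORM_FILE}" ] ; then
        TRANSFORM_FILE=${DMG_TRANSFORM_FILE}
    fi
fi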

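# Every transform value starts out empty. Without a transform file the settings
# below then fall back to the script's own defaults instead of picking up
# same-named variables from the environment the installer was started in.
DISABLE_VPN=""
DISABLE_FEEDBACK=""
BYPASS_DOWNLOADER=""
FIPS_MODE=""
RESTRICT_PREFERENCE_CACHING=""
RESTRICT_TUNNEL_PROTOCOLS=""
RESTRICT_WEB_LAUNCH=""
STRICT_CERTIFICATE_TRUST=""
EXCLUDE_PEM_FILE_CERT_STORE=""
EXCLUDE_WIN_NATIVE_CERT_STORE=""
EXCLUDE_MAC_NATIVE_CERT_STORE=""
EXCLUDE_FIREFOX_NSS_CERT_STORE=""
ALLOW_SOFTWARE_UPDATES_FROM_ANY_SERVER=""
ALLOW_COMPLIANCE_MODULE_UPDATES_FROM_ANY_SERVER=""
ALLOW_VPN_PROFILE_UPDATES_FROM_ANY_SERVER=""
ALLOW_ISE_PROFILE_UPDATES_FROM_ANY_SERVER=""
ALLOW_SERVICE_PROFILE_UPDATES_FROM_ANY_SERVER=""
AUTHORIZED_SERVER_LIST=""

# Read each setting from the transform file. The values come from a file that
# sits next to the installer package, so treat them as untrusted text: keep
# them quoted wherever they are used.
if [ -f "${TRANSFORM_FILE}" ] ; then
    echo "Processing transform file in ${TRANSFORM_FILE}"
    DISABLE_VPN=$(getProperty "${TRANSFORM_FILE}" "${DISABLE_VPN_TAG}")
    DISABLE_FEEDBACK=$(getProperty "${TRANSFORM_FILE}" "${DISABLE_FEEDBACK_TAG}")

    BYPASS_DOWNLOADER=$(getProperty "${TRANSFORM_FILE}" "${BYPASS_DOWNLOADER_TAG}")
    FIPS_MODE=$(getProperty "${TRANSFORM_FILE}" "${FIPS_MODE_TAG}")
    RESTRICT_PREFERENCE_CACHING=$(getProperty "${TRANSFORM_FILE}" "${RESTRICT_PREFERENCE_CACHING_TAG}")
    RESTRICT_TUNNEL_PROTOCOLS=$(getProperty "${TRANSFORM_FILE}" "${RESTRICT_TUNNEL_PROTOCOLS_TAG}")
    RESTRICT_WEB_LAUNCH=$(getProperty "${TRANSFORM_FILE}" "${RESTRICT_WEB_LAUNCH_TAG}")
    STRICT_CERTIFICATE_TRUST=$(getProperty "${TRANSFORM_FILE}" "${STRICT_CERTIFICATE_TRUST_TAG}")
    EXCLUDE_PEM_FILE_CERT_STORE=$(getProperty "${TRANSFORM_FILE}" "${EXCLUDE_PEM_FILE_CERT_STORE_TAG}")
    EXCLUDE_WIN_NATIVE_CERT_STORE=$(getProperty "${TRANSFORM_FILE}" "${EXCLUDE_WIN_NATIVE_CERT_STORE_TAG}")
    EXCLUDE_MAC_NATIVE_CERT_STORE=$(getProperty "${TRANSFORM_FILE}" "${EXCLUDE_MAC_NATIVE_CERT_STORE_TAG}")
    EXCLUDE_FIREFOX_NSS_CERT_STORE=$(getProperty "${TRANSFORM_FILE}" "${EXCLUDE_FIREFOX_NSS_CERT_STORE_TAG}")
    ALLOW_SOFTWARE_UPDATES_FROM_ANY_SERVER=$(getProperty "${TRANSFORM_FILE}" "${ALLOW_SOFTWARE_UPDATES_FROM_ANY_SERVER_TAG}")
    ALLOW_COMPLIANCE_MODULE_UPDATES_FROM_ANY_SERVER=$(getProperty "${TRANSFORM_FILE}" "${ALLOW_COMPLIANCE_MODULE_UPDATES_FROM_ANY_SERVER_TAG}")
    ALLOW_VPN_PROFILE_UPDATES_FROM_ANY_SERVER=$(getProperty "${TRANSFORM_FILE}" "${ALLOW_VPN_PROFILE_UPDATES_FROM_ANY_SERVER_TAG}")
    ALLOW_ISE_PROFILE_UPDATES_FROM_ANY_SERVER=$(getProperty "${TRANSFORM_FILE}" "${ALLOW_ISE_PROFILE_UPDATES_FROM_ANY_SERVER_TAG}")
    ALLOW_SERVICE_PROFILE_UPDATES_FROM_ANY_SERVER=$(getProperty "${TRANSFORM_FILE}" "${ALLOW_SERVICE_PROFILE_UPDATES_FROM_ANY_SERVER_TAG}")
    AUTHORIZED_SERVER_LIST=$(getProperty "${TRANSFORM_FILE}" "${AUTHORIZED_SERVER_LIST_TAG}")
fi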

# The disable-VPN service profile is moved into the profile directory only when
# the transform value is exactly "true"; for any other value it is deleted.
# NOTE(review): this comparison is case-sensitive, whereas DISABLE_FEEDBACK is
# lower-cased before its comparison - "True" here leaves the VPN enabled.
# Confirm which behaviour is intended.
DISABLE_VPN_PROFILE="${INSTPREFIX}/VPNDisable_ServiceProfile.xml"

case "x${DISABLE_VPN}" in
    xtrue)
        echo "Installing disable VPN profile"
        if [ -f "${DISABLE_VPN_PROFILE}" ] ; then
            mv "${DISABLE_VPN_PROFILE}" "${PROFILEDIR}/"
        fi
        ;;
    *)
        rm -f "${DISABLE_VPN_PROFILE}"
        ;;
esac

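# if disable phone home is specified, remove the phone home plugin and any data folder
# note: this will remove the customer feedback profile if it was imported above
FEEDBACK_PLUGIN="${BINDIR}/plugins/libacfeedback.dylib"

# Convert the tag value to lower case and trim surrounding whitespace. The
# value is passed quoted, so glob characters read from the transform file are
# never expanded against the filesystem.
DISABLE_FEEDBACK=$(printf '%s\n' "${DISABLE_FEEDBACK}" \
    | tr '[:upper:]' '[:lower:]' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')

if [ "x${DISABLE_FEEDBACK}" = "xtrue" ] ; then
    echo "Disabling Customer Experience Feedback plugin"
    rm -f "${FEEDBACK_PLUGIN}"
    # ${VAR:?} stops the script rather than running a recursive delete with an
    # empty path should FEEDBACK_DIR ever be unset.
    rm -rf "${FEEDBACK_DIR:?}"
fi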

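# generate default AnyConnect Local Policy file if it doesn't already exist
# Each key=value pair is passed as one quoted argument. The values may come
# from ACTransforms.xml, and an unquoted value containing whitespace or glob
# characters would otherwise be split or expanded into extra arguments for a
# helper that this installer runs.
# Settings missing from the transform file fall back to the defaults written
# here: "false" for the restrictions, "true" for the "updates from any server"
# settings, and an empty authorized server list.
"${BINDIR}/acinstallhelper" -acpolgen \
    "bd=${BYPASS_DOWNLOADER:-false}" \
    "fm=${FIPS_MODE:-false}" \
    "rpc=${RESTRICT_PREFERENCE_CACHING:-false}" \
    "rtp=${RESTRICT_TUNNEL_PROTOCOLS:-false}" \
    "rwl=${RESTRICT_WEB_LAUNCH:-false}" \
    "sct=${STRICT_CERTIFICATE_TRUST:-false}" \
    "epf=${EXCLUDE_PEM_FILE_CERT_STORE:-false}" \
    "ewn=${EXCLUDE_WIN_NATIVE_CERT_STORE:-false}" \
    "emn=${EXCLUDE_MAC_NATIVE_CERT_STORE:-false}" \
    "efn=${EXCLUDE_FIREFOX_NSS_CERT_STORE:-false}" \
    "upsu=${ALLOW_SOFTWARE_UPDATES_FROM_ANY_SERVER:-true}" \
    "upcu=${ALLOW_COMPLIANCE_MODULE_UPDATES_FROM_ANY_SERVER:-true}" \
    "upvp=${ALLOW_VPN_PROFILE_UPDATES_FROM_ANY_SERVER:-true}" \
    "upip=${ALLOW_ISE_PROFILE_UPDATES_FROM_ANY_SERVER:-true}" \
    "upsp=${ALLOW_SERVICE_PROFILE_UPDATES_FROM_ANY_SERVER:-true}" \
    "upal=${AUTHORIZED_SERVER_LIST}"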

echo "Setting ownership permissions for VPN Profiles and AnyConnect Local Policy file ..."

# Every VPN profile and the local policy file end up owned by root:wheel with
# mode 0644. Errors are discarded on purpose: the glob may match nothing and
# the policy file may be absent.
# NOTE(review): files copied into FEEDBACK_DIR are not covered here - confirm
# that their ownership and mode are set elsewhere.
for POLICY_FILE in "${PROFILEDIR}"/*.xml "${INSTPREFIX}/AnyConnectLocalPolicy.xml" ; do
    chown root:wheel "${POLICY_FILE}" >/dev/null 2>&1
    chmod 0644 "${POLICY_FILE}" >/dev/null 2>&1
done

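# Attempt to start the VPN agent. This is the one step whose failure fails the
# whole postinstall.
echo "Attempting to start the VPN agent ..."
launchctl load -wF "${LAUNCHD_DIR}/${LAUNCHD_FILE}" || exit 1

# Load the GUI launch agent in the session of the user at the console.
echo "Attempting to load the GUI launch agent ..."
MYUID=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/UID/ { print $3 }')

# Only call sudo with a value that is purely numeric. An empty or multi-line
# result (nobody at the console, unexpected scutil output) skips the load
# instead of handing sudo a malformed "#" user argument.
# NOTE(review): a UID of 0 is still accepted; confirm whether loading the GUI
# agent for root is ever wanted.
case "${MYUID}" in
    ''|*[!0-9]*)
        echo "Could not determine the console user UID; GUI launch agent not loaded" >&2
        ;;
    *)
        sudo -u "#${MYUID}" launchctl load -wF -S Aqua "${LAUNCHD_AGENT_DIR}/${LAUNCHD_AGENT_FILE}"
        ;;
esac

exit 0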
