In my last post I considered the changes in Cisco Secure Client 5. In its default configuration, AnyConnect/Secure Client is a user-facing application. As a VPN client, it’s an important part of our remote and hybrid work environments. While the process of logging onto VPN with Secure Client is unchanged from AnyConnect, the name and iconography changes mean that users will need to be informed.
Scenarios
I wrote a Secure Client installation script that covers five situations. It is not prescriptive for all organizations and will not cover all communications to end users.
1) Installing Secure Client when neither AnyConnect nor Secure Client is installed
This is the provisioning scenario. Installation should occur without prompts, notifications, or user interaction of any kind.
2 and 3) Installing Secure Client when AnyConnect is installed (connected or disconnected from VPN)
Users on computers with AnyConnect 4 or earlier installed should be notified that AnyConnect has been replaced with Secure Client. Users connected to VPN should also be notified before the migration begins and the VPN is disconnected.
4 and 5) Installing Secure Client when an older Secure Client version is installed (connected or disconnected from VPN)
After migrating to Cisco Secure Client 5, future installations of Secure Client are in-place upgrades. Users connected to VPN should be notified a) before the upgrade begins and the VPN is disconnected and b) after the upgrade completes and VPN connections can resume. Otherwise, the upgrade can be silent.
Script
The script (from which I post snippets below) uses the presence of the vpn command to detect if AnyConnect or Secure Client is installed and then executes that command to discover if there’s an active VPN connection. The migrate and connected variables track the nature of the installation. In the snippet below, I’ve commented out the notification code. (It’s long and may not fit every organization.) Use swiftDialog, IBM Notifier, Jamf Helper, or another tool to notify end users.
    if [[ -f /opt/cisco/anyconnect/bin/vpn ]]; then
        # Migrate from AnyConnect
        migrate=1
        connected=$(/opt/cisco/anyconnect/bin/vpn state | grep Connected)
        if [[ -n "${connected}" ]]; then
            ### Notify user before migration here ###
            /opt/cisco/anyconnect/bin/vpn disconnect
        fi
    fi

    if [[ -f /opt/cisco/secureclient/bin/vpn ]]; then
        connected=$(/opt/cisco/secureclient/bin/vpn state | grep Connected)
        if [[ -n "${connected}" ]]; then
            ### Notify user before upgrade here ###
            /opt/cisco/secureclient/bin/vpn disconnect
        fi
    fi
After the package is installed, this logic runs to determine what notice the user should receive, if any.
    # ":" is a no-op that keeps each branch valid while the notification code is commented out
    if [[ "${migrate}" -eq 1 ]]; then
        ### Notify user of name and icon change here ###
        :
    elif [[ -n "${connected}" ]]; then
        ### Notify user that upgrade is complete here ###
        :
    fi
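The detection and notice logic above can be exercised without touching a real install. The following is an added example, not part of the original script: the function names, the root prefix argument, and the stub vpn binaries with their state line are assumptions made for testing.

```shell
#!/bin/sh
# Added example, not the post's script. Paths are the ones used in the post;
# the optional root prefix is a hypothetical hook so the logic can be run
# against stub binaries. Leave it empty on a real Mac.
ANYCONNECT_VPN="/opt/cisco/anyconnect/bin/vpn"
SECURECLIENT_VPN="/opt/cisco/secureclient/bin/vpn"

# Succeeds when the given vpn binary reports an active connection.
vpn_connected() {
    "$1" state 2>/dev/null | grep -q "Connected"
}

# Prints "<provision|migrate|upgrade> <connected|disconnected>".
# The body is a subshell, so its variables stay out of the caller's scope.
classify_install() (
    root="${1:-}"; scenario="provision"; link="disconnected"
    if [ -x "${root}${SECURECLIENT_VPN}" ]; then
        scenario="upgrade"
        if vpn_connected "${root}${SECURECLIENT_VPN}"; then link="connected"; fi
    fi
    # AnyConnect on disk always means a migration, as in the post.
    if [ -x "${root}${ANYCONNECT_VPN}" ]; then
        scenario="migrate"
        if vpn_connected "${root}${ANYCONNECT_VPN}"; then link="connected"; fi
    fi
    echo "${scenario} ${link}"
)

# Maps a classification to the notice shown after the package installs.
post_install_notice() {
    case "$1" in
        "migrate "*)         echo "rename-and-icon-change" ;;
        "upgrade connected") echo "upgrade-complete" ;;
        *)                   echo "silent" ;;
    esac
}

# Builds a constructed stub: make_stub <root> <anyconnect|secureclient> <state>
make_stub() {
    mkdir -p "$1/opt/cisco/$2/bin"
    printf '#!/bin/sh\necho "  >> state: %s"\n' "$3" > "$1/opt/cisco/$2/bin/vpn"
    chmod +x "$1/opt/cisco/$2/bin/vpn"
}

# Demo against a constructed tree: AnyConnect installed and connected.
demo_root=$(mktemp -d)
make_stub "${demo_root}" anyconnect Connected
state=$(classify_install "${demo_root}")
echo "${state} -> $(post_install_notice "${state}")"
rm -rf "${demo_root}"
```

Capture the classification before the package is installed, since the connection state is gone once the VPN has been disconnected for the install.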
For migrations, I suggest a notification that displays Cisco Secure Client’s icon and text to inform the user of the change:
Cisco AnyConnect VPN has been upgraded and is now called Cisco Secure Client VPN. It has a different icon, as seen on the left.