Back to Basics – Using a ConfigMgr Baseline to Update an XML Configuration File

Configuration Baselines in ConfigMgr are an excellent way to enforce application configurations the way you want them to be. In this example, I was asked by one of our online academy students to update a Cisco AnyConnect local policy with a new value for its <FipsMode> setting. Sounded like a great blog topic to me 🙂

The Cisco AnyConnect Local Policy

The AnyConnectLocalPolicy.xml is an XML file containing security settings for the client, and is typically added during the installation of the Cisco AnyConnect client. Here is an example of an AnyConnectLocalPolicy.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectLocalPolicy.xsd" acversion="3.0.0592">
	<FipsMode>false</FipsMode>
	<BypassDownloader>false</BypassDownloader>
	<RestrictScriptWebDeploy>true</RestrictScriptWebDeploy>
	<RestrictHelpWebDeploy>true</RestrictHelpWebDeploy>
	<RestrictResourceWebDeploy>true</RestrictResourceWebDeploy>
	<RestrictLocalizationWebDeploy>true</RestrictLocalizationWebDeploy>
	<RestrictWebLaunch>true</RestrictWebLaunch>
	<StrictCertificateTrust>true</StrictCertificateTrust>
	<EnableCRLCheck>false</EnableCRLCheck>
	<RestrictPreferenceCaching>false</RestrictPreferenceCaching>
	<ExcludePemFileCertStore>false</ExcludePemFileCertStore>
	<ExcludeMacNativeCertStore>false</ExcludeMacNativeCertStore>
	<ExcludeFirefoxNSSCertStore>false</ExcludeFirefoxNSSCertStore>
	<UpdatePolicy>
		<AllowSoftwareUpdatesFromAnyServer>false</AllowSoftwareUpdatesFromAnyServer>
		<AllowVPNProfileUpdatesFromAnyServer>false</AllowVPNProfileUpdatesFromAnyServer>
		<AllowManagementVPNProfileUpdatesFromAnyServer>false</AllowManagementVPNProfileUpdatesFromAnyServer>
		<AllowServiceProfileUpdatesFromAnyServer>false</AllowServiceProfileUpdatesFromAnyServer>
		<AllowISEProfileUpdatesFromAnyServer>false</AllowISEProfileUpdatesFromAnyServer>
		<AllowComplianceModuleUpdatesFromAnyServer>false</AllowComplianceModuleUpdatesFromAnyServer>
		<AuthorizedServerList>
			<ServerName>vpn.corp.viamonstra.com</ServerName>
			<ServerName>192.168.1.100</ServerName>
		</AuthorizedServerList>
	</UpdatePolicy>
</AnyConnectLocalPolicy>

Configuration Baselines in ConfigMgr

In ConfigMgr you can use Configuration Baselines to discover and remediate settings. A Configuration Baseline is made up of one or more Configuration Items, each of which has one or more settings you want to verify. You can use different types of settings, like registry value, file system, WQL query, etc., but in this example I will use a PowerShell script, which gives me more flexibility.

I will have one PowerShell script, the discovery script, that checks the FIPS mode setting in the AnyConnectLocalPolicy.xml file, and another PowerShell script, the remediation script, that updates the AnyConnectLocalPolicy.xml file with the correct value if needed. To simplify troubleshooting, I'll also add some basic logging to the scripts. You'll find the sample scripts at the end of this post.

Create the Configuration Item

Using the Configuration Manager console, navigate to Assets and Compliance / Compliance Settings / Configuration Items and then click Create Configuration Item.

On the General page, assign the name: CI – Update Cisco AnyConnect FIPS Mode, and then click Next.

Creating the configuration item

On the Supported Platforms page, accept the default settings, and click Next.

On the Settings page, click New, configure the following settings, click OK, and then click Next:

  • Name: Update Cisco AnyConnect FIPS Mode
  • Setting type: Script
  • Data type: Boolean
  • Discovery Script: Add the sample discovery script (see further down this post)
  • Remediation Script: Add the sample remediation script (see further down this post)

Creating the setting

In the Compliance Rules tab, click New, configure the following settings, click OK, and then click Next twice followed by Close to finish the wizard.

  • Name: Check FIPS Mode
  • Selected setting: CI – Update Cisco AnyConnect FIPS Mode
  • Rule Type: Value
  • The value returned by the specified script: Equals / True
  • Run the specified remediation script when this setting is noncompliant

Creating the Rule

Create the Configuration Baseline

Once the Configuration Item has been created, creating the Configuration Baseline is the next step.

Using the Configuration Manager console, navigate to Assets and Compliance / Compliance Settings / Configuration Baselines and then click Create Configuration Baseline.

On the General information page, configure the following settings, and click OK:

  • Name: CB – Update Cisco AnyConnect FIPS Mode
  • Configuration Data: CI – Update Cisco AnyConnect FIPS Mode

Creating the Configuration Baseline

Deploy the Configuration Baseline

The final step is to deploy the baseline to a collection.

Using the Configuration Manager console, right-click the CB – Update Cisco AnyConnect FIPS Mode baseline, and click Deploy. Configure the following settings, and then click OK:

  • Remediate noncompliant rules when supported: selected
  • Collection: Collection of your choosing, mine was named Update Cisco AnyConnect FIPS Mode

Deploying the baseline

Verifying on the client

On the client you can easily verify that the baseline has been evaluated by navigating to the Configurations tab in the Configuration Manager control panel applet.

Verifying the Baseline

The Discovery Script

In this example, the discovery script looks for the <FipsMode> value and returns True if it is set correctly (meaning FIPS mode is enabled), or False if it's set to anything else.

# Configuration Item discovery script that checks the FipsMode setting

$FipsModeCompliantValue = "true"

$Logfile = "C:\Windows\Temp\CiscoAnyConnectProfile_Discovery.log"

# Delete any existing logfile
If (Test-Path $Logfile){Remove-Item $Logfile -Force -ErrorAction SilentlyContinue -Confirm:$false}

Function Write-Log{
    param (
        [Parameter(Mandatory = $true)]
        [string]$Message
    )

    $TimeGenerated = $(Get-Date -UFormat "%D %T")
    $Line = "$TimeGenerated : $Message"
    Add-Content -Value $Line -Path $LogFile -Encoding Ascii
}

# Check if the Cisco AnyConnect local policy file is available
$AnyConnectLocalPolicyFile = "$Env:AllUsersProfile\Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml"

If (Test-Path $AnyConnectLocalPolicyFile){
    Write-Log "Cisco AnyConnect Policy found, continuing"

    # Read the current value from the policy file
    $xml = [Xml](Get-Content -Path $AnyConnectLocalPolicyFile)
    $FipsModeCurrentValue = $xml.AnyConnectLocalPolicy.FipsMode

    # -eq on strings is case-insensitive, so "true" and "True" both count as compliant
    If ($FipsModeCurrentValue -eq $FipsModeCompliantValue){
        Write-Log "FipsMode value is compliant, currently set to: $FipsModeCurrentValue"
        Return $True
    }
    Else{
        Write-Log "FipsMode value is Not compliant, currently set to: $FipsModeCurrentValue"
        Return $False
    }
}
Else{
    Write-Log "Cisco AnyConnect Policy Not found, do Nothing"
    Return $True # Returning compliant anyway, no point in triggering a remediation for something that does not exist
}

The Remediation Script

In this example, the remediation script looks for the <FipsMode> value and sets it to true (the compliant value).

# Configuration Item remediation script that sets the FipsMode setting

$FipsModeCompliantValue = "true"

$Logfile = "C:\Windows\Temp\CiscoAnyConnectProfile_Remediation.log"

# Delete any existing logfile
If (Test-Path $Logfile){Remove-Item $Logfile -Force -ErrorAction SilentlyContinue -Confirm:$false}

Function Write-Log{
    param (
        [Parameter(Mandatory = $true)]
        [string]$Message
    )

    $TimeGenerated = $(Get-Date -UFormat "%D %T")
    $Line = "$TimeGenerated : $Message"
    Add-Content -Value $Line -Path $LogFile -Encoding Ascii
}

# Check if the Cisco AnyConnect local policy file is available
$AnyConnectLocalPolicyFile = "$Env:AllUsersProfile\Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml"

If (Test-Path $AnyConnectLocalPolicyFile){
    Write-Log "Cisco AnyConnect Policy found, continuing"

    # Set the correct value
    Write-Log "Setting FipsMode value to: $FipsModeCompliantValue"

    # Create XML object and load the file (PreserveWhitespace keeps the tabs intact)
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($AnyConnectLocalPolicyFile)

    # Change the value
    $node = $xml.AnyConnectLocalPolicy
    $node.FipsMode = $FipsModeCompliantValue

    # Set encoding to UTF-8 without BOM, matching the original file
    $Encoding = New-Object System.Text.UTF8Encoding($false)
    $StreamWriter = New-Object System.IO.StreamWriter($AnyConnectLocalPolicyFile, $false, $Encoding)

    # Save the file, making sure the file handle is released even if Save fails
    Try {
        $xml.Save( $StreamWriter )
    }
    Finally {
        $StreamWriter.Close()
    }
}
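Before putting the two scripts into a Configuration Item, it pays to run the same logic locally and confirm that remediation really flips the value, keeps the tabs and the UTF-8-without-BOM encoding, and that a second run is a no-op. The harness below is an added example written for this post, not part of the original scripts: it writes a constructed, trimmed copy of the sample AnyConnectLocalPolicy.xml to a temp file, runs discovery, remediation and discovery again, and checks the written bytes. The function names, the temp path and the sample policy are assumptions for this example. It also goes one step beyond the remediation script above by creating the <FipsMode> element if a policy file lacks it, so the fix is safe on a minimal policy.

```powershell
# Added example (not from the original post): local harness for the discovery
# and remediation logic. Function names, temp path and sample XML are assumptions.

$FipsModeCompliantValue = "true"

# Constructed sample policy, a trimmed copy of the file shown earlier in the post.
# Double-quoted here-string so `t expands to real tab characters like the installed file.
$SamplePolicy = @"
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" acversion="3.0.0592">
`t<FipsMode>false</FipsMode>
`t<BypassDownloader>false</BypassDownloader>
`t<StrictCertificateTrust>true</StrictCertificateTrust>
</AnyConnectLocalPolicy>
"@

# Write the sample as UTF-8 without BOM (assumed temp location, never the live policy)
$TestFile = Join-Path $Env:TEMP "AnyConnectLocalPolicy.test.xml"
[System.IO.File]::WriteAllText($TestFile, $SamplePolicy, (New-Object System.Text.UTF8Encoding($false)))

Function Test-FipsModeCompliance {
    param([string]$Path)
    # Mirrors the discovery script: a missing file counts as compliant
    If (-not (Test-Path $Path)) { return $true }
    $xml = [Xml](Get-Content -Path $Path -Raw)
    $current = $xml.AnyConnectLocalPolicy.FipsMode
    return ($current -eq $FipsModeCompliantValue)
}

Function Set-FipsModeCompliance {
    param([string]$Path)
    # Mirrors the remediation script, with a guard for a policy that has no <FipsMode>
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($Path)
    $root = $xml.DocumentElement
    # local-name() sidesteps the default namespace declared on the root element
    $node = $root.SelectSingleNode("*[local-name()='FipsMode']")
    If ($null -eq $node) {
        # Element missing: create it in the document's namespace as the first child
        $node = $xml.CreateElement("FipsMode", $root.NamespaceURI)
        $root.PrependChild($node) | Out-Null
    }
    $node.InnerText = $FipsModeCompliantValue
    $Encoding = New-Object System.Text.UTF8Encoding($false)
    $writer = New-Object System.IO.StreamWriter($Path, $false, $Encoding)
    Try { $xml.Save($writer) } Finally { $writer.Close() }
}

Function Test-NoBom {
    param([string]$Path)
    # Leading bytes EF BB BF would mean a UTF-8 BOM was written
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return -not ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF)
}

# Run the cycle: discover (expect False), remediate, discover again (expect True)
"Before remediation compliant: $(Test-FipsModeCompliance $TestFile)"
Set-FipsModeCompliance $TestFile
"After remediation compliant:  $(Test-FipsModeCompliance $TestFile)"
"File still without BOM:       $(Test-NoBom $TestFile)"
"Tabs preserved:               $((Get-Content $TestFile -Raw) -match "`t<FipsMode>true</FipsMode>")"

# A second remediation must be a no-op and discovery must stay True
Set-FipsModeCompliance $TestFile
"Idempotent:                   $(Test-FipsModeCompliance $TestFile)"

Remove-Item $TestFile -Force
```

Run it in a normal PowerShell session; every line of output should read True except the first. If "Tabs preserved" comes back False, PreserveWhitespace was not set before Load, and if "File still without BOM" is False the StreamWriter was created with the default encoding rather than UTF8Encoding($false), which is exactly the kind of drift that makes a vendor's installer or a later remediation rewrite the file again.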
About the author

Johan Arwidmark
