
I have the AD CS Connector set up and it works great. My cert is based on the user of the Mac, but it installs in the System Keychain. This is not good for other apps like VPN that need to read this file. Is there a way for the user cert to install in the login keychain instead of System?

I'm running into a similar issue with the SCEP cert payload. The client downloads the cert and places it in the System keychain, and when Cisco AnyConnect tries to access it, it prompts for admin credentials.


@mcampbel If you have a Configuration Profile that's applied at the Computer Level, then the certificate from the SCEP payload is going to install in the System keychain, as that's just the way it works. If you want the cert in the login keychain it has to be a User Level profile (and that's a whole other bunch of fun).


What sdagley said. But VPN apps should be able to read the system keychain as well.


VPN can read it; it just needs the admin password to do so.


@patgmac I agree, it should be able to read the cert in the system keychain, but for some reason it's not. I do have "Allow Access to All Apps" checked in the payload and it's still having this issue. We have one ticket open with Cisco and are going to open another with Apple to try to resolve.


@mcampbel Let me know if you get this fixed.


@kericson One of these articles may help

https://help.duo.com/s/article/4791?language=en_US

https://mostlikelee.com/blog-1/2017/9/16/cisco-anyconnect-certificate-auth-and-admin-prompts


We're in the same situation, we have the AD CS Connector setup and can get the Machine cert applied, but need it in the local login instead of the System Keychain. We use AnyConnect VPN and are required to have this cert in place for the device to be allowed on our network.

@mcampbel - any update on your open Cisco and Apple support cases?


@Hyvonen Are you deploying your profile as a "device-level" profile? If so, the cert should be placed in your System keychain.


We are using ADCS and I don't remember any issues on this. We get the certificates in the login keychain and not in System.


Hi @Hyvonen

There is the possibility to configure AnyConnect as to which stores it should check for the identity cert.

We use the AD CS Connector for user certs placed in the login keychain, therefore we configured it to check just the login keychain and allowed all apps access to it. Have a look at your AnyConnect profile and its config - there should be your solution.

Greets Max


Can anyone share how they were able to get this to work? See my post earlier from 5/28. We can get the User cert to apply if we download the .mobileconfig file and manually open it on another Mac, but then the user has to enter their credentials. This is a clunky workaround.

Our Macs are all bound to the domain. We have an 802.1x network with Cisco ISE. Our Windows machines receive certs automatically from our CA via GPO. We have an ADCS Connector set up on Server 2016 in the DMZ. All necessary ports have been opened up.

The Machine cert is set to Computer Level, using an AD Certificate payload. This completes and adds the cert to the System Keychain. When selecting "User Level" it fails.

The ADCS Connector whitepaper suggests using the Certificate Payload instead of the AD Certificate payload. Every test we've tried with that payload fails.

We've opened several Jamf Support cases but it's still not resolved. We have a hard deadline of having both machine and user certs in place by end of June. Thanks in advance!
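Since the thread turns on two profile settings (the Computer Level vs User Level scope sdagley describes, and the "Allow Access to All Apps" checkbox), here is an added example, not code from any poster or from Jamf, that builds a minimal certificate .mobileconfig and reports, before it is pushed, which keychain the identity will land in and whether all apps are allowed to use it. It assumes Apple's `PayloadScope` key (default `User` when absent) and that Jamf's checkbox maps to the payload key `AllowAllAppsAccess`; the SCEP URL and subject are constructed placeholders.

```python
import plistlib
import uuid

# Payload types discussed in the thread: the SCEP payload and the AD Certificate payload.
CERT_PAYLOAD_TYPES = {"com.apple.security.scep", "com.apple.ADCertificate"}


def build_cert_profile(scope: str, allow_all_apps: bool) -> bytes:
    """Build a minimal .mobileconfig (XML plist) carrying one SCEP payload.

    scope is "System" (Computer Level profile) or "User" (User Level profile).
    The SCEP URL, CA name and subject below are constructed placeholders.
    """
    assert scope in ("System", "User")
    scep = {
        "PayloadType": "com.apple.security.scep",
        "PayloadIdentifier": "com.example.scep",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Example SCEP",
        "PayloadContent": {
            "URL": "https://scep.example.com/scep",  # placeholder, not a real server
            "Name": "example-ca",
            "Subject": [[["CN", "%ComputerName%"]]],
            "KeySize": 2048,
            "KeyType": "RSA",
        },
        # Assumed key behind Jamf's "Allow Access to All Apps" checkbox.
        "AllowAllAppsAccess": allow_all_apps,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.certprofile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Example certificate profile",
        "PayloadScope": scope,  # decides System keychain vs login keychain
        "PayloadContent": [scep],
    }
    return plistlib.dumps(profile)


def inspect_cert_profile(data: bytes) -> list:
    """For each certificate payload, report the target keychain and app access."""
    profile = plistlib.loads(data)
    scope = profile.get("PayloadScope", "User")  # Apple's default when the key is absent
    keychain = "System" if scope == "System" else "login"
    report = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") in CERT_PAYLOAD_TYPES:
            report.append({"type": payload["PayloadType"], "scope": scope,
                           "keychain": keychain,
                           "allow_all_apps": bool(payload.get("AllowAllAppsAccess", False))})
    return report
```

Run `inspect_cert_profile(open("profile.mobileconfig", "rb").read())` against an exported profile; a "System" keychain result with `allow_all_apps` false is the combination that produces the AnyConnect admin prompt described above.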