
First a warm "hello" to the community :-)
I hope you're well and stable in these unstable times.



Now to my topic, together with my hope that someone can help me find a solution:



We are using Cisco AnyConnect, and our install procedure for macOS Catalina (and Mojave) was working very well. We had created a configuration profile with the needed kernel extension exceptions, and with this configuration profile we installed Cisco AnyConnect silently.



Big Sur has modified the security options, and these changes are the reason that the formerly well-working procedure no longer works.



Now the user has to accept some security questions (like "is Cisco AnyConnect allowed to filter the network traffic?") and has to enable them in System Preferences.



Has anyone found a way to install Cisco AnyConnect without these conditions?



Thank you very much for answering and



kind regards,



Michael

With Big Sur you need to approve the System Extension instead of the Kernel extension. In addition, you need to add a Web Content Filter profile to approve the Web Filter.



For the System Extension, create a new Configuration Profile in Jamf. Select System Extensions and choose Allowed System Extensions. Add the Team ID DE8Y96K9QP and the approved system extension ID com.cisco.anyconnect.macos.acsockext.



For the web filter it is a little harder, because Jamf Pro 10.25.2 does not currently support the Web Content Filter payload. You can use ProfileCreator or iMazing Profile Editor to create the Web Content Filter. Cisco provides the correct settings in this document:



Cisco AnyConnect



Just remember: if you create your profile and upload it to Jamf Pro, you should sign it before you upload it to ensure that Jamf does not modify it.
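The procedure above has three moving parts that must agree with each other: the Team ID in the system extension policy, the bundle ID of the socket-filter extension, and the designated requirement inside the web content filter payload that pins the filter to that same Team ID and identifier. The script below is an added example (not Cisco's advisory profile and not a Jamf tool) that builds the same three payloads with plistlib and then runs consistency checks over the result, so a profile can be sanity-checked before it is signed and uploaded. The Team ID, bundle IDs and designated-requirement text follow Cisco's published values; the function names, display names and the run-time UUIDs are this example's own choices.

```python
"""Build and sanity-check an AnyConnect Big Sur configuration profile.

Added example, not Cisco's or Jamf's own tooling. The payload keys follow
the structure Cisco's Big Sur advisory publishes; function names, display
names and the UUIDs generated at run time are this example's own choices.
"""
import plistlib
import re
import uuid

TEAM_ID = "DE8Y96K9QP"                               # Cisco's Apple Developer Team ID
SYSEXT_ID = "com.cisco.anyconnect.macos.acsockext"   # socket-filter system extension
PLUGIN_ID = "com.cisco.anyconnect.macos.acsock"      # filter plug-in bundle ID
KEXT_ID = "com.cisco.kext.acsock"                    # legacy kext (Catalina and earlier)

# Designated requirement that ties the content filter to Cisco's signing identity.
DESIGNATED_REQUIREMENT = (
    'anchor apple generic and identifier "%s" and '
    '(certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or '
    'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
    'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
    'certificate leaf[subject.OU] = %s)' % (SYSEXT_ID, TEAM_ID)
)


def _payload(payload_type, display_name, **extra):
    """Common keys every payload needs. Identifier == UUID is this example's convention."""
    pid = str(uuid.uuid4()).upper()
    base = {
        "PayloadType": payload_type,
        "PayloadIdentifier": pid,
        "PayloadUUID": pid,
        "PayloadVersion": 1,
        "PayloadEnabled": True,
        "PayloadDisplayName": display_name,
        "PayloadOrganization": "Cisco Systems, Inc.",
    }
    base.update(extra)
    return base


def build_profile(include_kext=False):
    """Return the profile as a dict. The kext policy payload only matters on
    Catalina and earlier, so it is left out unless asked for."""
    payloads = [
        _payload("com.apple.system-extension-policy", "AnyConnect System Extension",
                 AllowUserOverrides=True,
                 AllowedSystemExtensions={TEAM_ID: [SYSEXT_ID]}),
        _payload("com.apple.webcontent-filter", "Cisco AnyConnect Content Filter",
                 FilterType="Plugin", FilterGrade="firewall",
                 FilterSockets=True, FilterPackets=False, FilterBrowsers=False,
                 AutoFilterEnabled=False,
                 PluginBundleID=PLUGIN_ID,
                 FilterDataProviderBundleIdentifier=SYSEXT_ID,
                 FilterDataProviderDesignatedRequirement=DESIGNATED_REQUIREMENT,
                 UserDefinedName="Cisco AnyConnect Content Filter"),
    ]
    if include_kext:
        payloads.insert(0, _payload("com.apple.syspolicy.kernel-extension-policy",
                                    "AnyConnect Kernel Extension",
                                    AllowUserOverrides=True,
                                    AllowedKernelExtensions={TEAM_ID: [KEXT_ID]}))
    return _payload("Configuration", "Approved AnyConnect Extensions",
                    PayloadScope="System", PayloadRemovalDisallowed=True,
                    PayloadContent=payloads)


def check_profile(profile):
    """Return a list of problems; an empty list means the payloads agree with each other."""
    problems = []
    content = profile.get("PayloadContent", [])
    by_type = {p.get("PayloadType"): p for p in content}
    sysext = by_type.get("com.apple.system-extension-policy")
    wcf = by_type.get("com.apple.webcontent-filter")
    if sysext is None or wcf is None:
        return ["profile needs both a system-extension-policy and a webcontent-filter payload"]
    allowed = sysext.get("AllowedSystemExtensions", {})   # {teamID: [bundle IDs]}
    provider = wcf.get("FilterDataProviderBundleIdentifier")
    # The filter's data provider must be one of the pre-approved system extensions.
    if not any(provider in ids for ids in allowed.values()):
        problems.append("FilterDataProviderBundleIdentifier %r is not an allowed system extension" % provider)
    dr = wcf.get("FilterDataProviderDesignatedRequirement", "")
    m = re.search(r"certificate leaf\[subject\.OU\] = (\w+)", dr)
    if not m or m.group(1) not in allowed:
        problems.append("designated requirement Team ID does not match AllowedSystemExtensions")
    if 'identifier "%s"' % provider not in dr:
        problems.append("designated requirement identifier does not match FilterDataProviderBundleIdentifier")
    if wcf.get("FilterType") != "Plugin" or not wcf.get("FilterSockets"):
        problems.append("a socket filter needs FilterType=Plugin and FilterSockets=true")
    # Jamf rejects uploads that collide with an existing UUID, so at least keep them unique here.
    uuids = [p.get("PayloadUUID") for p in content] + [profile.get("PayloadUUID")]
    if len(set(uuids)) != len(uuids):
        problems.append("duplicate PayloadUUID inside the profile")
    return problems


def to_mobileconfig(profile):
    """Serialize to the XML plist that a .mobileconfig file contains (unsigned)."""
    return plistlib.dumps(profile, sort_keys=False)


if __name__ == "__main__":
    prof = build_profile()
    print(check_profile(prof) or "profile is consistent")
    with open("anyconnect-bigsur.mobileconfig", "wb") as fh:
        fh.write(to_mobileconfig(prof))
```

The written file is unsigned; sign it on a Mac with the standard `security cms -S -N "<signing certificate name>" -i anyconnect-bigsur.mobileconfig -o anyconnect-bigsur-signed.mobileconfig` before uploading, using the certificate from the Jamf article linked later in this thread, so Jamf Pro stores the profile byte-for-byte as written.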


Hi Michael,



The text of a configuration profile is in the following advisory document. You can copy it into a text editor and save it as a .mobileconfig. I had to sign it using ProfileCreator and a certificate generated from Jamf.



https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/upgrade/AnyConnect_macOS_BigSur_Advisory.html



Instructions for signing the profile.



https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority


Can anyone share a working profile from ProfileCreator (of course it does not need to be signed)? I can't get the socket filter to enable automatically without a popup. Trying on a brand new MacBook Pro with M1 chipset.


There's one in the Cisco document on page 10. Copy and paste it into a text editor and save it as a mobileconfig. Then you can sign it and upload it to Jamf.


I copied and saved it as a mobileconfig file, uploaded it to our Jamf Pro v10.26 server as a config profile and deployed it to my M1 MBA. The config profile failed to load. I then proceeded to remove the kernel extension piece, leaving the system extension and content filtering. The profile loaded successfully on the M1, but it failed to bypass the user popup prompt to allow Cisco Socket Filter to load. Is the Kernel Extension portion needed on Big Sur? Can someone share screenshots of their working config profile for Cisco AnyConnect?


Kernel Extension approval should not be needed for Big Sur (I don't have it enabled on my test computer). But my understanding is that if you push AnyConnect to Catalina or lower, it will still use a KEXT instead of a SysExt. You will probably want to create two AnyConnect profiles: one for KEXT approval on Catalina or lower and one for SysExt on Big Sur (or higher), and create the appropriate Smart Groups and scopes.


@RBlount Thanks for confirming that the Kernel Extension is not needed for Big Sur.



It seems like my test config profile worked only for Big Sur 11.0.1 running on an Intel CPU and not the ARM CPU. Running this command



systemextensionsctl list


shows [activated enabled] for the Intel CPU and [activated waiting for user] on the M1 CPU. I ran



tccutil reset All


on both computers and reapplied the config profile just to confirm my previous result.
Is there anyone that can test this policy with an Apple Silicon computer?
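The post above uses the bracketed state column of `systemextensionsctl list` as the test of whether the profile did its job: `[activated enabled]` means the socket filter was approved without a user, `[activated waiting for user]` means the prompt is still pending. Below is an added example (not part of the thread or of any Apple or Cisco tool) that parses that output and reports the approval state of the Cisco extension, so the check can be scripted across a fleet instead of read by eye. The sample output is constructed to match the tab-separated layout of the command on Big Sur; the second vendor row is a placeholder, and the exact column order should be confirmed against a real machine.

```python
"""Parse `systemextensionsctl list` and report which extensions still wait on a user.

Added example, not part of the original thread. SAMPLE_OUTPUT is constructed in
the tab-separated layout the command uses on Big Sur; the com.example row and its
Team ID are placeholders, not real products.
"""
import re
import subprocess
import sys

CISCO_TEAM_ID = "DE8Y96K9QP"
CISCO_SYSEXT = "com.cisco.anyconnect.macos.acsockext"

SAMPLE_OUTPUT = (
    "2 extension(s)\n"
    "--- com.apple.system_extension.network_extension\n"
    "enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n"
    "*\t*\tABCDE12345\tcom.example.vendor.netext (1.0/1.0)\tExample Filter\t[activated enabled]\n"
    "\t\tDE8Y96K9QP\tcom.cisco.anyconnect.macos.acsockext (4.9.04043/4.9.04043)\t"
    "Cisco AnyConnect Socket Filter\t[activated waiting for user]\n"
)

# One data row: '*' or empty for enabled/active, then team, bundle (version), name, [state].
ROW = re.compile(
    r"^(?P<enabled>\*?)\t(?P<active>\*?)\t(?P<team>\w+)\t"
    r"(?P<bundle>[\w.\-]+) \((?P<version>[^)]*)\)\t(?P<name>[^\t]*)\t\[(?P<state>[^\]]*)\]$"
)


def parse_list(output):
    """Return one dict per extension row, tagged with the category from the '---' line above it."""
    rows, category = [], None
    for line in output.splitlines():
        if line.startswith("--- "):
            category = line[4:].strip()
            continue
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            row["enabled"] = row["enabled"] == "*"
            row["active"] = row["active"] == "*"
            row["category"] = category
            rows.append(row)
    return rows


def approval_status(output, bundle_id, team_id):
    """'enabled', 'waiting for user', 'missing', or the raw state for anything else.
    A matching bundle ID signed by a different Team ID is reported rather than trusted."""
    for row in parse_list(output):
        if row["bundle"] != bundle_id:
            continue
        if row["team"] != team_id:
            return "unexpected team %s" % row["team"]
        if row["state"] == "activated enabled" and row["enabled"]:
            return "enabled"
        if "waiting for user" in row["state"]:
            return "waiting for user"
        return row["state"]
    return "missing"


def waiting_for_user(output):
    """Bundle IDs of every extension whose approval prompt is still pending."""
    return sorted({r["bundle"] for r in parse_list(output) if "waiting for user" in r["state"]})


def live_output():
    """Run the real command; it only exists on macOS."""
    if sys.platform != "darwin":
        raise RuntimeError("systemextensionsctl is only available on macOS")
    return subprocess.run(["systemextensionsctl", "list"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    out = live_output() if sys.platform == "darwin" else SAMPLE_OUTPUT
    print("Cisco socket filter:", approval_status(out, CISCO_SYSEXT, CISCO_TEAM_ID))
    print("waiting for user:", waiting_for_user(out))
```

Run as a Jamf extension attribute or a policy script, the `approval_status` result is what separates a profile that was honoured from one that was merely installed; the `unexpected team` branch is there so a same-named extension from a different signer never reads as "enabled".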


Issue resolved with Big Sur on Apple Silicon. I had to reinstall the same version of Cisco AnyConnect to resolve the issue. Nothing else changed. :)


It does appear that the configuration profile needs to be pushed before the AnyConnect install happens.


I copied the text from the PDF and the Cisco website and code-signed this profile. I get this error.


This is my file I'm trying to upload.



<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<!-- Kernel extension policy: used by AnyConnect on Catalina and earlier; Big Sur loads the system extension instead -->
<dict>
<key>AllowUserOverrides</key>
<true/>
<key>AllowedKernelExtensions</key>
<dict>
<key>DE8Y96K9QP</key>
<array>
<string>com.cisco.kext.acsock</string>
</array>
</dict>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>AnyConnect Kernel Extension</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>37C29CF2-A783-411D-B2C7-100EDDFBE223</string>
<key>PayloadOrganization</key>
<string>Cisco Systems, Inc.</string>
<key>PayloadType</key>
<string>com.apple.syspolicy.kernel-extension-policy</string>
<key>PayloadUUID</key>
<string>37C29CF2-A783-411D-B2C7-100EDDFBE223</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
<!-- System extension policy: pre-approves Cisco's socket-filter system extension by Team ID and bundle ID -->
<dict>
<key>AllowUserOverrides</key>
<true/>
<key>AllowedSystemExtensions</key>
<dict>
<key>DE8Y96K9QP</key>
<array>
<string>com.cisco.anyconnect.macos.acsockext</string>
</array>
</dict>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>AnyConnect System Extension</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>A8364220-5D8D-40A9-Af66-1Fbfef94E116</string>
<key>PayloadOrganization</key>
<string>Cisco Systems, Inc.</string>
<key>PayloadType</key>
<string>com.apple.system-extension-policy</string>
<key>PayloadUUID</key>
<string>A8364220-5D8D-40A9-Af66-1Fbfef94E116</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
<!-- Web content filter: approves the socket filter itself; the designated requirement pins the data provider to Cisco's Team ID -->
<dict>
<key>Enabled</key>
<true/>
<key>AutoFilterEnabled</key>
<false/>
<key>FilterBrowsers</key>
<false/>
<key>FilterSockets</key>
<true/>
<key>FilterPackets</key>
<false/>
<key>FilterType</key>
<string>Plugin</string>
<key>FilterGrade</key>
<string>firewall</string>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>Cisco AnyConnect Content Filter</string>
<key>PayloadIdentifier</key>
<string>com.apple.webcontent-filter.339Ec532-9Ada-480A-Bf3D-A535F0F0B665</string>
<key>PayloadType</key>
<string>com.apple.webcontent-filter</string>
<key>PayloadUUID</key>
<string>339Ec532-9Ada-480A-Bf3D-A535F0F0B665</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>FilterDataProviderBundleIdentifier</key>
<string>com.cisco.anyconnect.macos.acsockext</string>
<key>FilterDataProviderDesignatedRequirement</key>
<string>anchor apple generic and identifier "com.cisco.anyconnect.macos.acsockext" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP)</string>
<key>PluginBundleID</key>
<string>com.cisco.anyconnect.macos.acsock</string>
<key>UserDefinedName</key>
<string>Cisco AnyConnect Content Filter</string>
</dict>
</array>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>Approved AnyConnect System and Kernel Extensions</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>A401Bdc2-4Ab1-4406-A143-11F077Baf52B</string>
<key>PayloadOrganization</key>
<string>Cisco Systems, Inc.</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>A401Bdc2-4Ab1-4406-A143-11F077Baf52B</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

Check to see if you've already got a version uploaded, or if you have an unsigned profile with the same UUID already on the server. If so, delete the existing items and try uploading again.


@merps Thanks this fixed my issue.


Still newish to Jamf / macOS but having issues with Cisco 4.9
Here is my Configuration Profile. What am I missing?
Jamf Pro 10.26.0




@sgiesbrecht: Hello sgiesbrecht, first, I wish you a great and healthy 2021 🙂 I think the issues you write about are related to Big Sur, but you do not say what kind of issues they are. It would be helpful to know what kind of issues you face in order to help you find a solution.
Are there any messages appearing? What does the logfile content say?


@NOVELLUS I have it solved and it is now working, with one minor issue which I think is more a matter of the application than of the installation. My issue was the System Extension setup. I will post my settings when my server is back up (if anyone wants the screenshots); I am making changes right now.


@sgiesbrecht yes, could you please share your profile and some screenshots if possible? It still doesn't work on an M1 Mac running Big Sur 11.1!


@NOVELLUS Could you please share the config profile that worked for you? I'm testing on an M1 Mac running Big Sur 11.1 using the sample profile provided by Cisco and still no success.
Any thoughts?


@NOVELLUS could you please share the profile you deployed? For me the sample config profile from Cisco didn't work on an M1 Mac running Big Sur 11.1!


@MacJunior Hi, please excuse my late response, I am not here every day. I am sorry, we do not have any M1 Macs, so there is no profile for them that I could share.


This is what I have for my profile and I still get the warning about the "Socket Filter"
Any ideas?






@keric @sgiesbrecht @NOVELLUS are you only installing this Cisco AnyConnect system extension on Big Sur systems?



does it matter if it also gets installed on 10.14 Mojave and 10.15 Catalina systems?


So, my content filter settings look just like the ones above from @ericsontech, but I'm still having issues on Big Sur. When the profile is installed I only get one new entry in the network adapters list. When I install AnyConnect 4.9, I'm still prompted to allow the filtering, and then I get 3 items added to the network adapters list. Has anyone gotten the filtering part working?


Scratch that. I re-uploaded the profile again and that seems to have resolved the issue


I just started testing with Big Sur 11.2.2 and AnyConnect 4.9.04043 on Intel architecture, and I can't get the System Extension to be allowed without a user prompt. I've tried with just the Team ID, with the NetworkExtension extension type, and with the extension name, and it never stops prompting. I've rebooted between every attempt and even tried a fresh system.



I haven't even got to the web filtering part yet. The SentinelOne entry at the bottom of the screenshot worked with no problem. At this point I wonder if it's an app issue. Any advice?



