We’ve come across an issue with Cisco AnyConnect where the connection option we use (called client_installed_local) appears fine on Intel Macs, but does not appear at all using the same version of AnyConnect on M1 Macs. We’re using AnyConnect 4.10.04071.

How our setup should work:

• User connects to the VPN server
• User is then prompted to choose options for connecting. Client_installed_local is the first option, and what the user will be choosing.
• This then kicks the user over to Azure MFA authentication.
• Once authenticated via Azure, the VPN connects

Other facts:

• The installer package is the webdeploy core vpn package, pulled from the predeploy package. I have been told we don’t need anything else.
• Our previous versions all used the webdeploy package. There is nothing special about these that I can see.
• Tested on macOS 12 and 13 on both the M1 and Intel sides
  • Older versions ran on everything from 10.14 up to 11 without issue on Intels

Here’s what I’ve tried:

• Reviewing and implementing a Configuration Profile with settings specified by Cisco: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/upgrade/AnyConnect_macOS_BigSur_Advisory.pdf
• Which is to say, the Configuration Profile approves the system extensions and the filters. I have a separate profile that has the Kernel Extension settings, though I’ve tried them bundled in with the system extensions too. Failing over to Kernel Extensions doesn’t fix the issue.
• We’ve reached out to Cisco support, who’ve basically poked at our ASA settings and found that all of the computers were in the correct group to use the Client Installed Local settings.
• We’ve gone up packages, all the way to what was current as of a week or two ago.
• This thread brought up encryption ciphers in the VPN Gateway: https://community.jamf.com/t5/jamf-pro/cisco-anyconnect-broken-after-update-to-monterey-12-3/m-p/261983 This appears to be a Posture thing, which I have been told we haven’t implemented, and the network guy I’ve been working with seemed to know nothing about it

We can't be the only group be having this issue. What are we doing wrong? What are we missing? What about Apple Silicon makes this not work? Is the app sandboxed in a way that the Intel app wouldn’t have been? Is there something I should be doing to the Installer package? I don’t think I need to wrap a certificate in it, but honestly I’ll take whatever dark magic I can get to make this work.