I had to reboot to get rid of those messages. Might have something to do with kernel extension loading.
@c.kay thanks for the reply. I tried many times and restarted but the error is still appearing. The Kernel extension was my first thought too.
Big Sur is only supported on 4.9.02028, released 9/1/20, and it should be using the new System Extensions, rather than Kernel Extensions in that version.
I would do a full uninstall and then a re-install to make sure there aren't any legacy Cisco AnyConnect files anywhere that could be causing the errors...
Has anyone whitelisted the Cisco AnyConnect 4.9.02028 System Extension (com.cisco.anyconnect.macos.acsockext) from JAMF Pro Configuration Profile successfully?
We attempted to whitelist the Team ID 'DE8Y96K9QP' but the following System Extension warning message is still prompted on macOS 11 Big Sur beta 6.

We are seeing very high CPU load with the Big Sur version of Cisco AnyConnect; look for vpnagentd in Activity Monitor. Even with the app closed and no VPN connection it's sitting at 70%.
@takayuki Thanks. It worked perfectly fine. I created system extension with the values you suggested and deployed it to my test computer and it is working fine.
I didn't have that updated kext approval (thanks @takayuki), but I'm seeing 4.9 cut off all traffic after about 15 seconds and then rebooting my device with a KP when disconnecting.
Where can I download Cisco AnyConnect 4.9.02028? There is no access to the offsite.
@sukharev I believe you'll need a registered login to the customer downloads section of Cisco's web site.
4.9.03047 was released today FYI. No longer has an issue where the KEXT would get loaded on systems that don’t need it.
If you can’t access the downloads site yourself you’ll need to speak with whomever at your company has access. It is not publicly accessible.
@iJake can you share the .pkg to 4.9.03047 version for us, please?
@1729patrick You can send an email to ask-anyconnect@cisco.com to see if the beta is still open otherwise you'll need to get it from someone at your company that has access to the Cisco downloads portal. I cannot share the file.
@raghdasi @takayuki I see this was "Solved" but I don't actually see any solution here and the post that was marked solved is just a question if anyone was able to get it to work.
We currently have 4.9.01095 deployed and I have run into the same issue as the OP when testing on BS. As suggested, this version may not be fully supported but it does work on systems where AnyConnect was installed prior to updating to BS. New installs, however, are coming up with the error about being unable to create the DNS plugin.
To add to this, we had an instance of someone who was running on 10.15.5 run into the same problem. If anyone has managed to fix this, I would really love some insight into how you got around this.
Thanks!
-Dan
Hi @engh
The solution is documented by Cisco here. See the following section:
3.2 Extension Approval using MDM
The 'WebContentFilter' payload may not be supported yet by your JAMF Pro version. Contact JAMF Support for confirmation.
We are running Jamf Pro 10.25.0. I uploaded and deployed the sample profile from the end of the Cisco document but the system extension does not get loaded in Big Sur beta 11.0.1, and as one would expect the user still gets prompts to approve the system extension. So what's the deal? Has anyone got the Cisco AnyConnect system extension profile working in Big Sur beta?
I haven't tried the sample profile but got the system extension approved using the following profile:

@kgam
Curious.
That's the first thing I tried. Along with a couple other variants of the built in System Extensions payload.
None of it worked for me.
That's all you did? Nothing with the WebContentFilter payload referenced in the Cisco doc?
systemextensionsctl list, reports your Cisco extension is loaded?
At first I had an additional entry which only allowed the team identifier but read somewhere that it may not be necessary so now I only have the one entry to allow the "com.cisco.anyconnect.macos.acsockext" extension which seems to work as I'm no longer prompted to allow the extension and 'systemextensionsctl list' shows the extension as enabled and active:
enabled active teamID bundleID (version) name [state]
DE8Y96K9QP com.cisco.anyconnect.macos.acsockext (4.9.03047/4.9.03047) Cisco AnyConnect Socket Filter Extension [activated enabled]
But yes I also had to create a configuration profile for the WebContentFilter payload. I used ProfileCreator and the .mobileconfig file gets created correctly but I'm having some problems signing the profile.
I used this guide: https://www.macblog.org/post/signing-configuration-profiles/
The finished configuration profile works but it's signed using a wrong certificate so I'll have to look into that.
OK, so I can get the System Extension working by duplicating the image above. But I've still not found a solution for the WebContentFilter requirement....
Has anyone a workaround since this payload isn't supported by JAMF?
@kgam, can you share the config profile that you're using?
Seems like a lot of people going to a lot of workarounds for lack of just using the correct software. AnyConnect (and Umbrella) are fully supported from 4.9.03047 and above. I'll add that there's a CVE where every version other than 4.9.03047 has a major vulnerability that was released last week, so y'all are working hard to get a security hole installed. https://www.cisco.com/c/en/us/support/security/anyconnect-secure-mobility-client/products-security-advisories-list.html
@wolftech
I used the sample MDM Configuration Profile found at the end of this PDF file:
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/upgrade/AnyConnect_macOS_BigSur_Advisory.pdf
Saved it as 'AnyConnect.mobileconfig' and signed it using the procedure outlined here:
https://www.macblog.org/post/signing-configuration-profiles/
Go to the section: "Signing Profiles for Trust Only by Jamf-enrolled Clients"
Due to a possible bug in Catalina I ended up using the following command to sign the certificate:
/usr/bin/security cms -S -Z 9CCE397F5491E9C6D70D305D0922687AAC2EA379 -i "AnyConnect.mobileconfig" -o "AnyConnect-signed.mobileconfig"
where the "-Z" value is "Subject Key Identifier" from the self-signed certificate in Keychain.app without <spaces> with the certificate set to "Use System Defaults" under "Trust".
You can also use "openssl x509 -in <.pem file> -noout -text" on the downloaded .pem file from Jamf Pro's 'Create Certificate from CSR'
After the .mobileconfig file had been signed I could upload it to Jamf Pro and scope it.
I was able to get it working following the documentation provided by Cisco here.
1) I made sure that the System Extension payload had both the bundleID and the type.

2) Since Jamf doesn't have the WebContentFilter payload yet, I was able to strip away the Kernel and System Extension attributes from the Sample Configuration Profile (#5 in the Cisco documentation), leaving just the dictionary that shows the settings for the content filter, and upload that as a Custom Setting within the same config profile. I gave it the same name as the PayloadType attribute inside the plist.
All looks good for me. Hope that helps.
@a.feliciano
Thank you for your post here!
I have done the same as you describe and I get the network extension to work without a problem but I do have to restart before the WebContentFilter payload kicks in and the dialog "Cisco AnyConnect Socket Filter Would Like to Filter Network Content" doesn't show anymore and the additional items are visible in System Preferences -> Network.
I'm not loading Kernel Extension (verified with "kextstat") and the "systemextensionsctl list" gives the correct answer for System Extensions from Cisco being [activated enabled].
Do you see the same behaviour?
The sample profile at the end of the Cisco doc started working when I got the 4.9.04043 installer. FYI
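Several posts above confirm approval by reading 'systemextensionsctl list' by eye; the script below does the same check by matching both the team ID and the bundle ID quoted in the thread. It is an added example, not code from any poster, Cisco or Jamf. The function names ext_state and is_approved are hypothetical, and both sample outputs (including the "activated waiting for user" row) are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check the state that
# `systemextensionsctl list` reports for one team ID + bundle ID pair.
TEAM_ID="DE8Y96K9QP"                               # quoted in the thread
BUNDLE_ID="com.cisco.anyconnect.macos.acsockext"   # quoted in the thread

# Constructed sample output, modelled on the row quoted in the thread.
SAMPLE_OK='enabled active teamID bundleID (version) name [state]
* * DE8Y96K9QP com.cisco.anyconnect.macos.acsockext (4.9.03047/4.9.03047) Cisco AnyConnect Socket Filter Extension [activated enabled]'
# Constructed: the same row while user approval is still pending.
SAMPLE_PENDING='enabled active teamID bundleID (version) name [state]
  DE8Y96K9QP com.cisco.anyconnect.macos.acsockext (4.9.03047/4.9.03047) Cisco AnyConnect Socket Filter Extension [activated waiting for user]'

# ext_state TEAM BUNDLE: read list output on stdin and print the bracketed
# state of the row whose team ID is immediately followed by the bundle ID,
# or "absent" when no such row exists.
ext_state() {
    awk -v team="$1" -v bundle="$2" '
        {
            for (i = 1; i < NF; i++) {
                if ($i == team && $(i + 1) == bundle && $0 ~ /\[.*\]/) {
                    s = $0
                    sub(/^.*\[/, "", s)   # drop everything up to the last "["
                    sub(/\].*$/, "", s)   # drop the closing "]" and the rest
                    found = s
                }
            }
        }
        END { print (found == "" ? "absent" : found) }
    '
}

# is_approved TEAM BUNDLE: succeed only when the state is exactly
# "activated enabled", i.e. no approval prompt is pending.
is_approved() {
    [ "$(ext_state "$1" "$2")" = "activated enabled" ]
}

# On a Mac, query the live list; elsewhere fall back to the sample.
if command -v systemextensionsctl >/dev/null 2>&1; then
    systemextensionsctl list | ext_state "$TEAM_ID" "$BUNDLE_ID"
else
    printf '%s\n' "$SAMPLE_OK" | ext_state "$TEAM_ID" "$BUNDLE_ID"
fi
```

Matching the team ID together with the bundle ID keeps a row from a different vendor with a similar name from passing the check.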