@jwaltonen How did you download the mobileconfig from the Cisco doc?
Just curious on the easiest method to get it uploaded into Jamf

@a.feliciano It is not working for me with just the system extensions (in Catalina), so i assume you need the webcontenfilter part also. I am not sure what to strip out of the mobileconfig - can you please expand?
@jwalton I am also trying to use the mobileconfig from the doc, but using the whole mobileconfig fails to save for some unknown reason:

[HTMLResponse ] - An unhandled exception occurred during a save operation
java.lang.NullPointerException

any ideas anyone?

@cingalls See my post earlier from 11/14/2020. You can copy/paste the content of the sample mobile config into a text file and call it e.g. "AnyConnect.mobileconfig". After you have signed it and uploaded it to Jamf this will approve both kernel extensions, system extensions and the webcontentfilter. But since Jamf Pro is being updated to 10.26 soon (during the weekend for us) and this version will support the webcontentfilter you could wait for this and then just use the previous mentioned configuration profile to approve the system extensions.

@kgam Thanks. Using your steps & signing the profile allowed me to upload to Jamf Pro w/o seeing exception errors or signing errors, but the content itself is still blank for some reason..

Not a big deal, though, since I just used Jamf Pro's GUI to create the profile & copy the entries manually instead of uploading. That handled the kernel & system extensions successfully. I'll update to 10.26 to handle the webcontentfilter tomorrow.
My other big problem was the order of install. I had to install this config profile before upgrading to AnyConnect 4.9.04043. Trying to push the profile after 4.9.04043 was already installed would not remove the System Prefs prompt for enabling the system extension manually w/ admin rights

Yes, my profile is empty as well. This is to be expected. I believe it's because the profile is signed in order to protect it from Jamf removing the parts it doesn't support by default.

Hi there - does anyone have a completed working Cisco AnyConnect system extension Configuration Profile created for macOS Big Sur? I'm sure this can be done with 1 config profile to apply to a computer.

I'm trying to create one using the AnyConnect_macOS_BigSur_Advisory.pdf that they provide but i'm not sure i'm setting it up correctly.

For macOS prior to Big Sur i have the approved kernel extension with team id that has worked with no issues 10.14/10.15, now with System Extensions for Big Sur i'm prepping for Cisco AnyConnect 4.9.04xxx

I'v included some images of my preliminary System Extenstion settings along with the Cisco information that is in the pdf.

I added the Web Content filter section to the Config Profiiles system configuration settings but I am not sure where to put that data the the Cisco pdf displays.

@tcandela In order to have both system extensions and the WebContentFilter in the same profile you can put the entire content of the example profile from the Cisco advisory into a signed .mobileconfig file and upload it to Jamf Pro. I did this prior to Jamf Pro v. 10.26 and it worked but since 10.26 now supports the WebContentFilter configuration profile I have switched to this in order to avoid signing the profile.

I'm using the following two configuration profiles:

@kgam - just curious, why can't you put the content filter and the system extension payloads in the same config profile?

you didn't include the 'Allow System Extension Types' ---> 'Network Extension' in your systems extensions payload settings?

is that all 4 keys you need for the Custom Data section of the web content filter?

also, how do you apply your config profiles? to each computer immediately or self service?

thanks

Sorry, I misunderstood your original post. I have one configuration profile for each but there should be nothing wrong as far as I can see with putting them in the same profile. We only use the VPN part of Cisco AnyConnect so it has not been necessary to include the Network Extension payload. You may need to add it if you use more of the modules in AnyConnect.

Yes, those four custom keys has been enough in our case but again we only use VPN.

I'm using a "macOS 11" smart group to automatically deploy the profiles when a Mac is upgraded to Big Sur.

@kgam thanks, we only use the VPN part also, none of those other modules get installed. I'll try it all in one config profile.

Here is a link to the supplemental for Big Sur configuration from Cisco Anyconnect
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/upgrade/AnyConnect_macOS_BigSur_Advisory.pdf

@tcandela Did you managed to put it all in one profile? when I downloaded the sample config profile from Cisco, I noticed the key values are not added so it doesn't work for me yet!

Any advice?

I'm still having issues with deploying that sample profile on M1 Mac running BIg Sur 11.1 ! any thoughts ?

it worked!

@MacJunior I'm going to be using the configuration profile settings not that file from any connect.
What did you end up doing?

I ended up creating a config profile like this one and it worked!

@kgam kudos for the Content Filter screenshot it's working great

Has anyone figured out a way to supress the notification dialog so that it does not show on first launch?

It worked for me .. I had to specify system extension "com.cisco.anyconnect.macos.acsockext", here are my config profiles :

does this system extension have to get installed on Big Sur even if the mac is having an in place upgrade from Mojave or Catalina and has AnyConnect 4.9.04053 currently installed?

yeah it has to be added since that mac is running Big Sur now.

The order is really important, you install the profile first then the app.

@MacJunior yeah but what if you're doing an in place upgrade to Big Sur and these applications that require system extensions are already installed?
What about applications like Box, Google drive file stream? These i setup kernel extensions for previously, not what happens with Big Sur? Especially if all these applications are installed prior to the in place upgrade to Big Sur?

tbh I haven't tried it yet but since Apple has deprecated KEXTs in Big Sur and moved to System extensions then -1 vendor needs to update their app and we need to approve their system extension.

Speaking of Drive File Stream .. how did you approved its kernel extension?

Like everyone here, we are in the same boat plus additional fun! I have all the system extensions and content filter deployed, but our AnyConnect VPN (only portion of pkg we install & use) is stuck at v4.9.00086. We went to Cisco to download an updated version to deploy to our M1/BigSur users, but rudely found we need to pony up $$ to them for a new software service contract ~ despite already having all the Cisco hardware and VPN licenses. We do not want to spend money we don't need to (public ed) so hoping someone here can send me a download link for v4.9.04xxx+ which is required for "leveraging the System Extension framework available in macOS 11".

The sample profile at the end of the cisco doc starting working when I got the 4.9.04043 installer. FYI

Please - anyone out there who can send our district a copy of this package?