Skip to main content
Question

Deny System extension

  • April 11, 2022
  • 6 replies
  • 33 views
M
Forum|alt.badge.img+3

Is there a way to Deny/Block below system extension for cisco anyconnect client. 
Want that this extension is auto denied/blocked 

Configuration profile payload only has options to allow system extensions or approved kernel extension.

My need is to block it or deny it.

I need anyconnect app to install silently without this prompt. but do not want to allow the extension. 

    6 replies

    geoff_widdowson
    Forum|alt.badge.img+8

    If you want the application to be blocked from installation then add it the 'Restricted Software' list. Given you are wanting to block the systems extensions, which will stop it from working, it won't run anyway (some cases it may). 

    M
    Forum|alt.badge.img+3
    • madhavigandhi1
    • Author
    • New Contributor
    • April 12, 2022

    If you want the application to be blocked from installation then add it the 'Restricted Software' list. Given you are wanting to block the systems extensions, which will stop it from working, it won't run anyway (some cases it may). 


    Thanks for the reply.
    We do not want the application to be restricted, just the system extension of that app to be blocked.

    any solution regarding this is most welcome

    mm2270
    Forum|alt.badge.img+24
    • mm2270
    • Legendary Contributor
    • April 12, 2022

    Thanks for the reply.
    We do not want the application to be restricted, just the system extension of that app to be blocked.

    any solution regarding this is most welcome


    I don't understand this. If an application requires a System Extension to work, then blocking it will prevent the application from working (worst case) or limit the functionality of the application (best case). Yet you say you don't want to block the application. These 2 things aren't lining up. Either you want to allow it or not. It seems you're trying to have it both ways which doesn't seem like it would end up well to me.

    aparten11
    dlondon
    AVmcclint
    Forum|alt.badge.img+21
    • AVmcclint
    • Esteemed Contributor
    • April 12, 2022

    I think the point of the System Extension is that's what it needs to run.

    aparten11
    X
    Forum|alt.badge.img+4
    • xtian
    • New Contributor
    • May 25, 2022

    Try this 

    Save as .mobileconfig and upload

    <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>NotificationSettings</key> <array> <dict> <key>AlertType</key> <integer>1</integer> <key>BadgesEnabled</key> <true/> <key>BundleIdentifier</key> <string>com.cisco.anyconnect.notification</string> <key>CriticalAlertEnabled</key> <true/> <key>NotificationsEnabled</key> <true/> <key>ShowInLockScreen</key> <false/> <key>ShowInNotificationCenter</key> <true/> <key>SoundsEnabled</key> <true/> </dict> </array> <key>PayloadDisplayName</key> <string>Notifications Payload</string> <key>PayloadIdentifier</key> <string>com.apple.notificationsettings.E909DDCC-3AE1-4363-BBBC-3A8F32178DA0</string> <key>PayloadOrganization</key> <string>JAMF Software</string> <key>PayloadType</key> <string>com.apple.notificationsettings</string> <key>PayloadUUID</key> <string>E909DDCC-3AE1-4363-BBBC-3A8F32178DA0</string> <key>PayloadVersion</key> <integer>1</integer> </dict> <dict> <key>FilterDataProviderBundleIdentifier</key> <string>com.cisco.anyconnect.macos.acsockext</string> <key>FilterDataProviderDesignatedRequirement</key> <string>anchor apple generic and identifier "com.cisco.anyconnect.macos.acsockext" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP)</string> <key>FilterPackets</key> <false/> <key>FilterSockets</key> <true/> <key>FilterType</key> <string>Plugin</string> <key>PayloadDisplayName</key> <string>Web Content Filter Payload</string> <key>PayloadIdentifier</key> <string>com.apple.webcontent-filter.576F7B34-7116-405B-B752-3986D84CE9FA</string> <key>PayloadOrganization</key> <string>JAMF Software</string> <key>PayloadType</key> <string>com.apple.webcontent-filter</string> <key>PayloadUUID</key> <string>576F7B34-7116-405B-B752-3986D84CE9FA</string> <key>PayloadVersion</key> <integer>1</integer> <key>PluginBundleID</key> <string>com.cisco.anyconnect.macos.acsock</string> <key>UserDefinedName</key> <string>Cisco AnyConnect Content Filter</string> <key>VendorConfig</key> <dict/> </dict> <dict> <key>AllowUserOverrides</key> <true/> <key>AllowedSystemExtensionTypes</key> <dict> <key>DE8Y96K9QP</key> <array> <string>NetworkExtension</string> </array> </dict> <key>AllowedSystemExtensions</key> <dict> <key>DE8Y96K9QP</key> <array> <string>com.cisco.anyconnect.macos.acsockext</string> </array> </dict> <key>PayloadDescription</key> <string></string> <key>PayloadDisplayName</key> <string>System Extensions</string> <key>PayloadEnabled</key> <true/> <key>PayloadIdentifier</key> <string>com.apple.system-extension-policy.DA8EB2BF-4B5F-47B4-AD9B-BC1EC8A1A07E</string> <key>PayloadOrganization</key> <string>New York University Abu Dhabi</string> <key>PayloadType</key> <string>com.apple.system-extension-policy</string> <key>PayloadUUID</key> <string>DA8EB2BF-4B5F-47B4-AD9B-BC1EC8A1A07E</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </array> <key>PayloadDescription</key> <string></string> <key>PayloadDisplayName</key> <string>AnyConnect Unified Configuration Profile - ARM64/AMD64</string> <key>PayloadEnabled</key> <true/> <key>PayloadIdentifier</key> <string>com.tano.profile</string> <key>PayloadRemovalDisallowed</key> <true/> <key>PayloadScope</key> <string>System</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>175D2627-860F-41A6-B385-038DF2BCA063</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist>

     

    X
    Forum|alt.badge.img+4
    • xtian
    • New Contributor
    • May 25, 2022

    Try this 

    Save as .mobileconfig and upload

    <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>NotificationSettings</key> <array> <dict> <key>AlertType</key> <integer>1</integer> <key>BadgesEnabled</key> <true/> <key>BundleIdentifier</key> <string>com.cisco.anyconnect.notification</string> <key>CriticalAlertEnabled</key> <true/> <key>NotificationsEnabled</key> <true/> <key>ShowInLockScreen</key> <false/> <key>ShowInNotificationCenter</key> <true/> <key>SoundsEnabled</key> <true/> </dict> </array> <key>PayloadDisplayName</key> <string>Notifications Payload</string> <key>PayloadIdentifier</key> <string>com.apple.notificationsettings.E909DDCC-3AE1-4363-BBBC-3A8F32178DA0</string> <key>PayloadOrganization</key> <string>JAMF Software</string> <key>PayloadType</key> <string>com.apple.notificationsettings</string> <key>PayloadUUID</key> <string>E909DDCC-3AE1-4363-BBBC-3A8F32178DA0</string> <key>PayloadVersion</key> <integer>1</integer> </dict> <dict> <key>FilterDataProviderBundleIdentifier</key> <string>com.cisco.anyconnect.macos.acsockext</string> <key>FilterDataProviderDesignatedRequirement</key> <string>anchor apple generic and identifier "com.cisco.anyconnect.macos.acsockext" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP)</string> <key>FilterPackets</key> <false/> <key>FilterSockets</key> <true/> <key>FilterType</key> <string>Plugin</string> <key>PayloadDisplayName</key> <string>Web Content Filter Payload</string> <key>PayloadIdentifier</key> <string>com.apple.webcontent-filter.576F7B34-7116-405B-B752-3986D84CE9FA</string> <key>PayloadOrganization</key> <string>JAMF Software</string> <key>PayloadType</key> <string>com.apple.webcontent-filter</string> <key>PayloadUUID</key> <string>576F7B34-7116-405B-B752-3986D84CE9FA</string> <key>PayloadVersion</key> <integer>1</integer> <key>PluginBundleID</key> <string>com.cisco.anyconnect.macos.acsock</string> <key>UserDefinedName</key> <string>Cisco AnyConnect Content Filter</string> <key>VendorConfig</key> <dict/> </dict> <dict> <key>AllowUserOverrides</key> <true/> <key>AllowedSystemExtensionTypes</key> <dict> <key>DE8Y96K9QP</key> <array> <string>NetworkExtension</string> </array> </dict> <key>AllowedSystemExtensions</key> <dict> <key>DE8Y96K9QP</key> <array> <string>com.cisco.anyconnect.macos.acsockext</string> </array> </dict> <key>PayloadDescription</key> <string></string> <key>PayloadDisplayName</key> <string>System Extensions</string> <key>PayloadEnabled</key> <true/> <key>PayloadIdentifier</key> <string>com.apple.system-extension-policy.DA8EB2BF-4B5F-47B4-AD9B-BC1EC8A1A07E</string> <key>PayloadOrganization</key> <string>New York University Abu Dhabi</string> <key>PayloadType</key> <string>com.apple.system-extension-policy</string> <key>PayloadUUID</key> <string>DA8EB2BF-4B5F-47B4-AD9B-BC1EC8A1A07E</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </array> <key>PayloadDescription</key> <string></string> <key>PayloadDisplayName</key> <string>AnyConnect Unified Configuration Profile - ARM64/AMD64</string> <key>PayloadEnabled</key> <true/> <key>PayloadIdentifier</key> <string>com.tano.profile</string> <key>PayloadRemovalDisallowed</key> <true/> <key>PayloadScope</key> <string>System</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>175D2627-860F-41A6-B385-038DF2BCA063</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist>

     


    Add this entries manually if settings not picked up after upload

     

    Terms & ConditionsCookie settingsAccessibility statement