AnyConnect Socket Filter on Big Sur

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-25-2021 05:07 AM
I have seen several discussions on this topic but so far following them I have not been able to get rid of the Cisco AnyConnect Socket Filter PPPC pop. I have a few configuration profiles for AnyConnect following other people and Ciscos generic documentation and it looks like they have installed correctly. However the popup persists. Anyone got any ideas?
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/upgrade/AnyConnect_macOS_BigSur_Advisory.html#_Toc52277857

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-25-2021 06:02 AM
It looks like you have a typo in the Socket Filter Bundle Identifier
. It should be com.cisco.anyconnect.macos.acsock
. Try changing that and see if makes any difference.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-25-2021 09:16 AM
@RBlount I fixed that but it still wont move past "activated waiting for user". I copy pasted Socket Filter Designated Requirement so that should be right.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-28-2021 08:06 AM
This is related, but not exactly the same thing. Are you aware if there is a way to either delete the socket filter on install, or use jamf to remove it completely? We are running into an issue where the Anyconnect socket filter in causing issues when it is installed on systems with SEP installed. The socket filter on Anyconnect doesn't like having the SEP socket filter installed too. We have to have the SEP one per organization ISO, and manually removing the Anyconnect one on each mac is proving troublesome.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-28-2021 09:25 AM
only difference I can see is that in our identifier its: com.cisco.anyconnect.macos.acsock
Attaching our info.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-24-2021 07:35 AM
there is a difference, filter Order is set.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-24-2021 08:06 AM
Is the System Extension in a different config profile? Probably need both to get it approved without user interaction.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-06-2021 06:16 AM
we're experiencing similar issues. I went through and changed per the suggestions above, but still doesn't seem to want to enable it automatically (still prompting the user).
I also went through this KB article and at the bottom is the text for their premade mobileconfig, which I put into jamf and it still prompting.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-12-2021 03:23 AM
Deleting these worked for me. AnyConnect still works fine.
/Library/LaunchAgents/com.cisco.anyconnect.vpnagent.plist/Library/LaunchDaemons/com.cisco.anyconnect.gui.plist/Library/LaunchAgents/com.cisco.anyconnect.notification.plist
You might be able to get away with deleting just the last one, though.
EDIT: Confirmed that this is the only one you need to delete:
/Library/LaunchAgents/com.cisco.anyconnect.notification.plist

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-15-2021 10:23 AM
This was added o install script to prevent RunAtLoad (startup) >
rm -f /Library/LaunchAgents/com.cisco.anyconnect.gui.plist
echo "Prevent RunAtLoad"

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-15-2021 10:22 AM
Anyone having any luck with a silent uninstall?
"/opt/cisco/anyconnect/bin/anyconnect_uninstall.sh"
"/opt/cisco/anyconnect/bin/dart_uninstall.sh"
Is throwing a user-prompt to remove content filter.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-15-2021 10:42 AM - edited 11-15-2021 10:47 AM
I know this is a bit late but this might be useful to some: I got rid of the Secure socket message during Uninstall:
In my use case I needed the AnyConnect app to be force quit before, you can comment that line out if not needed.
#/bin/bash
#Force Quit AnyConnect
pkill -x "Cisco AnyConnect Secure Mobility Client"
# get the current user
loggedInUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name "> && ! /loginwindow/ { print $3 }' )
# test if a user is logged in
if [ -n "$loggedInUser" ]; then
# Run Uninstall script as end user
uid=$(id -u "$loggedInUser")
launchctl asuser "$uid" sudo -u /opt/cisco/anyconnect/bin/vpn_uninstall.sh
else
echo "no user logged in, Cannot Uninstall"
fi
exit 0

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-12-2022 07:05 AM - edited 03-12-2022 07:07 AM
@markdmatthews did you ever find out how to resolve this? I'm getting the same popup when using the uninstall.sh
I have a configuration profile configured for the content filter

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-13-2022 04:16 AM
did you ever find out how to resolve this? I'm getting the same popup when using the uninstall.sh

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-13-2022 05:41 AM
Currently Apple Requires a user interaction to remove system extensions like Cisco’s Socket Filter. To remove System extension via CLI Apple requires SIP to be disabled. According to the terminal binary this is temporary, but its been temporarily 4 years without any comments about this changing any time soon. Just another management item Apple is forcing user I interaction on unfortunately.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-13-2022 01:06 PM
I see many people say "web content filter" are they referring to the "content filter" payload?
from what i'm reading here CISCO section 3.2 brings up information that looks like this has to be configured in the system extension --> RemovableSystemExtensions property in order to remove it . So when the uninstall.sh is run then maybe this property being set will stop that popup.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-10-2024 05:41 PM - edited 01-10-2024 05:43 PM
Is there an equivalent elegant way to stop the popup notification for Cisco Secure Client v5.1.x.x? The command
rm -f /Library/LaunchAgents/com.cisco.anyconnect.gui.plist
no longer works as that file is no longer there to delete. I do have an alternative method.
rm -rf /opt/cisco/secureclient/bin/Cisco\ Secure\ Client\ -\ Notification.app
Deleting the notification app works, but it seems so brute-forced.
