Jamf Nation Community

AJPinto · ‎01-25-2021

I have seen several discussions on this topic but so far following them I have not been able to get rid of the Cisco AnyConnect Socket Filter PPPC pop. I have a few configuration profiles for AnyConnect following other people and Ciscos generic documentation and it looks like they have installed correctly. However the popup persists. Anyone got any ideas?

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/upgrade/AnyConnect_macOS_BigSur_Advisory.html#_Toc52277857

8a3ce6d93d874315b8311d12b672f493

9293a64c6b974c3bb0af2fa7d8185057

29228126ebd441dcbc4e1d68dd1c0ffc

b6fc379517f5436f8f0a650594f12160

9534c71c31004ec78e20b62fff23a2b9

Tribruin · ‎01-25-2021

It looks like you have a typo in the Socket Filter Bundle Identifier. It should be com.cisco.anyconnect.macos.acsock. Try changing that and see if makes any difference.

AJPinto · ‎01-25-2021

@RBlount I fixed that but it still wont move past "activated waiting for user". I copy pasted Socket Filter Designated Requirement so that should be right.

cefe2885e9804c41b8c3e0057be1268b

d031a077f5e845a5947c45731844831d

u0019722 · ‎01-28-2021

This is related, but not exactly the same thing. Are you aware if there is a way to either delete the socket filter on install, or use jamf to remove it completely? We are running into an issue where the Anyconnect socket filter in causing issues when it is installed on systems with SEP installed. The socket filter on Anyconnect doesn't like having the SEP socket filter installed too. We have to have the SEP one per organization ISO, and manually removing the Anyconnect one on each mac is proving troublesome.

roiegat · ‎01-28-2021

only difference I can see is that in our identifier its: com.cisco.anyconnect.macos.acsock
Attaching our info.
40c3c7bdf19247fdb332a8d6df2a738a

Mark_Lamont · ‎03-24-2021

there is a difference, filter Order is set.

agrant · ‎03-24-2021

Is the System Extension in a different config profile? Probably need both to get it approved without user interaction.

ImAMacGuy · ‎04-06-2021

we're experiencing similar issues. I went through and changed per the suggestions above, but still doesn't seem to want to enable it automatically (still prompting the user).

I also went through this KB article and at the bottom is the text for their premade mobileconfig, which I put into jamf and it still prompting.

JAMAUAI · ‎06-12-2021

~~Deleting these worked for me. AnyConnect still works fine.~~

~~/Library/LaunchAgents/com.cisco.anyconnect.vpnagent.plist~~ ~~/Library/LaunchDaemons/com.cisco.anyconnect.gui.plist~~ ~~/Library/LaunchAgents/com.cisco.anyconnect.notification.plist~~

~~You might be able to get away with deleting just the last one, though.~~

EDIT: Confirmed that this is the only one you need to delete:

/Library/LaunchAgents/com.cisco.anyconnect.notification.plist

Source: https://apple.stackexchange.com/questions/202296/stop-cisco-anyconnect-secure-mobility-client-from-s...

markdmatthews · ‎10-15-2021

This was added o install script to prevent RunAtLoad (startup) >

rm -f /Library/LaunchAgents/com.cisco.anyconnect.gui.plist
echo "Prevent RunAtLoad"

markdmatthews · ‎10-15-2021

Anyone having any luck with a silent uninstall?

"/opt/cisco/anyconnect/bin/anyconnect_uninstall.sh"
"/opt/cisco/anyconnect/bin/dart_uninstall.sh"

Is throwing a user-prompt to remove content filter.

Geissbuhler · ‎11-15-2021

I know this is a bit late but this might be useful to some: I got rid of the Secure socket message during Uninstall:
In my use case I needed the AnyConnect app to be force quit before, you can comment that line out if not needed.

#/bin/bash
#Force Quit AnyConnect
pkill -x "Cisco AnyConnect Secure Mobility Client"

# get the current user
loggedInUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name ‌‌"> && ! /loginwindow/ { print $3 }' )

# test if a user is logged in
if [ -n "$loggedInUser" ]; then
# Run Uninstall script as end user
uid=$(id -u "$loggedInUser")
launchctl asuser "$uid" sudo -u /opt/cisco/anyconnect/bin/vpn_uninstall.sh
else
echo "no user logged in, Cannot Uninstall"
fi

exit 0

tcandela · ‎03-12-2022

@markdmatthews did you ever find out how to resolve this? I'm getting the same popup when using the uninstall.sh

I have a configuration profile configured for the content filter

tcandela · ‎03-13-2022

did you ever find out how to resolve this? I'm getting the same popup when using the uninstall.sh

AJPinto · ‎03-13-2022

Currently Apple Requires a user interaction to remove system extensions like Cisco’s Socket Filter. To remove System extension via CLI Apple requires SIP to be disabled. According to the terminal binary this is temporary, but its been temporarily 4 years without any comments about this changing any time soon. Just another management item Apple is forcing user I interaction on unfortunately.

tcandela · ‎03-13-2022

@AJPinto

I see many people say "web content filter" are they referring to the "content filter" payload?

from what i'm reading here CISCO section 3.2 brings up information that looks like this has to be configured in the system extension --> RemovableSystemExtensions property in order to remove it . So when the uninstall.sh is run then maybe this property being set will stop that popup.

EdLuo · ‎01-10-2024

Is there an equivalent elegant way to stop the popup notification for Cisco Secure Client v5.1.x.x? The command

rm -f /Library/LaunchAgents/com.cisco.anyconnect.gui.plist

no longer works as that file is no longer there to delete. I do have an alternative method.

rm -rf /opt/cisco/secureclient/bin/Cisco\ Secure\ Client\ -\ Notification.app

Deleting the notification app works, but it seems so brute-forced.

Jamf Nation Community

AnyConnect Socket Filter on Big Sur