Posted on 11-19-2020 07:46 AM
First a warm "hello" to the community :-)
I hope you're well and stable in these unstable times.
Now to my topic, together with my hope that someone can help me find a solution:
We are using Cisco AnyConnect and our install procedure for macOS Catalina (and Mojave) was working very well. We had created a configuration profile with the needed kernel extension exceptions, and with this configuration profile we installed Cisco AnyConnect silently.
Big Sur has modified the security options, and these changes are the reason the previously working procedure no longer works.
Now the user has to accept some security prompts (like "is Cisco AnyConnect allowed to filter the network traffic") and has to enable them in the system settings.
Has anyone found a way to install Cisco AnyConnect without these conditions?
Thank you very much for answering and
kind regards,
Michael
Posted on 11-19-2020 08:40 AM
With Big Sur you need to approve the System Extension instead of the Kernel extension. In addition, you need to add a Web Content Filter profile to approve the Web Filter.
For the System Extension, create a new Configuration Profile in Jamf. Select System Extensions and choose Allowed System Extensions. Add the Team ID DE8Y96K9QP and add the approved system extension ID com.cisco.anyconnect.macos.acsockext.
For the web filter it is a little harder because Jamf Pro 10.25.2 does not currently support the Web Filter Content Filter payload. You can use Profile Creator or iMazing Profile editor to create the Web Content filter. Cisco provides the correct setting in this document:
Just remember, if you create your profile and upload it to Jamf Pro, you should sign it before you upload it to ensure that Jamf does not modify it.
Posted on 11-19-2020 08:41 AM
Hi Michael,
There is the text of a configuration profile in the following advisory document. You can copy it into a text editor and save it as a .mobileconfig. I had to sign it using ProfileCreator and a certificate generated from Jamf.
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/upgrade/AnyConnect_macOS_BigSur_Advisory.html
Instructions for signing the profile.
https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority
Posted on 11-30-2020 04:36 AM
Can anyone share a working profile from ProfileCreator (of course it does not need to be signed)? I can't get the socket filter to enable automatically without a popup. Trying on a brand new MacBook Pro with M1 chipset.
Posted on 11-30-2020 09:18 AM
There's one in the Cisco document on page 10. Copy and paste it into a text editor and save it as a .mobileconfig. Then you can sign it and upload it to Jamf.
Posted on 12-07-2020 01:09 PM
I copied and saved it as a .mobileconfig file. Uploaded it to our Jamf Pro v10.26 server as a config profile and deployed it to my M1 MBA. The config profile failed to load. I then proceeded to remove the kernel extension piece, leaving the system extension and content filtering. The profile loaded successfully on the M1, but it failed to bypass the user popup prompt to allow Cisco Socket Filter to load. Is the Kernel Extension portion needed on Big Sur? Can someone share screenshots of their working config profile for Cisco AnyConnect?
Posted on 12-07-2020 02:39 PM
Kernel Extension approval should not be needed for Big Sur (I don't have it enabled on my test computer). But my understanding is that if you push AnyConnect to Catalina or lower it will still use a KEXT instead of a SysExt. You will probably want to create two AnyConnect profiles: one for KEXT approval on Catalina or lower and one for SysExt on Big Sur (or higher), and create the appropriate Smart Groups and scopes.
Posted on 12-08-2020 05:49 AM
@RBlount Thanks for confirming that the Kernel Extension is not needed for Big Sur.
It seems like my test config profile worked only for Big Sur 11.0.1 running on an Intel CPU and not the ARM CPU. Running this command:
systemextensionsctl list
shows [activated enabled] for the Intel CPU and [activated waiting for user] on the M1 CPU. I ran
tccutil reset All
on both computers and reapplied the config profile just to confirm my previous result.
Is there anyone that can test this policy with an Apple Silicon computer?
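The check the previous post runs by hand, as an added example that is not part of this thread or of Apple's or Cisco's tooling: parse the output of `systemextensionsctl list` and report any extension that is not in the `[activated enabled]` state, so it can run as a Jamf extension attribute or post-install check across a fleet. The sample output is constructed from the tab-separated layout of that command (enabled, active, teamID, bundleID (version), name, [state]); the `com.example.endpoint.netext` extension and its Team ID `EXAMPLE123` are placeholders, only the Cisco values come from this thread.

```python
"""Report system extensions that are not fully activated.

Added example for this thread (not Apple's or Cisco's code). Parses the
tab-separated output of `systemextensionsctl list`; verify the column
layout against a real machine before relying on it.
"""
import re
import subprocess

ANYCONNECT_EXT = "com.cisco.anyconnect.macos.acsockext"

# Constructed sample: the AnyConnect socket filter stuck waiting for the user
# (what the post above saw on Apple Silicon) next to an enabled placeholder
# extension. Team ID EXAMPLE123 and com.example.* are placeholders.
SAMPLE_OUTPUT = """2 extension(s)
--- com.apple.system_extension.network_extension
enabled\tactive\tteamID\tbundleID (version)\tname\t[state]
\t\tDE8Y96K9QP\tcom.cisco.anyconnect.macos.acsockext (4.9.04043/4.9.04043)\tCisco AnyConnect Socket Filter\t[activated waiting for user]
*\t*\tEXAMPLE123\tcom.example.endpoint.netext (1.0/1.0)\tExample Network Extension\t[activated enabled]
"""

STATE_RE = re.compile(r"\[(?P<state>[^\]]+)\]\s*$")
BUNDLE_RE = re.compile(r"(?P<bid>\S+)\s+\((?P<ver>[^)]*)\)")


def parse_list(output):
    """Return one dict per extension row: team, bundle_id, version, name, state."""
    entries = []
    for line in output.splitlines():
        # Only extension rows end in a [state] tag; the header row also does, skip it.
        if line.startswith("enabled") or not STATE_RE.search(line):
            continue
        cols = line.split("\t")
        if len(cols) < 6:
            continue
        enabled, active, team, bundle, name, state = cols[:6]
        m = BUNDLE_RE.match(bundle.strip())
        entries.append({
            "enabled": enabled.strip() == "*",
            "active": active.strip() == "*",
            "team": team.strip(),
            "bundle_id": m.group("bid") if m else bundle.strip(),
            "version": m.group("ver") if m else "",
            "name": name.strip(),
            "state": STATE_RE.search(state).group("state"),
        })
    return entries


def extension_state(output, bundle_id=ANYCONNECT_EXT):
    """State string for bundle_id, or None if it is not listed at all
    (another symptom seen in this thread: installed but absent from the list)."""
    for e in parse_list(output):
        if e["bundle_id"] == bundle_id:
            return e["state"]
    return None


def needs_attention(output):
    """Bundle IDs whose state is anything other than 'activated enabled'."""
    return [e["bundle_id"] for e in parse_list(output) if e["state"] != "activated enabled"]


if __name__ == "__main__":
    # Jamf extension attribute style result: wrap the value in <result> tags.
    out = subprocess.run(["systemextensionsctl", "list"], capture_output=True,
                         text=True, check=False).stdout
    print(f"<result>{extension_state(out) or 'not listed'}</result>")
```

Scoped to a Smart Group on the `<result>` value, this separates the "waiting for user" machines (profile arrived after the extension, or not at all) from the ones where the extension is simply missing, which need the package reinstalled rather than the profile re-pushed.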
Posted on 12-08-2020 08:13 AM
Issue resolved with Big Sur on Apple Silicon. I had to reinstall the same version of Cisco AnyConnect to resolve the issue. Nothing else changed. :)
Posted on 12-08-2020 05:54 PM
It does appear that the configuration profile needs to be pushed before the AnyConnect install happens.
Posted on 12-15-2020 01:00 PM
I copied the text from the PDF and the Cisco website and code signed this profile. I get this error.
Posted on 12-15-2020 01:16 PM
This is my file I'm trying to upload.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <!-- Kernel extension approval (used by AnyConnect on Catalina and earlier) -->
        <dict>
            <key>AllowUserOverrides</key>
            <true/>
            <key>AllowedKernelExtensions</key>
            <dict>
                <key>DE8Y96K9QP</key>
                <array>
                    <string>com.cisco.kext.acsock</string>
                </array>
            </dict>
            <key>PayloadDescription</key>
            <string></string>
            <key>PayloadDisplayName</key>
            <string>AnyConnect Kernel Extension</string>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>37C29CF2-A783-411D-B2C7-100EDDFBE223</string>
            <key>PayloadOrganization</key>
            <string>Cisco Systems, Inc.</string>
            <key>PayloadType</key>
            <string>com.apple.syspolicy.kernel-extension-policy</string>
            <key>PayloadUUID</key>
            <string>37C29CF2-A783-411D-B2C7-100EDDFBE223</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <!-- System extension approval (Big Sur) -->
        <dict>
            <key>AllowUserOverrides</key>
            <true/>
            <key>AllowedSystemExtensions</key>
            <dict>
                <key>DE8Y96K9QP</key>
                <array>
                    <string>com.cisco.anyconnect.macos.acsockext</string>
                </array>
            </dict>
            <key>PayloadDescription</key>
            <string></string>
            <key>PayloadDisplayName</key>
            <string>AnyConnect System Extension</string>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>A8364220-5D8D-40A9-Af66-1Fbfef94E116</string>
            <key>PayloadOrganization</key>
            <string>Cisco Systems, Inc.</string>
            <key>PayloadType</key>
            <string>com.apple.system-extension-policy</string>
            <key>PayloadUUID</key>
            <string>A8364220-5D8D-40A9-Af66-1Fbfef94E116</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <!-- Web content filter: pre-approves the socket filter provided by the system extension -->
        <dict>
            <key>Enabled</key>
            <true/>
            <key>AutoFilterEnabled</key>
            <false/>
            <key>FilterBrowsers</key>
            <false/>
            <key>FilterSockets</key>
            <true/>
            <key>FilterPackets</key>
            <false/>
            <key>FilterType</key>
            <string>Plugin</string>
            <key>FilterGrade</key>
            <string>firewall</string>
            <key>PayloadDescription</key>
            <string></string>
            <key>PayloadDisplayName</key>
            <string>Cisco AnyConnect Content Filter</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.webcontent-filter.339Ec532-9Ada-480A-Bf3D-A535F0F0B665</string>
            <key>PayloadType</key>
            <string>com.apple.webcontent-filter</string>
            <key>PayloadUUID</key>
            <string>339Ec532-9Ada-480A-Bf3D-A535F0F0B665</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>FilterDataProviderBundleIdentifier</key>
            <string>com.cisco.anyconnect.macos.acsockext</string>
            <key>FilterDataProviderDesignatedRequirement</key>
            <string>anchor apple generic and identifier "com.cisco.anyconnect.macos.acsockext" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP)</string>
            <key>PluginBundleID</key>
            <string>com.cisco.anyconnect.macos.acsock</string>
            <key>UserDefinedName</key>
            <string>Cisco AnyConnect Content Filter</string>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string></string>
    <key>PayloadDisplayName</key>
    <string>Approved AnyConnect System and Kernel Extensions</string>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadIdentifier</key>
    <string>A401Bdc2-4Ab1-4406-A143-11F077Baf52B</string>
    <key>PayloadOrganization</key>
    <string>Cisco Systems, Inc.</string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>A401Bdc2-4Ab1-4406-A143-11F077Baf52B</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
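A pre-upload check for a profile like the one just posted, as an added example that is not part of this thread or of Cisco's or Jamf's tooling. It reads the unsigned .mobileconfig with the standard-library plist parser and flags the problems that surface in this thread: duplicate PayloadUUIDs, a content-filter payload whose FilterDataProviderBundleIdentifier is not covered by AllowedSystemExtensions, a Designated Requirement that does not pin the Team ID, and a leftover kernel-extension payload. The embedded sample is a constructed, trimmed copy of the posted profile; the Cisco Team ID and bundle identifiers are the real values from it, the `com.example.*` PayloadIdentifiers are placeholders.

```python
"""Sanity-check an unsigned AnyConnect .mobileconfig before uploading it.

Added example for this thread, not Cisco's or Jamf's code. Run it BEFORE
signing: a signed profile is CMS-wrapped and plistlib cannot read it as-is.
"""
import plistlib
import re
import sys

SYSEXT = "com.apple.system-extension-policy"
KEXT = "com.apple.syspolicy.kernel-extension-policy"
WEBFILTER = "com.apple.webcontent-filter"

# Constructed sample modelled on the profile posted above. Team ID and Cisco
# bundle IDs are the real values from that profile; com.example.* are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadScope</key><string>System</string>
<key>PayloadIdentifier</key><string>com.example.anyconnect.bigsur</string>
<key>PayloadUUID</key><string>A401BDC2-4AB1-4406-A143-11F077BAF52B</string>
<key>PayloadVersion</key><integer>1</integer>
<key>PayloadContent</key><array>
<dict>
<key>PayloadType</key><string>com.apple.system-extension-policy</string>
<key>PayloadIdentifier</key><string>com.example.anyconnect.sysext</string>
<key>PayloadUUID</key><string>A8364220-5D8D-40A9-AF66-1FBFEF94E116</string>
<key>PayloadVersion</key><integer>1</integer>
<key>AllowUserOverrides</key><true/>
<key>AllowedSystemExtensions</key><dict>
<key>DE8Y96K9QP</key><array><string>com.cisco.anyconnect.macos.acsockext</string></array>
</dict></dict>
<dict>
<key>PayloadType</key><string>com.apple.webcontent-filter</string>
<key>PayloadIdentifier</key><string>com.example.anyconnect.filter</string>
<key>PayloadUUID</key><string>339EC532-9ADA-480A-BF3D-A535F0F0B665</string>
<key>PayloadVersion</key><integer>1</integer>
<key>FilterType</key><string>Plugin</string>
<key>FilterGrade</key><string>firewall</string>
<key>FilterSockets</key><true/>
<key>FilterPackets</key><false/>
<key>PluginBundleID</key><string>com.cisco.anyconnect.macos.acsock</string>
<key>FilterDataProviderBundleIdentifier</key><string>com.cisco.anyconnect.macos.acsockext</string>
<key>FilterDataProviderDesignatedRequirement</key><string>anchor apple generic and identifier "com.cisco.anyconnect.macos.acsockext" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP)</string>
</dict>
</array></dict></plist>
"""


def _check_filter(p, allowed):
    """Findings for one webcontent-filter payload; `allowed` maps bundle ID -> Team ID."""
    out = []
    if p.get("FilterType") != "Plugin" or not p.get("FilterSockets"):
        out.append("content filter must be FilterType=Plugin with FilterSockets=true")
    provider = p.get("FilterDataProviderBundleIdentifier", "")
    team = allowed.get(provider)
    if team is None:
        out.append(f"filter provider {provider!r} is not listed under AllowedSystemExtensions")
    dr = p.get("FilterDataProviderDesignatedRequirement", "")
    if f'identifier "{provider}"' not in dr:
        out.append("designated requirement does not pin the provider bundle identifier")
    if team and not re.search(r"subject\.OU\]\s*=\s*" + re.escape(team), dr):
        out.append(f"designated requirement does not pin Team ID {team}")
    return out


def validate_profile(profile):
    """Return a list of findings; an empty list means the profile passed."""
    findings = []
    if profile.get("PayloadType") != "Configuration":
        findings.append("top-level PayloadType must be 'Configuration'")
    if profile.get("PayloadScope") != "System":
        findings.append("PayloadScope should be 'System': extension approval is machine-wide")
    payloads = profile.get("PayloadContent", [])
    uuids = [profile.get("PayloadUUID")] + [p.get("PayloadUUID") for p in payloads]
    dupes = sorted({u for u in uuids if uuids.count(u) > 1}, key=str)
    if dupes:
        findings.append(f"duplicate PayloadUUID(s): {dupes}")
    allowed = {}  # bundle ID -> Team ID, collected from every system-extension payload
    for p in payloads:
        if p.get("PayloadType") == SYSEXT:
            for team, ids in p.get("AllowedSystemExtensions", {}).items():
                allowed.update({bid: team for bid in ids})
    if not allowed:
        findings.append(f"no {SYSEXT} payload with AllowedSystemExtensions")
    filters = [p for p in payloads if p.get("PayloadType") == WEBFILTER]
    if not filters:
        findings.append(f"no {WEBFILTER} payload: the socket-filter prompt will still appear")
    for p in filters:
        findings += _check_filter(p, allowed)
    if any(p.get("PayloadType") == KEXT for p in payloads):
        findings.append("kernel-extension payload present: only needed on Catalina/Mojave and "
                        "reported above to fail on Apple Silicon; ship it as a separate profile")
    return findings


def sample_profile():
    return plistlib.loads(SAMPLE_PROFILE)


def validate_sample():
    return validate_profile(sample_profile())


def validate_file(path):
    with open(path, "rb") as fh:
        return validate_profile(plistlib.load(fh))


if __name__ == "__main__":
    problems = validate_file(sys.argv[1]) if len(sys.argv) > 1 else validate_sample()
    for line in problems:
        print("PROBLEM:", line)
    sys.exit(1 if problems else 0)
```

The Team ID check on the Designated Requirement matters more than it looks: the requirement is what macOS uses to decide which binary may act as the filter data provider, and a requirement that only names the bundle identifier would accept any signed binary that claims that identifier. Note that the check only catches problems inside the file; the duplicate-UUID clash with a profile already on the Jamf server (the fix further down in this thread) has to be checked against the server.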
Posted on 12-16-2020 08:46 AM
Check to see if you've already got a version uploaded, or if you have an unsigned profile with the same UUID already on the server. If so, delete the existing items and try uploading again.
Posted on 12-16-2020 09:17 AM
@merps Thanks this fixed my issue.
Posted on 12-30-2020 05:05 PM
Still newish to Jamf / macOS but having issues with Cisco 4.9
Here is my Configuration Profile. What am I missing?
Jamf Pro 10.26.0
Posted on 01-04-2021 11:07 PM
@sgiesbrecht: Hello sgiesbrecht, first, I wish you a great and healthy 2021 :-) I think the issues you write about relate to Big Sur, but you do not write what kind of issues they are. It would be helpful to know what kind of issues you face, to be able to help you find a solution.
Are there any messages appearing? What does the logfile say?
Posted on 01-05-2021 11:57 PM
@NOVELLUS I have it solved and it is now working with 1 minor issue, which I think is more of an application issue than an installation one. My issue was the System Extension setup. I will post my settings when my server is back up (if anyone wants the screenshots); I'm making changes right now.
Posted on 01-20-2021 04:38 AM
@sgiesbrecht yes, could you please share your profile and some screenshots if possible? It still doesn't work on an M1 Mac running Big Sur 11.1!
Posted on 01-20-2021 04:38 AM
@NOVELLUS Could you please share the config profile that worked for you? I'm testing on an M1 Mac running Big Sur 11.1 using the sample profile provided by Cisco and still have no success.
Any thoughts?
Posted on 01-20-2021 04:39 AM
@NOVELLUS could you please share the profile you deployed? For me the sample config profile from Cisco didn't work on an M1 Mac running Big Sur 11.1!!
Posted on 01-25-2021 04:59 AM
@MacJunior Hi, please excuse my late response, I am not here every day. I am sorry, we do not have any M1 Macs, so there is no profile for them that I could share.
Posted on 01-26-2021 05:38 PM
This is what I have for my profile and I still get the warning about the "Socket Filter"
Any ideas?
Posted on 02-01-2021 12:13 PM
@keric @sgiesbrecht @NOVELLUS are you only installing this cisco anyconnect system extension on Big Sur systems?
does it matter if it also gets installed on 10.14 Mojave and 10.15 Catalina systems?
Posted on 03-01-2021 02:52 PM
So, my content filter settings look just like the ones above from @ericsontech, but I'm still having issues on Big Sur. When the profile is installed I only get one new entry in the network adapters list. When I install AnyConnect 4.9, I'm still prompted to allow the filtering, and then I get 3 items added to the network adapters list. Has anyone gotten the filtering part working?
Posted on 03-01-2021 03:31 PM
Scratch that. I re-uploaded the profile again and that seems to have resolved the issue
Posted on 03-09-2021 03:23 PM
I just started testing with Big Sur 11.2.2 and AnyConnect 4.9.04043 on Intel architecture and I can't get the System Extension to be allowed without a user prompt. I've tried with just the Team ID, with the NetworkExtension extension type, and with the extension name, and it never stops prompting. I've rebooted between every attempt, even tried a fresh system.
I haven't even gotten to the web filtering part yet. The SentinelOne entry at the bottom of the screenshot worked with no problem. At this point I wonder if it's an app issue. Any advice?
Posted on 03-11-2021 03:19 AM
This is how I get the installation of Cisco AnyConnect without any user prompt.
We only install the VPN client (Cisco AnyConnect VPN).
Posted on 03-24-2021 01:28 PM
Has anyone figured out how to configure the notification payload?
(Can't seem to find the correct App Name & Bundle ID combination...)
Posted on 03-24-2021 01:51 PM
@jon.verret We have it configured this way. One thing I learned is that the Configuration Profile has to be installed on the Mac BEFORE AnyConnect drops the system extension. If the system extension is on there first, the user must approve. It's just how system extensions work and is kinda dumb; it's not a JAMF thing. It is possible to remove a System Extension, but you have to disable SIP first, at least for now according to the binary's notification. The screenshot below is the configuration profile that resulted from a JAMF ticket on this matter.
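One way to enforce the ordering described in the post above, as an added example that is not part of this thread or of Jamf's or Cisco's tooling: a pre-install gate that refuses to run the AnyConnect installer until a computer-level profile allowing the socket-filter system extension is already on the machine. It assumes that `profiles -C -o stdout-xml` prints the installed profiles as a plist whose `_computerlevel` array holds one dict per profile, each with `ProfileItems` entries carrying `PayloadType` and `PayloadContent`; the `SAMPLE_PROFILES` dict is a constructed stand-in for that output, and `com.example.anyconnect.bigsur` is a placeholder identifier.

```python
"""Refuse to install AnyConnect before its system-extension approval profile is in place.

Added example for this thread, not Jamf's or Cisco's code. Assumes the
`profiles -C -o stdout-xml` plist layout described in the lead-in.
"""
import plistlib
import subprocess
import sys

SYSEXT_PAYLOAD = "com.apple.system-extension-policy"
ANYCONNECT_TEAM = "DE8Y96K9QP"
ANYCONNECT_EXT = "com.cisco.anyconnect.macos.acsockext"

# Constructed sample of the assumed `profiles` output with the approval profile present.
SAMPLE_PROFILES = {
    "_computerlevel": [
        {
            "ProfileIdentifier": "com.example.anyconnect.bigsur",  # placeholder
            "ProfileItems": [
                {
                    "PayloadType": SYSEXT_PAYLOAD,
                    "PayloadContent": {
                        "AllowUserOverrides": True,
                        "AllowedSystemExtensions": {ANYCONNECT_TEAM: [ANYCONNECT_EXT]},
                    },
                }
            ],
        }
    ]
}


def sysext_allowed(profiles_plist, team=ANYCONNECT_TEAM, bundle_id=ANYCONNECT_EXT):
    """True if any installed computer-level profile allows bundle_id under team."""
    for prof in profiles_plist.get("_computerlevel", []):
        for item in prof.get("ProfileItems", []):
            if item.get("PayloadType") != SYSEXT_PAYLOAD:
                continue
            allowed = item.get("PayloadContent", {}).get("AllowedSystemExtensions", {})
            if bundle_id in allowed.get(team, []):
                return True
    return False


def installed_profiles():
    """Parse the installed-profiles plist (needs root; assumed command and layout)."""
    out = subprocess.run(["profiles", "-C", "-o", "stdout-xml"],
                         capture_output=True, check=True).stdout
    return plistlib.loads(out)


def main(pkg_path):
    if not sysext_allowed(installed_profiles()):
        print("Approval profile for", ANYCONNECT_EXT, "not installed yet; not installing", pkg_path)
        return 1  # non-zero so the Jamf policy shows as failed and can be retried
    return subprocess.run(["installer", "-pkg", pkg_path, "-target", "/"], check=False).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))
```

Used as the script step of the install policy, a failed run means the profile has not reached the machine yet rather than a broken package, and the policy can simply be retried once the profile is in scope.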
Posted on 03-24-2021 02:33 PM
@AJPinto Hey thanks for the response. I appreciate the screen caps, those are helpful to validate what I'm already deploying, which is working.
I was curious if anyone had managed to successfully configure the Notifications payload in the same profile for AnyConnect notification settings. Have you played with that at all?
Posted on 04-15-2021 10:50 AM
I've got a related problem in that the Configuration Profile supplied by an Apple engineer works perfectly on Big Sur on Intel but deploys and doesn't work on Big Sur M1 Macs. I opened a ticket with AppleCare and was told to try AnyConnect 4.9.06037.
I'm looking forward to getting my hands on it to test.
Anyone tried it yet?
- Scott
Posted on 04-21-2021 02:55 PM
4.10 Fixes it.
Posted on 05-10-2021 10:02 AM
I got everything in place based on this Cisco guide:
AnyConnect Changes Related to macOS 11 (Big Sur)
Installed 4.10.00093 just a minute ago, but no joy; it still requires the extension to be approved manually. :(
Posted on 05-12-2021 04:14 AM
@NOVELLUS Can you explain how you managed to install AnyConnect without the socket filter? Since you don't use a content filter policy, it looks like you really just have the VPN client installed. Even when we install manually and unselect all options, the socket filter app gets installed along with the Secure Mobility Client.
regards
jeremias
Posted on 05-12-2021 06:23 AM
@jexon we are using "anyconnect-macos-4.9.04043-core-vpn-webdeploy-k9.pkg". This installs only the VPN client.
In addition to this, we are deploying a configuration profile with settings for system extensions and content filtering as seen below. This works for us. The installation runs silently.
When the user connects to our VPN, the newest version of AnyConnect is downloaded and installed automatically.
We do not have any M1 Macs at this time.
Posted on 05-18-2021 11:34 AM
For M1 Macs I had to remove the kernel extension settings from the config profile, and then it installed without error.
I still have the popup, but I think it's because AnyConnect was already installed. One odd thing: if I run systemextensionsctl list it does not show up (the Sophos one I have does show up), so I'm not really sure this is working correctly. This is AnyConnect 4.9.04043.
Posted on 05-26-2021 03:35 AM
At the moment there seem to be DNS issues with Big Sur 11.4 and Cisco AnyConnect 4.10.01075; it randomly works on and off, and Cisco reports it is a known issue.
Posted on 05-31-2021 08:00 AM
Seems like all the AnyConnect profiles that worked till now are no longer compatible with 11.4, throwing errors. Running 4.10.00093.
Error Code 10 The operation couldn't be completed. (SPErrorDomain error 10.)
The good news is they work again in 11.5 according to the devices we have deployed in the field running the beta with the same client version. I haven't verified that they actually apply, but I'm just not seeing the same errors.
Posted on 05-31-2021 07:06 PM
The Socket Filter is causing the DNS issues. After removing the Socket Filter payload, the DNS issues stopped for me. And we're still able to manage as we did with Kernel Extensions and macOS 10.x.
Posted on 09-24-2021 08:58 AM
Were you able to confirm this? We are seeing the VPN/DNS error and are wondering if this is our issue as well. Just want to make sure someone confirmed it for sure before removing this profile. We're running AnyConnect 4.10.02086.