Big Sur and Cisco Anyconnect

Anonymous
Not applicable

First a warm "hello" to the community :-)
I hope you're well and stable in these unstable times.

Now to my topic, bound to my hope that someone can help me find a solution:

We are using Cisco Anyconnect, and our install procedure for macOS Catalina (and Mojave) was working very well. We had created a configuration profile with the needed kernel exceptions, and with this configuration profile we installed Cisco Anyconnect "silently".

Big Sur has modified its security options, and these changes are the reason that the formerly well-working procedure no longer works.

Now the user has to accept some security questions (like "is Cisco Anyconnect allowed to filter the network traffic") and has to enable them in the system settings.

Has anyone found a way to install Cisco Anyconnect without these conditions?

Thank you very much for answering and

kind regards,

Michael



mickl089
Contributor III

That can't be a solution from Cisco Support, or am I mistaken? I have a different view of support quality...

jameson
Contributor II

Seems disabling Umbrella also does the trick, even though it is not a very good workaround. But I simply also cannot understand how Cisco are not up to date with their software. They have several months to test new versions coming for Mac, and it seems they first test their software after the releases have been made. And now they just point to Apple and say they should fix it in a new version.

mickl089
Contributor III

We have the same problems and Umbrella is not in use... but apparently this is the trend of developers nowadays. Example: Big Sur was released in the fall of 2020; only in March 2021 was a final compatible version of Sophos Endpoint rolled out, and until then Sophos was not running under Big Sur. Sad story if you think about how long the Big Sur beta versions were already available.

jameson
Contributor II

Yes, Umbrella removal is also not a workaround. Did some testing where it worked without Umbrella, but it is just random, as it can sometimes work temporarily if you, say, re-install or restart the client, but later it then fails again.

So it is really difficult to find an error that is happening at random.

jameson
Contributor II

11.5 Beta Big Sur also does not solve anything. It worked some hours, but now again I cannot connect to server names.

mickl089
Contributor III

Our company is changing from Cisco to Forti, not only because of these errors...

Ditto here as well. I'm sad the org (a merger of 5 companies from last year) that I'm part of is going away from Global Protect.

julesj
New Contributor

@jameson I am experiencing the same, after Jamf Pro pushes the config profile. We can no longer ping our AD FQ'd domain name. I have submitted a support request to Cisco and have spent much time on this, as have many other Jamfers out there.

rlindenmuth
New Contributor III

I've got AnyConnect running on Big Sur thanks to the tips here, but am having issues reinstalling the app if it's been removed. Has anyone had success reinstalling?

In testing I had a user uninstall AnyConnect and DART using the uninstallers in the Applications folder. We performed the testing needed and then pushed the app back out. Now we are getting the errors in the attached screenshots. There are no system extensions to install, and we did not remove the config profile during the uninstall process; it's all still in place from the initial install. The system extension warning pops up every 10 seconds or so, making the Mac unusable. I can repeat this on other Macs as well.


Anonymous
Not applicable

@rlindenmuth Hi, did you restart after installing and removing the Anyconnect client? As far as I know, a reboot is required for Anyconnect to work.

Maybe this link will help you for removing the client: http://kb.mit.edu/confluence/display/mitcontrib/Cisco+Anyconnect+Manual+uninstall+Mac+OS

rlindenmuth
New Contributor III

We've rebooted and have tried both manual uninstall and uninstall via the app, both to no avail.

bmee
Contributor

Anyone having issues with AnyConnect denying the system from pulling the softwareupdate list?
Below are the error messages I saw in the console.

System Policy: com.cisco.anycon(306) deny(1) system-privilege 10006

Violation:       deny(1) system-privilege 10006

Process:         com.cisco.anycon [306]

Path:            /Library/SystemExtensions/4EBB3FEE-890F-4AA7-9628-1DDAF928C676/com.cisco.anyconnect.macos.acsockext.systemextension/Contents/MacOS/com.cisco.anyconnect.macos.acsockext

Load Address:    0x10eddd000

Identifier:      com.cisco.anyconnect.macos.acsockext

Version:         4.10.03104 (4.10.03104)

Code Type:       x86_64 (Native)

gloper1977
Contributor

Don't know if people are still struggling to create a custom Anyconnect PKG, but I found this from someone a while ago, saved it to a text file and keep it in a folder on our share. Don't remember the source. Obviously you can use any temp directory; I just do it from my Downloads folder.

Use directory: cd /Library/Application\ Support/tmp

  1. Download anyconnect-macos-4.10.03104-predeploy-k9.dmg from Cisco (or your vendor) and open it via the installer (double-click it in Finder).
  2. Drag the AnyConnect.pkg file inside the .dmg to your tmp folder (for simplicity) and then do @MikeF's steps (4-9 below):
  3. Open Terminal and cd /Library/Application\ Support/tmp
  4. pkgutil --expand AnyConnect.pkg AnyConnectVPN
  5. Go to the tmp folder and open the AnyConnectVPN folder
  6. Open the AnyConnectVPN/Distribution file
  7. Look for the <choices-outline> <line choice="choice_vpn"/> lines starting around line. Delete the ones you don't need and save. (I used Xcode to edit the file)
  8. pkgutil --flatten AnyConnectVPN AnyConnect_4.10.03104.pkg
  9. Upload that pkg file to the JSS and go from there in however you want to deploy it.
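Steps 4 to 8 above, done by script so the edit to the Distribution file is repeatable; this is an added example, not code from the thread or from Cisco. It assumes the flat, self-closing `<line choice="..."/>` form the post quotes, and the sample Distribution and choice ids other than choice_vpn are constructed for the demo.

```shell
# Added example, not from the thread: keeps only the named choices in the
# <choices-outline> of an expanded AnyConnect Distribution file, then flattens.
# Assumes flat, self-closing <line choice="..."/> entries (no nested children).

# keep_choices SRC DST choice...  -> writes DST with only the named choices kept
keep_choices() {
  src=$1; dst=$2; shift 2
  keep=" $* "
  awk -v keep="$keep" '
    /<choices-outline>/   { inside = 1; print; next }
    /<\/choices-outline>/ { inside = 0; print; next }
    inside && match($0, /choice="[^"]*"/) {
      id = substr($0, RSTART + 8, RLENGTH - 9)      # text between the quotes
      if (index(keep, " " id " ") == 0) next        # drop an unwanted choice
    }
    { print }
  ' "$src" > "$dst"
}

# count_choices FILE -> number of <line choice=.../> entries left in the outline
count_choices() { grep -c '<line choice=' "$1"; }

# build_trimmed_pkg IN.pkg OUT.pkg choice...  (macOS only: needs pkgutil)
build_trimmed_pkg() {
  pkg=$1; out=$2; shift 2
  work=$(mktemp -d)
  pkgutil --expand "$pkg" "$work/AnyConnectVPN"
  keep_choices "$work/AnyConnectVPN/Distribution" "$work/Distribution.new" "$@"
  mv "$work/Distribution.new" "$work/AnyConnectVPN/Distribution"
  pkgutil --flatten "$work/AnyConnectVPN" "$out"
  rm -rf "$work"
}

# Constructed sample Distribution (ids other than choice_vpn are made up here)
WORKDIR=$(mktemp -d)
SAMPLE="$WORKDIR/Distribution"
TRIMMED="$WORKDIR/Distribution.trimmed"
cat > "$SAMPLE" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
    <choices-outline>
        <line choice="choice_vpn"/>
        <line choice="choice_dart"/>
        <line choice="choice_umbrella"/>
    </choices-outline>
</installer-gui-script>
EOF
keep_choices "$SAMPLE" "$TRIMMED" choice_vpn   # leaves only the VPN choice
```

On a Mac, `build_trimmed_pkg AnyConnect.pkg AnyConnect_4.10.03104.pkg choice_vpn` performs the whole expand, edit and flatten sequence in one go.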

Anonymous
Not applicable

We don't need to pack a custom package. We can download our Anyconnect package by entering the URL of our VPN in a web browser. After logging in to the site, Anyconnect is provided for the operating system of the connected client (Mac or Windows). The package contains only the needed part of Anyconnect (the VPN client, without the other pieces).
We face problems with the detection of the update server, too. After disconnecting the "Cisco AnyConnect Socket Filter", the update server is reachable and the macOS updates can be run.

That sounds more like a Cisco problem than a Mac problem.