Big Sur and Cisco Anyconnect

NOVELLUS
Contributor

First a warm "hello" to the community 🙂
I hope you're well and stable in these unstable times.

Now to my topic, bound to my hope that someone can help me find a solution:

We are using Cisco AnyConnect, and our install procedure for macOS Catalina (and Mojave) was working very well. We had created a configuration profile with the needed kernel extension exceptions, and with this configuration profile we installed Cisco AnyConnect silently.

Big Sur has modified its security options, and these changes are the reason that the formerly well-working procedure no longer works.

Now the user has to accept some security questions (like "Is Cisco AnyConnect allowed to filter the network traffic?") and has to enable them in the system settings.

Has anyone found a way to install Cisco AnyConnect without these conditions?

Thank you very much for answering and

kind regards,

Michael


Tribruin
Contributor III

With Big Sur you need to approve the System Extension instead of the Kernel extension. In addition, you need to add a Web Content Filter profile to approve the Web Filter.

For the System Extension, create a new Configuration Profile in Jamf. Select System Extensions and choose Allowed System Extensions. Add the Team ID: DE8Y96K9QP and add approved system extension id com.cisco.anyconnect.macos.acsockext.

For the web filter it is a little harder, because Jamf Pro 10.25.2 does not currently support the Web Content Filter payload. You can use ProfileCreator or iMazing Profile Editor to create the Web Content Filter. Cisco provides the correct settings in this document:

Cisco AnyConnect

Just remember, if you create your profile and upload it to Jamf Pro, you should sign it before you upload it to ensure that Jamf does not modify it.

_gsm
New Contributor III

Hi Michael,

There is the text of a configuration profile in the following advisory document. You can copy it into a text editor and save it as a .mobileconfig. I had to sign it using ProfileCreator and a certificate generated from Jamf.

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/upgrade/AnyConnect_macOS_BigSur_Advisory.html

Instructions for signing the profile.

https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority

jameson
Contributor II

Can anyone share a working profile from ProfileCreator (of course it does not need to be signed)? I can't get the socket filter to enable automatically without the popup. Trying on a brand new MacBook Pro with M1 chipset.

_gsm
New Contributor III

There's one in the Cisco document on page 10. Copy and paste it into a text editor and save it as a .mobileconfig. Then you can sign it and upload it to Jamf.

EdLuo
Contributor

I copied it and saved it as a .mobileconfig file. Uploaded it to our Jamf Pro v10.26 server as a config profile and deployed it to my M1 MBA. The config profile failed to load. I then proceeded to remove the kernel extension piece, leaving the system extension and content filtering. The profile loaded successfully on the M1, but it failed to bypass the user popup prompt to allow the Cisco Socket Filter to load. Is the kernel extension portion needed on Big Sur? Can someone share screenshots of their working config profile for Cisco AnyConnect?

Tribruin
Contributor III

Kernel extension approval should not be needed for Big Sur (I don't have it enabled on my test computer). But my understanding is that if you push AnyConnect to Catalina or lower it will still use a KEXT instead of a SysExt. You will probably want to create two AnyConnect profiles: one for KEXT approval on Catalina or lower and one for SysExt on Big Sur (or higher), and create the appropriate Smart Groups and scopes.

EdLuo
Contributor

@RBlount Thanks for confirming that the kernel extension is not needed for Big Sur.

It seems like my test config profile worked only for Big Sur 11.0.1 running on an Intel CPU and not on the ARM CPU. Running this command

systemextensionsctl list

shows [activated enabled] for the Intel CPU and [activated waiting for user] on the M1 CPU. I ran

tccutil reset All

on both computers and reapplied the config profile just to confirm my previous result.
Is there anyone who can test this policy with an Apple Silicon computer?
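To turn the `systemextensionsctl list` check above into something scriptable, here is an added example (not code from the thread, Cisco or Jamf) that parses that command's output and reports the state of Cisco's socket filter extension, so the difference between "[activated enabled]" and "[activated waiting for user]" can drive a Jamf Extension Attribute or a policy gate. The sample output embedded in it is constructed to mirror the tab-separated layout of the real command; the Team ID and bundle ID of the placeholder endpoint extension in that sample are made up. On a Mac, pass it `live_output()` instead of the sample.

```python
"""Report whether the AnyConnect socket filter system extension is approved.

Added example, not code from the thread, Cisco or Jamf. Parses the output
of `systemextensionsctl list` so the extension state can be checked by a
script instead of being read off a terminal.
"""
import re
import subprocess

CISCO_TEAM_ID = "DE8Y96K9QP"                                # from the thread
SOCKET_FILTER_EXT = "com.cisco.anyconnect.macos.acsockext"   # Big Sur socket filter

# Constructed sample, modelled on the tab-separated layout of the real command.
# The first extension is a placeholder with a made-up Team ID and bundle ID.
SAMPLE_OUTPUT = (
    "2 extension(s)\n"
    "--- com.apple.system_extension.endpoint_security\n"
    "enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n"
    "*\t*\tABCDE12345\tcom.example.endpoint (1.0.0/1.0.0)\tExample Endpoint\t[activated enabled]\n"
    "--- com.apple.system_extension.network_extension\n"
    "enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n"
    "\t\tDE8Y96K9QP\tcom.cisco.anyconnect.macos.acsockext (4.9.04043/4.9.04043)\t"
    "Cisco AnyConnect Socket Filter\t[activated waiting for user]\n"
)

# One extension row: enabled flag, active flag, Team ID, "bundle (version)", name, [state].
ROW_RE = re.compile(
    r"^(?P<enabled>\*?)\t(?P<active>\*?)\t(?P<team>[A-Z0-9]{10})\t"
    r"(?P<bundle>\S+) \((?P<version>[^)]*)\)\t(?P<name>[^\t]*)\t\[(?P<state>[^\]]*)\]$"
)


def parse_extensions(output):
    """Return one dict per extension row; count, separator and header lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def socket_filter_state(output):
    """State string of Cisco's socket filter, or None when it is not staged at all
    (the case ostrowsp describes later in the thread, where it never shows up)."""
    for row in parse_extensions(output):
        if row["team"] == CISCO_TEAM_ID and row["bundle"] == SOCKET_FILTER_EXT:
            return row["state"]
    return None


def is_approved(output):
    """True only when the extension is activated and enabled with no user action pending."""
    return socket_filter_state(output) == "activated enabled"


def extension_attribute(output):
    """Result line in the format a Jamf Extension Attribute script prints."""
    return f"<result>{socket_filter_state(output) or 'not staged'}</result>"


def live_output():
    """Run the real command on a Mac; not exercised against the sample."""
    return subprocess.run(["systemextensionsctl", "list"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print(extension_attribute(SAMPLE_OUTPUT))
```

Matching on both the Team ID and the bundle ID, rather than the bundle ID alone, mirrors how the system-extension policy payload itself is keyed, so an extension with the same bundle ID signed by a different team does not pass.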

EdLuo
Contributor

Issue resolved with Big Sur on Apple Silicon. I had to reinstall the same version of Cisco AnyConnect to resolve the issue. Nothing else changed. 🙂

oliverr
Contributor

It does appear that the configuration profile needs to be pushed before the AnyConnect install happens.

KyleEricson
Valued Contributor

I copied the text from the PDF and the Cisco website and code-signed this profile. I get this error.
[screenshot]

KyleEricson
Valued Contributor

This is my file I'm trying to upload.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
      <dict>
      <key>PayloadContent</key>
      <array>
            <dict>
                  <key>AllowUserOverrides</key>
                  <true/>
                  <key>AllowedKernelExtensions</key>
                  <dict>
                        <key>DE8Y96K9QP</key>
                        <array>
                        <string>com.cisco.kext.acsock</string>
                        </array>
                  </dict>
                  <key>PayloadDescription</key>
                  <string></string>
                  <key>PayloadDisplayName</key>
                  <string>AnyConnect Kernel Extension</string>
                  <key>PayloadEnabled</key>
                  <true/>
                  <key>PayloadIdentifier</key>
                  <string>37C29CF2-A783-411D-B2C7-100EDDFBE223</string>
                  <key>PayloadOrganization</key>
                  <string>Cisco Systems, Inc.</string>
                  <key>PayloadType</key>
                  <string>com.apple.syspolicy.kernel-extension-policy</string>
                  <key>PayloadUUID</key>
                  <string>37C29CF2-A783-411D-B2C7-100EDDFBE223</string>
                  <key>PayloadVersion</key>
                  <integer>1</integer>
            </dict>
            <dict>
                  <key>AllowUserOverrides</key>
                  <true/>
                  <key>AllowedSystemExtensions</key>
                  <dict>
                        <key>DE8Y96K9QP</key>
                        <array>
                        <string>com.cisco.anyconnect.macos.acsockext</string>
                        </array>
                  </dict>
                  <key>PayloadDescription</key>
                  <string></string>
                  <key>PayloadDisplayName</key>
                  <string>AnyConnect System Extension</string>
                  <key>PayloadEnabled</key>
                  <true/>
                  <key>PayloadIdentifier</key>
                  <string>A8364220-5D8D-40A9-Af66-1Fbfef94E116</string>
                  <key>PayloadOrganization</key>
                  <string>Cisco Systems, Inc.</string>
                  <key>PayloadType</key>
                  <string>com.apple.system-extension-policy</string>
                  <key>PayloadUUID</key>
                  <string>A8364220-5D8D-40A9-Af66-1Fbfef94E116</string>
                  <key>PayloadVersion</key>
                  <integer>1</integer>
            </dict>
            <dict>
                  <key>Enabled</key>
                  <true/>
                  <key>AutoFilterEnabled</key>
                  <false/>
                  <key>FilterBrowsers</key>
                  <false/>
                  <key>FilterSockets</key>
                  <true/>
                  <key>FilterPackets</key>
                  <false/>
                  <key>FilterType</key>
                  <string>Plugin</string>
                  <key>FilterGrade</key>
                  <string>firewall</string>
                  <key>PayloadDescription</key>
                  <string></string>
                  <key>PayloadDisplayName</key>
                  <string>Cisco AnyConnect Content Filter</string>
                  <key>PayloadIdentifier</key>
                  <string>com.apple.webcontent-filter.339Ec532-9Ada-480A-Bf3D-A535F0F0B665</string>
                  <key>PayloadType</key>
                  <string>com.apple.webcontent-filter</string>
                  <key>PayloadUUID</key>
                  <string>339Ec532-9Ada-480A-Bf3D-A535F0F0B665</string>
                  <key>PayloadVersion</key>
                  <integer>1</integer>
                  <key>FilterDataProviderBundleIdentifier</key>
                  <string>com.cisco.anyconnect.macos.acsockext</string>
                  <key>FilterDataProviderDesignatedRequirement</key>
                  <string>anchor apple generic and identifier "com.cisco.anyconnect.macos.acsockext" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP)</string>
                  <key>PluginBundleID</key>
                  <string>com.cisco.anyconnect.macos.acsock</string>
                  <key>UserDefinedName</key>
                  <string>Cisco AnyConnect Content Filter</string>
            </dict>
      </array>
      <key>PayloadDescription</key>
      <string></string>
      <key>PayloadDisplayName</key>
      <string>Approved AnyConnect System and Kernel Extensions</string>
      <key>PayloadEnabled</key>
      <true/>
      <key>PayloadIdentifier</key>
      <string>A401Bdc2-4Ab1-4406-A143-11F077Baf52B</string>
      <key>PayloadOrganization</key>
      <string>Cisco Systems, Inc.</string>
      <key>PayloadRemovalDisallowed</key>
      <true/>
      <key>PayloadScope</key>
      <string>System</string>
      <key>PayloadType</key>
      <string>Configuration</string>
      <key>PayloadUUID</key>
      <string>A401Bdc2-4Ab1-4406-A143-11F077Baf52B</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
</dict>
</plist>
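Before signing and uploading, it is worth checking a profile like the one above mechanically for the relationships Tribruin describes earlier in the thread: the Team ID plus system extension ID in the system-extension policy, and a content-filter payload that points at that same extension. The following is an added example, not code from the thread, Cisco or Jamf. It parses a .mobileconfig with Python's plistlib and reports inconsistencies, and it builds a constructed sample profile with the same payloads and identifiers as the one posted above (with fresh UUIDs) to run against. The Apple Silicon switch reflects the reports in this thread that the profile would not load on M1 Macs until the kernel-extension payload was removed; the checks for a missing content filter, `System` scope and duplicate UUIDs are my own sanity checks, not anything Cisco documents.

```python
"""Consistency check for an AnyConnect Big Sur .mobileconfig before signing it.

Added example; not from the thread, Cisco's advisory or Jamf. Standard library only.
"""
import plistlib
import sys
import uuid

CISCO_TEAM_ID = "DE8Y96K9QP"                                # Cisco Team ID, as in the thread
SOCKET_FILTER_EXT = "com.cisco.anyconnect.macos.acsockext"   # Big Sur system extension
SOCKET_FILTER_KEXT = "com.cisco.kext.acsock"                # legacy kext, Catalina and earlier

SYSEXT_POLICY = "com.apple.system-extension-policy"
KEXT_POLICY = "com.apple.syspolicy.kernel-extension-policy"
CONTENT_FILTER = "com.apple.webcontent-filter"

# Designated requirement from the posted profile: Apple-issued chain, Cisco's Team ID in the OU.
DESIGNATED_REQUIREMENT = (
    f'anchor apple generic and identifier "{SOCKET_FILTER_EXT}" and '
    "(certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or "
    "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
    "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
    f"certificate leaf[subject.OU] = {CISCO_TEAM_ID})"
)


def payloads_of_type(profile, payload_type):
    return [p for p in profile.get("PayloadContent", []) if p.get("PayloadType") == payload_type]


def check_profile(profile_bytes, apple_silicon=False):
    """Return a list of problems; an empty list means the payloads agree with each other."""
    profile = plistlib.loads(profile_bytes)
    problems = []

    if profile.get("PayloadScope") != "System":
        problems.append("PayloadScope must be System for extension and filter approval")

    # 1. The socket filter must be allowed under Cisco's Team ID, not just any Team ID.
    allowed = {(team, ext)
               for p in payloads_of_type(profile, SYSEXT_POLICY)
               for team, exts in p.get("AllowedSystemExtensions", {}).items()
               for ext in exts}
    if (CISCO_TEAM_ID, SOCKET_FILTER_EXT) not in allowed:
        problems.append(f"no system-extension policy allows {SOCKET_FILTER_EXT} for team {CISCO_TEAM_ID}")

    # 2. The content filter must name that same extension and be pinned to Cisco's signature.
    filters = payloads_of_type(profile, CONTENT_FILTER)
    if not filters:
        problems.append("no com.apple.webcontent-filter payload; the socket filter prompt will still appear")
    for f in filters:
        if f.get("FilterDataProviderBundleIdentifier") != SOCKET_FILTER_EXT:
            problems.append("FilterDataProviderBundleIdentifier does not name the socket filter extension")
        req = f.get("FilterDataProviderDesignatedRequirement", "")
        if f'identifier "{SOCKET_FILTER_EXT}"' not in req or CISCO_TEAM_ID not in req:
            problems.append("designated requirement is not pinned to Cisco's extension identifier and Team ID")
        if f.get("FilterType") != "Plugin" or not f.get("FilterSockets"):
            problems.append("content filter must be FilterType=Plugin with FilterSockets=true")

    # 3. Kext payload: harmless on Intel, but reported in the thread to stop the profile loading on M1.
    if apple_silicon and payloads_of_type(profile, KEXT_POLICY):
        problems.append("kernel-extension payload present; remove it for Apple Silicon Macs")

    # 4. Every payload needs a distinct UUID.
    uuids = [profile.get("PayloadUUID")] + [p.get("PayloadUUID") for p in profile.get("PayloadContent", [])]
    if len(uuids) != len(set(uuids)):
        problems.append("duplicate PayloadUUID values")
    return problems


def strip_payload_type(profile_bytes, payload_type):
    """Copy of the profile without payloads of one type, e.g. an M1 variant without the kext policy."""
    profile = plistlib.loads(profile_bytes)
    profile["PayloadContent"] = [p for p in profile["PayloadContent"] if p.get("PayloadType") != payload_type]
    return plistlib.dumps(profile)


def build_sample_profile():
    """Constructed sample with the same payloads and identifiers as the posted profile, fresh UUIDs."""
    def payload(payload_type, name, **extra):
        u = str(uuid.uuid4()).upper()
        return {"PayloadType": payload_type, "PayloadDisplayName": name, "PayloadEnabled": True,
                "PayloadIdentifier": u, "PayloadUUID": u, "PayloadVersion": 1,
                "PayloadOrganization": "Cisco Systems, Inc.", **extra}

    content = [
        payload(KEXT_POLICY, "AnyConnect Kernel Extension", AllowUserOverrides=True,
                AllowedKernelExtensions={CISCO_TEAM_ID: [SOCKET_FILTER_KEXT]}),
        payload(SYSEXT_POLICY, "AnyConnect System Extension", AllowUserOverrides=True,
                AllowedSystemExtensions={CISCO_TEAM_ID: [SOCKET_FILTER_EXT]}),
        payload(CONTENT_FILTER, "Cisco AnyConnect Content Filter", Enabled=True, AutoFilterEnabled=False,
                FilterType="Plugin", FilterGrade="firewall", FilterSockets=True, FilterPackets=False,
                FilterBrowsers=False, FilterDataProviderBundleIdentifier=SOCKET_FILTER_EXT,
                FilterDataProviderDesignatedRequirement=DESIGNATED_REQUIREMENT,
                PluginBundleID="com.cisco.anyconnect.macos.acsock",
                UserDefinedName="Cisco AnyConnect Content Filter"),
    ]
    return plistlib.dumps(payload("Configuration", "Approved AnyConnect System and Kernel Extensions",
                                  PayloadContent=content, PayloadScope="System",
                                  PayloadRemovalDisallowed=True))


if __name__ == "__main__":
    files = [a for a in sys.argv[1:] if a != "--m1"]
    data = open(files[0], "rb").read() if files else build_sample_profile()
    for line in check_profile(data, apple_silicon="--m1" in sys.argv) or ["profile looks consistent"]:
        print(line)
```

Run it as `python3 check_profile.py AnyConnect.mobileconfig` for an Intel scope or with `--m1` for an Apple Silicon scope; with no arguments it checks its own constructed sample. It only checks the unsigned plist, so run it before signing, since a signed profile is CMS-wrapped and no longer plain XML.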

merps
Contributor III

Check to see if you've already got a version uploaded, or if you have an unsigned profile with the same UUID already on the server. If so, delete the existing items and try uploading again.

KyleEricson
Valued Contributor

@merps Thanks this fixed my issue.

sgiesbrecht
Contributor

Still new-ish to Jamf / macOS, but having issues with Cisco 4.9.
Here is my configuration profile. What am I missing?
Jamf Pro 10.26.0
[screenshot]

[screenshot]

NOVELLUS
Contributor

@sgiesbrecht: Hello sgiesbrecht, first, I wish you a great and healthy 2021 🙂 I think the issues you write about are related to Big Sur, but you do not write what kind of issues they are. It would be helpful to know what kind of issues you face, to be able to help you find a solution.
Are there any messages appearing? What does the log file say?

sgiesbrecht
Contributor

@NOVELLUS I have it solved and it is now working with one minor issue, which I think is more of an application issue than an installation one. My issue was the System Extension setup. I will post my settings when my server is back up (if anyone wants the screenshots); doing changes right now.

MacJunior
Contributor

@sgiesbrecht Yes, could you please share your profile and some screenshots if possible? It still doesn't work on an M1 Mac running Big Sur 11.1!

MacJunior
Contributor

@NOVELLUS Could you please share the config profile that worked for you? I'm testing on an M1 Mac running Big Sur 11.1 using the sample profile provided by Cisco and still no success.
Any thoughts?

MacJunior
Contributor

@NOVELLUS Could you please share the profile you deployed? For me the sample config profile from Cisco didn't work on an M1 Mac running Big Sur 11.1!!

NOVELLUS
Contributor

@MacJunior Hi, please excuse my late response, I am not here every day. I am sorry, we do not have any M1 Macs, so there is no profile for them that I could share.

KyleEricson
Valued Contributor

This is what I have for my profile, and I still get the warning about the "Socket Filter".
Any ideas?

[screenshot]
[screenshot]
[screenshot]

tcandela
Valued Contributor

@keric @sgiesbrecht @NOVELLUS Are you only installing this Cisco AnyConnect system extension on Big Sur systems?

Does it matter if it also gets installed on 10.14 Mojave and 10.15 Catalina systems?

Berrier
Contributor

So, my content filter settings look just like the ones above from @ericsontech, but I'm still having issues on Big Sur. When the profile is installed I only get one new entry in the network adapters list. When I install AnyConnect 4.9, I'm still prompted to allow the filtering, and then I get 3 items added to the network adapters list. Anyone got the filtering part working?

Berrier
Contributor

Scratch that. I re-uploaded the profile and that seems to have resolved the issue.

Atmos
New Contributor

I just started testing with Big Sur 11.2.2 and AnyConnect 4.9.04043 on Intel architecture, and I can't get the System Extension to be allowed without a user prompt. I've tried with just the Team ID, with the NetworkExtension extension type, and with the extension name, and it will never stop prompting. I've rebooted between every attempt, even tried a fresh system.

I haven't even got to the web filtering part yet. The SentinelOne entry at the bottom of the screenshot worked with no problem. At this point I wonder if it's an app issue. Any advice?

[screenshot]

NOVELLUS
Contributor

This is how I get the installation of Cisco AnyConnect working without any user prompt.
We only install the VPN client (Cisco AnyConnect VPN).
[screenshot]

jon_verret
New Contributor II

Has anyone figured out how to configure the notification payload?
(Can't seem to find the correct App Name & Bundle ID combination...)

AJPinto
Contributor III

@jon.verret We have it configured this way. One thing I learned is that the configuration profile has to be installed on the Mac BEFORE AnyConnect drops the system extension. If the system extension is on there first, the user must approve. It's just how system extensions work and is kinda dumb; it's not a Jamf thing. It is possible to remove a System Extension, but you have to disable SIP first, at least for now according to the binary's notification. The screenshots below are the configuration profile that resulted from a Jamf ticket on this matter.

[screenshot]

[screenshot]

[screenshot]

[screenshot]

jon_verret
New Contributor II

@AJPinto Hey thanks for the response. I appreciate the screen caps, those are helpful to validate what I'm already deploying, which is working.

I was curious if anyone had managed to successfully configure the Notifications payload in the same profile for AnyConnect notification settings. Have you played with that at all?

ScottyBeach
Contributor

I've got a related problem in that the configuration profile supplied by an Apple engineer works perfectly in Big Sur on Intel but deploys and doesn't work on Big Sur M1 Macs. I opened a ticket with AppleCare and was told to try AnyConnect 4.9.06037.
I'm looking forward to getting my hands on it to test.
Anyone tried it yet?
- Scott

ScottyBeach
Contributor

4.10 Fixes it.

jfriedel
New Contributor

I got everything in place based on this Cisco guide:

AnyConnect Changes Related to macOS 11 (Big Sur)

Installed 4.10.00093 just a minute ago, but no joy; it still requires the extension to be approved manually. 😞

jexon
New Contributor

@NOVELLUS Can you explain how you managed to install AnyConnect without the socket filter? Since you don't use a content filter policy, it looks like you really just have the VPN client installed. Even when we install manually and deselect all options, the socket filter app gets installed along with the Secure Mobility Client.

regards
jeremias

NOVELLUS
Contributor

@jexon We are using "anyconnect-macos-4.9.04043-core-vpn-webdeploy-k9.pkg". This installs only the VPN client.
In addition to this, we are deploying a configuration profile with settings for system extensions and content filtering, as seen below. This works for us. The installation runs silently.
When the user connects to our VPN, the newest version of AnyConnect is downloaded and installed automatically.
We do not have any M1 Macs at this time.
[screenshot]

[screenshot]

ostrowsp
Contributor

For M1 Macs I had to remove the kernel extension settings from the config profile, and then it installed without error.
Still have the popup, but I think it's because AnyConnect was already installed. One odd thing is that if I run systemextensionsctl list it does not show up (the Sophos one I have does show up). So not really sure this is working correctly. This is AnyConnect 4.9.04043.

jameson
Contributor II

At the moment there seem to be DNS issues with Big Sur 11.4 and Cisco AnyConnect 4.10.01075; it randomly works on and off, and Cisco reports it is a known issue.

user-CdUbDHwWrY
New Contributor II

Seems like all the AnyConnect profiles that worked till now are no longer compatible with 11.4, throwing errors. Running 4.10.00093.

Error Code 10 The operation couldn't be completed. (SPErrorDomain error 10.)

The good news is they work again in 11.5 according to the devices we have deployed in the field running the beta with the same client version. Haven't verified if they actually apply, but just not seeing the same errors.

JustDeWon
Contributor III

The Socket Filter is causing the DNS issues. After removing the Socket Filter payload, the DNS issues stopped for me. And we're still able to manage as we did with kernel extensions and macOS 10.x.

Were you able to confirm this? We are seeing the VPN/DNS error and are wondering if this is our issue as well. Just want to make sure someone confirmed it for sure before removing this profile. We're running AnyConnect 4.10.02086.