CISCO system Extension blocking page.

You cannot block the page. You need to deploy a configuration profile with an "Approved Kernel Extensions" payload for Cisco AnyConnect. The Team ID for Cisco AnyConnect is DE8Y96K9QP

Hello , Thanks..

I have tried this and seems extension are blocking ..

But when we rollout to large form many user's will get this alert. Can we do something from the source file itself ?

That profile will only work on machines where the machine is in a User Approved MDM state. There is nothing that can be done on the AnyConnect side. This is a macOS setting.

I have updated the tag from Jamf Nation to Configuration Profiles to better reflect the discussion.

Very odd, I have both a KEXT and SYSEXT Profile set for this vendor and team ID, and the System im testing on is User approved MDM, however the prompt still showed regardless and did not allow it automatically even tho the config profile is present

Same I have added the profile and am still getting the prompt pop up and even if I select the system preferences button, there is nothing to allow. Anyone have a way around this at the moment.

@JarvisUno Hello. Is this because you are pushing out a Kernel Extension for a app which needs a System Extension? Big Sur uses System Extensions now. Cisco has a website about enabling System Extensions for AnyConnect

I am in the process of converting all my Kernel Extensions over to System Extensions for apps like Team Viewer, FireEye, AnyConnect to name a few.
.a

Hi there - does anyone have a completed working Cisco AnyConnect system extension Configuration Profile created for macOS Big Sur? I'm sure this can be done with 1 config profile to apply to a computer.

I'm trying to create one using the AnyConnect_macOS_BigSur_Advisory.pdf that they provide but i'm not sure i'm setting it up correctly.

For macOS prior to Big Sur i have the approved kernel extension with team id that has worked with no issues 10.14/10.15, now with System Extensions for Big Sur i'm prepping for Cisco AnyConnect 4.9.04xxx

I'v included some images of my preliminary System Extenstion settings along with the Cisco information that is in the pdf.

I added the Web Content filter section to the Config Profiiles system configuration settings but I am not sure where to put that data the the Cisco pdf displays.

@tcandela Did you manage to enter the data for the web content filter. If you have managed to add it in can you post a picture of how you added the data into which fields.

@Tildo check this out ,im going to test the config profike web content filter settings posted by @kgam on his 12/8/2020

https://www.jamf.com/jamf-nation/discussions/36637/cisco-vpn-anyconnect

I am getting the system extension is blocked on 10.14.6 for Cisco. It has Anyconnect installed 4.9.04053 and i have a config profile with system extension configured.

anyone else getting this?

@tcandela , system extension configuration is for macOS Big Sur.. You would need to configure a Kernel Extension payload for previous OS's

@JustDeWon yes, that's what i thought but why is the popup message about 'system extension' and not 'kernel extension'?

shouldn't the pop up message say 'kernel extension'? if it's running 10.14.6?

@tcandela , that is just a default wording by Cisco.. It's always been the same "message" since High Sierra as far as I can remember..

Because technically they are both system extensions per Apple

I had the Cisco Anyconnect Kernel extension installed on Mojave and it worked fine and then I did an in place upgrade to Big Sur and once the new macOS version was picked up by RECON a system extension configuration profile for Cisco Anyconnect was applied, but it now has that ATTENTION REQUIRED popup (just like this posts topic) telling me the AnyConnect system extension blocked.

So even though the System Extension is now applied to Big Sur it doesn't matter since Cisco Anyconnect was installed before the system extension was applied??????

is this how it works??? system extensions have to be configured before the application gets installed??

if done the other way around you will be prompted to 'allow'??

The configuration profile MUST be installed BEFORE the system extension is installed. A config profile cannot retro approve a SysExt as it could a kext. This is Apple's design. If done the other way around you will be prompted to approve, yes. If the config profile is in place and AnyConnect was already there you can also uninstall and reinstall. Highly suggest the profile is scoped to ALL machines that are UAMDM/Supervised no matter the OS version so it is in place before an upgrade causes issues such as this.