CISCO system Extension blocking page.

SGN
New Contributor III

Hello All,

Can anyone guide me to block this page alone? I am able to block the Cisco system extension, but the page pop-up still comes up.


iJake
Valued Contributor

You cannot block the page. You need to deploy a configuration profile with an "Approved Kernel Extensions" payload for Cisco AnyConnect. The Team ID for Cisco AnyConnect is DE8Y96K9QP.

SGN
New Contributor III

Hello, thanks.

I have tried this and it seems extensions are blocking.

But when we roll out to large form many users will get this alert. Can we do something from the source file itself?

iJake
Valued Contributor

That profile will only work on machines where the machine is in a User Approved MDM state. There is nothing that can be done on the AnyConnect side. This is a macOS setting.

bradsschroeder
New Contributor III

I have updated the tag from Jamf Nation to Configuration Profiles to better reflect the discussion.

Stubakka
Contributor II

Very odd. I have both a KEXT and SYSEXT profile set for this vendor and Team ID, and the system I'm testing on is User Approved MDM; however, the prompt still showed regardless and did not allow it automatically even though the config profile is present.

Heavy_D
Contributor III

Same. I have added the profile and am still getting the prompt pop-up, and even if I select the System Preferences button, there is nothing to allow. Anyone have a way around this at the moment?

pueo
Contributor II

@JarvisUno Hello. Is this because you are pushing out a Kernel Extension for an app which needs a System Extension? Big Sur uses System Extensions now. Cisco has a website about enabling System Extensions for AnyConnect.

I am in the process of converting all my Kernel Extensions over to System Extensions for apps like Team Viewer, FireEye, AnyConnect to name a few.

tcandela
Valued Contributor II

Hi there - does anyone have a completed working Cisco AnyConnect system extension Configuration Profile created for macOS Big Sur? I'm sure this can be done with 1 config profile to apply to a computer.

I'm trying to create one using the AnyConnect_macOS_BigSur_Advisory.pdf that they provide, but I'm not sure I'm setting it up correctly.

For macOS prior to Big Sur I have the approved kernel extension with Team ID that has worked with no issues on 10.14/10.15. Now, with System Extensions for Big Sur, I'm prepping for Cisco AnyConnect 4.9.04xxx.

I've included some images of my preliminary System Extension settings along with the Cisco information that is in the PDF.

I added the Web Content Filter section to the Config Profile's system configuration settings, but I am not sure where to put the data that the Cisco PDF displays.

Tildo
New Contributor III

@tcandela Did you manage to enter the data for the web content filter. If you have managed to add it in can you post a picture of how you added the data into which fields.

tcandela
Valued Contributor II

@Tildo check this out, I'm going to test the config profile web content filter settings posted by @kgam on his 12/8/2020

https://www.jamf.com/jamf-nation/discussions/36637/cisco-vpn-anyconnect

tcandela
Valued Contributor II

I am getting the "system extension is blocked" message on 10.14.6 for Cisco. It has AnyConnect 4.9.04053 installed and I have a config profile with system extension configured.

Anyone else getting this?

JustDeWon
Contributor III

@tcandela, system extension configuration is for macOS Big Sur. You would need to configure a Kernel Extension payload for previous OS's.

tcandela
Valued Contributor II

@JustDeWon yes, that's what I thought, but why is the popup message about 'system extension' and not 'kernel extension'?

Shouldn't the popup message say 'kernel extension' if it's running 10.14.6?

JustDeWon
Contributor III

@tcandela, that is just a default wording by Cisco. It's always been the same "message" since High Sierra as far as I can remember.

iJake
Valued Contributor

Because technically they are both system extensions per Apple.

tcandela
Valued Contributor II

I had the Cisco AnyConnect Kernel extension installed on Mojave and it worked fine. Then I did an in-place upgrade to Big Sur, and once the new macOS version was picked up by RECON, a system extension configuration profile for Cisco AnyConnect was applied. But it now has that ATTENTION REQUIRED popup (just like this post's topic) telling me the AnyConnect system extension is blocked.

So even though the System Extension is now applied to Big Sur, it doesn't matter since Cisco AnyConnect was installed before the system extension was applied?

Is this how it works? System extensions have to be configured before the application gets installed?

If done the other way around you will be prompted to 'allow'?

iJake
Valued Contributor

The configuration profile MUST be installed BEFORE the system extension is installed. A config profile cannot retro approve a SysExt as it could a kext. This is Apple's design. If done the other way around you will be prompted to approve, yes. If the config profile is in place and AnyConnect was already there you can also uninstall and reinstall. Highly suggest the profile is scoped to ALL machines that are UAMDM/Supervised no matter the OS version so it is in place before an upgrade causes issues such as this.
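
The advice in this thread (one profile carrying both the kernel-extension and system-extension approvals for Team ID DE8Y96K9QP, in place on every machine before an OS upgrade) can be checked before deployment. The following is an added example, not code from any poster or from Cisco or Jamf: it builds such a profile and audits an unsigned `.mobileconfig` for both approvals. The `com.example.*` payload identifiers and the display name are placeholders, and the Web Content Filter payload discussed above is not included.

```python
import plistlib
import uuid

TEAM_ID = "DE8Y96K9QP"  # Cisco AnyConnect Team ID quoted in this thread

# Payload types and keys from Apple's device-management profile reference.
KEXT = "com.apple.syspolicy.kernel-extension-policy"
SYSEXT = "com.apple.system-extension-policy"


def _payload(ptype, label, body):
    """Wrap payload-specific keys in the fields every payload carries."""
    return {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.anyconnect.{label}",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        **body,
    }


def build_profile(team_id=TEAM_ID, kext=True, sysext=True):
    """Return .mobileconfig bytes approving team_id for the chosen payloads."""
    content = []
    if kext:    # read by macOS releases that still load kernel extensions
        content.append(_payload(KEXT, "kext", {"AllowedTeamIdentifiers": [team_id]}))
    if sysext:  # read by macOS releases that use system extensions
        content.append(_payload(SYSEXT, "sysext", {"AllowedTeamIdentifiers": [team_id]}))
    return plistlib.dumps(_payload("Configuration", "profile", {
        "PayloadDisplayName": "AnyConnect extension approval (example)",
        "PayloadScope": "System",
        "PayloadContent": content,
    }))


def approvals(profile_bytes, team_id=TEAM_ID):
    """Report which extension policies in an unsigned profile allow team_id."""
    found = {"kext": False, "sysext": False}
    per_team = {KEXT: "AllowedKernelExtensions", SYSEXT: "AllowedSystemExtensions"}
    for p in plistlib.loads(profile_bytes).get("PayloadContent", []):
        ptype = p.get("PayloadType")
        if ptype not in per_team:
            continue
        allowed = (team_id in p.get("AllowedTeamIdentifiers", [])
                   or team_id in p.get(per_team[ptype], {}))
        key = "kext" if ptype == KEXT else "sysext"
        found[key] = found[key] or allowed
    return found


if __name__ == "__main__":
    print(approvals(build_profile()))              # profile with both payloads
    print(approvals(build_profile(sysext=False)))  # kext-only profile
```

A result with `sysext` false on a profile scoped to machines that may upgrade to Big Sur is the situation described in the last few posts: the approval arrives after the extension is already installed.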