Posted on 09-02-2020 10:10 PM
Hello There,
I am wondering if there is anyone using Cisco VPN AnyConnect 4.9 in macOS Big Sur Beta? I installed it but it is giving me an error right from the start and I can't even launch it. Please see the attached screenshot for the error.
Any help appreciated. Thanks.
Solved! Go to Solution.
Posted on 09-14-2020 08:38 PM
Has anyone whitelisted the Cisco AnyConnect 4.9.02028 System Extension (com.cisco.anyconnect.macos.acsockext) from JAMF Pro Configuration Profile successfully?
We attempted to whitelist the Team ID 'DE8Y96K9QP' but the following System Extension warning message is still prompted on macOS 11 Big Sur beta 6.
Posted on 09-03-2020 02:04 PM
I had to reboot to get rid of those messages. Might have something to do with kernel extension loading
Posted on 09-03-2020 08:30 PM
@c.kay thanks for the reply. I tried many times and restarted but the error is still appearing. The kernel extension was my first thought too. :)
Posted on 09-05-2020 11:22 AM
Big Sur is only supported on 4.9.02028, released 9/1/20, and it should be using the new System Extensions, rather than Kernel Extensions in that version.
I would do a full uninstall and then a re-install to make sure there aren't any legacy Cisco AnyConnect files anywhere that could be causing the errors...
Posted on 09-15-2020 01:12 AM
We are seeing very high CPU load with the Big Sur version of Cisco AnyConnect, look for vpnagentd in Activity Monitor. Even with the app closed and no VPN connection it's sitting at 70%
Posted on 09-20-2020 10:56 PM
@takayuki Thanks. It worked perfectly fine. I created system extension with the values you suggested and deployed it to my test computer and it is working fine.
Posted on 09-21-2020 12:26 PM
I didn't have that updated kext approval (thanks @takayuki), but I'm seeing 4.9 cut off all traffic after about 15 seconds and then rebooting my device with a KP when disconnecting.
Posted on 10-12-2020 08:30 AM
Where can I download Cisco AnyConnect 4.9.02028? There is no access to the offsite. (
Posted on 10-12-2020 09:45 AM
@sukharev I believe you'll need a registered login to the customer downloads section of Cisco's web site.
Posted on 10-12-2020 09:49 PM
4.9.03047 was released today FYI. No longer has an issue where the KEXT would get loaded on systems that don’t need it.
If you can’t access the downloads site yourself you’ll need to speak with whomever at your company has access. It is not publicly accessible.
Posted on 10-14-2020 07:30 AM
@iJake can you share the .pkg to 4.9.03047 version for us, please?
Posted on 10-15-2020 06:19 PM
@1729patrick You can send an email to ask-anyconnect@cisco.com to see if the beta is still open otherwise you'll need to get it from someone at your company that has access to the Cisco downloads portal. I cannot share the file.
Posted on 10-16-2020 05:51 AM
@raghdasi @takayuki I see this was "Solved" but I don't actually see any solution here and the post that was marked solved is just a question if anyone was able to get it to work.
We currently have 4.9.01095 deployed and I have run into the same issue as the OP when testing on BS. As suggested, this version may not be fully supported but it does work on systems where AnyConnect was installed prior to updating to BS. New installs, however, are coming up with the error about being unable to create the DNS plugin.
To add to this, we had an instance of someone who was running on 10.15.5 run into the same problem. If anyone has managed to fix this, I would really love some insight into how you got around this.
Thanks!
-Dan
Posted on 10-16-2020 10:14 PM
Posted on 11-05-2020 11:52 AM
We are running Jamf Pro 10.25.0. I uploaded and deployed the sample profile from the end of the Cisco document but the system extension does not get loaded in Big Sur beta 11.0.1, and as one would expect the user still gets prompts to approve the system extension. So what's the deal? Has anyone got the Cisco AnyConnect system extension profile working in Big Sur beta?
Posted on 11-05-2020 12:21 PM
I haven't tried the sample profile but got the system extension approved using the following profile:
Posted on 11-06-2020 11:52 AM
@kgam
Curious.
That's the first thing I tried. Along with a couple other variants of the built in System Extensions payload.
None of it worked for me.
That's all you did? Nothing with the WebContentFilter payload referenced in the Cisco doc?
systemextensionsctl list reports your Cisco extension is loaded?
Posted on 11-07-2020 04:05 AM
At first I had an additional entry which only allowed the team identifier but read somewhere that it may not be necessary so now I only have the one entry to allow the "com.cisco.anyconnect.macos.acsockext" extension which seems to work as I'm no longer prompted to allow the extension and 'systemextensionsctl list' shows the extension as enabled and active:
enabled active teamID bundleID (version) name [state]
DE8Y96K9QP com.cisco.anyconnect.macos.acsockext (4.9.03047/4.9.03047) Cisco AnyConnect Socket Filter Extension [activated enabled]
But yes I also had to create a configuration profile for the WebContentFilter payload. I used ProfileCreator and the .mobileconfig file gets created correctly but I'm having some problems signing the profile.
I used this guide: https://www.macblog.org/post/signing-configuration-profiles/
The finished configuration profile works but it's signed using a wrong certificate so I'll have to look into that.
Posted on 11-13-2020 12:04 PM
OK, so I can get the System Extension working by duplicating the image above. But I've still not found a solution for the WebContentFilter requirement....
Has anyone a workaround since this payload isn't supported by JAMF?
Posted on 11-13-2020 12:20 PM
@kgam, can you share the config profile that you're using?
Posted on 11-13-2020 12:25 PM
Seems like a lot of people going to a lot of workarounds for lack of just using the correct software. AnyConnect (and Umbrella) are fully supported from 4.9.03047 and above. I'll add that there's a CVE where every version other than 4.9.03047 has a major vulnerability that was released last week, so y'all are working hard to get a security hole installed. https://www.cisco.com/c/en/us/support/security/anyconnect-secure-mobility-client/products-security-advisories-list.html
Posted on 11-14-2020 03:07 AM
@wolftech
I used the sample MDM Configuration Profile found at the end of this PDF file:
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/upgrade/AnyConnect_macOS_BigSur_Advisory.pdf
Saved it as 'AnyConnect.mobileconfig' and signed it using the procedure outlined here:
https://www.macblog.org/post/signing-configuration-profiles/
Go to the section: "Signing Profiles for Trust Only by Jamf-enrolled Clients"
Due to a possible bug in Catalina I ended up using the following command to sign the certificate:
/usr/bin/security cms -S -Z 9CCE397F5491E9C6D70D305D0922687AAC2EA379 -i "AnyConnect.mobileconfig" -o "AnyConnect-signed.mobileconfig"
where the "-Z" value is "Subject Key Identifier" from the self-signed certificate in Keychain.app without <spaces> with the certificate set to "Use System Defaults" under "Trust".
You can also use "openssl x509 -in <.pem file> -noout -text" on the downloaded .pem file from Jamf Pro's 'Create Certificate from CSR'
After the .mobileconfig file had been signed I could upload it to Jamf Pro and scope it.
Posted on 11-18-2020 01:22 PM
I was able to get it working following the documentation provided by Cisco here.
1) I made sure that the System Extension payload had both the bundleID and the type.
2) Since Jamf doesn't have the WebContentFilter payload yet, I was able to strip away the Kernel and System Extension attributes from the Sample Configuration Profile (#5 in the Cisco documentation). Leaving just the dictionary that shows the settings for the content filter and upload that as a Custom Setting within the same config profile. I gave it the same name as the PayloadType attribute inside the plist.
All looks good for me. Hope that helps.
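A pre-upload check for the profile contents discussed in this thread, added here as an example (it is not from any poster or from Cisco's advisory). It parses an unsigned .mobileconfig and reports whether the system extension allow entry and the WebContentFilter payload are both present. The payload types and key names are Apple's; the sample profile is constructed, its PluginBundleID is a placeholder, and the two rules marked as assumptions in the comments are assumptions.

```python
import plistlib

TEAM_ID = "DE8Y96K9QP"                            # Team ID quoted in the thread
EXT_ID = "com.cisco.anyconnect.macos.acsockext"   # bundle ID quoted in the thread

def audit_profile(data: bytes) -> list:
    """Return problems found in an unsigned .mobileconfig (XML or binary plist)."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    sysext = [p for p in payloads if p.get("PayloadType") == "com.apple.system-extension-policy"]
    filters = [p for p in payloads if p.get("PayloadType") == "com.apple.webcontent-filter"]
    problems = []

    # System extension approval: a per-bundle allow entry, or a team-wide allow.
    by_bundle = any(EXT_ID in p.get("AllowedSystemExtensions", {}).get(TEAM_ID, []) for p in sysext)
    by_team = any(TEAM_ID in p.get("AllowedTeamIdentifiers", []) for p in sysext)
    if not (by_bundle or by_team):
        problems.append("system extension not allowed for " + EXT_ID)
    # Assumption: a type list for the team, when present, must include NetworkExtension.
    for p in sysext:
        types = p.get("AllowedSystemExtensionTypes", {}).get(TEAM_ID)
        if types is not None and "NetworkExtension" not in types:
            problems.append("type list for team omits NetworkExtension")

    # Assumption: the content filter names the socket filter extension as data provider.
    if not filters:
        problems.append("no com.apple.webcontent-filter payload")
    for p in filters:
        if p.get("FilterType") != "Plugin":
            problems.append("FilterType is not Plugin")
        if not p.get("FilterSockets"):
            problems.append("FilterSockets is not enabled")
        if p.get("FilterDataProviderBundleIdentifier") != EXT_ID:
            problems.append("filter data provider is not " + EXT_ID)
    return problems

def sample_profile(with_filter: bool = True) -> bytes:
    """Constructed sample profile (not Cisco's); PluginBundleID is a placeholder."""
    content = [{"PayloadType": "com.apple.system-extension-policy",
                "AllowedSystemExtensions": {TEAM_ID: [EXT_ID]},
                "AllowedSystemExtensionTypes": {TEAM_ID: ["NetworkExtension"]}}]
    if with_filter:
        content.append({"PayloadType": "com.apple.webcontent-filter",
                        "FilterType": "Plugin", "FilterSockets": True,
                        "PluginBundleID": "com.example.placeholder",
                        "FilterDataProviderBundleIdentifier": EXT_ID})
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": content})

if __name__ == "__main__":
    print(audit_profile(sample_profile()))
    print(audit_profile(sample_profile(with_filter=False)))
```

Run it against the profile before signing; a CMS-signed .mobileconfig is no longer a bare plist and will not parse here.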
Posted on 11-19-2020 09:27 AM
@a.feliciano
Thank you for your post here!
I have done the same as you describe and I get the network extension to work without a problem but I do have to restart before the WebContentFilter payload kicks in and the dialog "Cisco AnyConnect Socket Filter Would Like to Filter Network Content" doesn't show anymore and the additional items are visible in System Preferences -> Network
I'm not loading Kernel Extension (verified with "kextstat") and the "systemextensionsctl list" gives the correct answer for System Extensions from Cisco being [activated enabled]
Do you see the same behaviour?
Posted on 12-01-2020 07:58 AM
The sample profile at the end of the Cisco doc started working when I got the 4.9.04043 installer. FYI
Posted on 12-01-2020 10:32 AM
@jwaltonen How did you download the mobileconfig from the Cisco doc?
Just curious on the easiest method to get it uploaded into Jamf
Posted on 12-02-2020 08:41 PM
@a.feliciano It is not working for me with just the system extensions (in Catalina), so I assume you need the webcontentfilter part also. I am not sure what to strip out of the mobileconfig - can you please expand?
@jwalton I am also trying to use the mobileconfig from the doc, but using the whole mobileconfig fails to save for some unknown reason:
[HTMLResponse ] - An unhandled exception occurred during a save operation
java.lang.NullPointerException
any ideas anyone?
Posted on 12-03-2020 12:15 AM
@cingalls See my post earlier from 11/14/2020. You can copy/paste the content of the sample mobile config into a text file and call it e.g. "AnyConnect.mobileconfig". After you have signed it and uploaded it to Jamf this will approve both kernel extensions, system extensions and the webcontentfilter. But since Jamf Pro is being updated to 10.26 soon (during the weekend for us) and this version will support the webcontentfilter you could wait for this and then just use the previously mentioned configuration profile to approve the system extensions.
Posted on 12-03-2020 08:52 AM
@kgam Thanks. Using your steps & signing the profile allowed me to upload to Jamf Pro w/o seeing exception errors or signing errors, but the content itself is still blank for some reason..
Not a big deal, though, since I just used Jamf Pro's GUI to create the profile & copy the entries manually instead of uploading. That handled the kernel & system extensions successfully. I'll update to 10.26 to handle the webcontentfilter tomorrow.
My other big problem was the order of install. I had to install this config profile before upgrading to AnyConnect 4.9.04043. Trying to push the profile after 4.9.04043 was already installed would not remove the System Prefs prompt for enabling the system extension manually w/ admin rights
Posted on 12-03-2020 09:33 AM
Yes, my profile is empty as well. This is to be expected. I believe it's because the profile is signed in order to protect it from Jamf removing the parts it doesn't support by default.
Posted on 12-08-2020 08:00 AM
Hi there - does anyone have a completed working Cisco AnyConnect system extension Configuration Profile created for macOS Big Sur? I'm sure this can be done with 1 config profile to apply to a computer.
I'm trying to create one using the AnyConnect_macOS_BigSur_Advisory.pdf that they provide but I'm not sure I'm setting it up correctly.
For macOS prior to Big Sur I have the approved kernel extension with team id that has worked with no issues 10.14/10.15, now with System Extensions for Big Sur I'm prepping for Cisco AnyConnect 4.9.04xxx
I've included some images of my preliminary System Extension settings along with the Cisco information that is in the pdf.
I added the Web Content filter section to the Config Profiles system configuration settings but I am not sure where to put that data that the Cisco pdf displays.
Posted on 12-08-2020 08:15 AM
@tcandela In order to have both system extensions and the WebContentFilter in the same profile you can put the entire content of the example profile from the Cisco advisory into a signed .mobileconfig file and upload it to Jamf Pro. I did this prior to Jamf Pro v. 10.26 and it worked but since 10.26 now supports the WebContentFilter configuration profile I have switched to this in order to avoid signing the profile.
I'm using the following two configuration profiles:
Posted on 12-08-2020 08:43 AM
@kgam - just curious, why can't you put the content filter and the system extension payloads in the same config profile?
you didn't include the 'Allow System Extension Types' ---> 'Network Extension' in your systems extensions payload settings?
is that all 4 keys you need for the Custom Data section of the web content filter?
also, how do you apply your config profiles? to each computer immediately or self service?
thanks
Posted on 12-08-2020 09:46 AM
Sorry, I misunderstood your original post. I have one configuration profile for each but there should be nothing wrong as far as I can see with putting them in the same profile. We only use the VPN part of Cisco AnyConnect so it has not been necessary to include the Network Extension payload. You may need to add it if you use more of the modules in AnyConnect.
Yes, those four custom keys have been enough in our case but again we only use VPN.
I'm using a "macOS 11" smart group to automatically deploy the profiles when a Mac is upgraded to Big Sur.
Posted on 12-08-2020 11:41 AM
@kgam thanks, we only use the VPN part also, none of those other modules get installed. I'll try it all in one config profile.
Posted on 12-11-2020 01:56 PM
Here is a link to the supplemental for Big Sur configuration from Cisco Anyconnect
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/upgrade/AnyConnect_macOS_BigSur_Advisory.pdf
Posted on 01-20-2021 04:38 AM
@tcandela Did you manage to put it all in one profile? When I downloaded the sample config profile from Cisco, I noticed the key values are not added so it doesn't work for me yet!
Any advice?
Posted on 01-20-2021 04:39 AM
I'm still having issues with deploying that sample profile on M1 Mac running Big Sur 11.1! Any thoughts?
Posted on 01-20-2021 11:31 PM
it worked!