macOS Monterey and Cisco AnyConnect System Extension Issue

nsbickhart
Contributor

We have Cisco AnyConnect 4.10.03104 working great on Mojave-Big Sur, with users not receiving any popups.  When upgrading from any OS to macOS Monterey, we receive the popup below, regarding a system extension being blocked.  Our configuration profile is scoped to all devices.  When reloading a Mac fresh from Monterey, users do not see the message below.  It only appears to be happening after an upgrade.  Just wondering if anyone has a solution. 


6 REPLIES

dtommey
New Contributor III

Pushing a configuration profile allowing System Extensions will only be processed by the OS one time on install. For any OS below 10.15.4, as they do not know about the preference key, nothing is done. You would need to ensure that the profile is only pushed to systems that are 10.15.4+.

mhasman
Valued Contributor

Does AnyConnect require anything to be added to the PPPC section in the Config Profile?

Anonymous
Not applicable

There is nothing to set in PPPC. We only configure "System Extensions, Content Filter" and, for the older Macs, "Approved Kernel Extensions" in a configuration profile. We have different configuration profiles:
one for macOS earlier than Monterey, one for Intel Mac and one for M1 Mac.

EddyLara
New Contributor III

Hi Novellus, could you please share how you create a profile for each macOS earlier than Monterey, one for Intel Mac, and one for M1 Mac?

Anonymous
Not applicable

@EddyLara, sorry for my late reply.
First, I create a smart computer group for each platform (M1 and Intel).

Then I create a configuration profile for these two platforms and assign the profiles (in "Targets") to the corresponding smart groups, that's all.

The other way is to exclude the unwanted smart computer group (in "Exclusions"), so that you can scope the policy to any other wanted computer group.

JalalM
New Contributor

Thanks for sharing your setup! How did you get the cert info and the syntax of the Socket Filter Designated Requirement?