Help

macOS Monterey and Cisco AnyConnect System Extension Issue

nsbickhart
Contributor

‎10-29-2021 03:31 AM - edited ‎10-29-2021 04:12 PM

We have Cisco AnyConnect 4.10.03104 working great on Mojave-Big Sur, with users not receiving any popups.  When upgrading from any OS to macOS Monterey, we receive the popup below, regarding a system extension being blocked.  Our configuration profile is scoped to all devices.  When reloading a Mac fresh from Monterey, users do not see the message below.  It only appears to be happening after an upgrade.  Just wondering if anyone has a solution. 

nsbickhart_0-1635503325345.png

any1.pngany2.png

Reply
6 REPLIES 6

dtommey
New Contributor III

Posted on ‎10-29-2021 08:17 AM

Pushing a configuration profile allowing System Extensions will only be processed by the OS one time on install. For any OS below 10.15.4, as they do not know about the preference key, nothing is done. You would need to ensure that the profile is only pushed to systems that are 10.15.4+

Reply

mhasman
Valued Contributor

Posted on ‎01-04-2022 12:05 PM

Does AnyConnect require anything being added to PPPC section in Config Profile? 

0 Kudos
Reply

Anonymous
Not applicable
In response to mhasman

‎02-10-2022 03:55 AM - edited ‎02-10-2022 04:02 AM

There is nothing to set to PPPC. We only configure "System Extensions, Content Filter" and for the older Macs "Approved Kernel Extensions" in a configuration profile. We have different configuration profiles:
one for MacOS earlier than Monterey one for Intel Mac and one for M1 Mac.

Reply

EddyLara
New Contributor III
In response to Anonymous

Posted on ‎03-15-2022 06:49 AM

Hi Novellus, could you please share how do you create a profile for each macOS earlier than Monterey one for Intel Mac, and one for M1 Mac

0 Kudos
Reply

Anonymous
Not applicable
In response to EddyLara

‎03-29-2022 05:51 AM - edited ‎03-29-2022 05:55 AM

@EddyLara sorry for my late reply.
1st, I create a smart computer group for each platform (M1 and INTEL)

Then I create a configuration profile for these two platforms and assign the profiles (in "Targets") to the corresponding smart groups, that's all.

The other way is, to exclude the unwanted smart computer group (in "Exclusions"), so that you can scope the policy to any other wanted computer group.

0 Kudos
Reply

JalalM
New Contributor

Posted on ‎10-30-2022 12:44 PM

Thanks for sharing your setup! how did you get the cert info and the syntax of the Socket Filter Designated Requirement?

0 Kudos
Reply