Need help with xattr command

madhavigandhi1
New Contributor II

I need to deploy the Cisco AnyConnect VPN client on Mac endpoints; however, post-installation it prompts the end user to allow the app from System Preferences.

I want to bypass this step so that post-deployment the end user does not have to go to System Preferences to allow the app.

The xattr command I am using is

sudo xattr -d -r com.apple.quarantine /Users/username/Downloads/AnyConnectClient

where AnyConnectClient is the folder in which the anyconnect.dmg file resides.

However, the command is not working for me. Post-installation, it still asks the user to allow the app from System Preferences.
Does xattr work on a .dmg file?
Do I need to install the app first, then run the command and give it the path to some app system file?
If so, how do I create a package of the installer that is free of this restriction?
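Before deleting the attribute with `xattr -d`, it is worth reading what it actually holds. The script below is an added example for this thread, not code from the original post. com.apple.quarantine is a per-file extended attribute that the downloading application sets on the .dmg (and that travels with files extracted from a quarantined image); its value is four semicolon-separated fields: flags in hex, the download time as hex seconds since the Unix epoch, the agent that downloaded the file, and an event UUID keyed into the LaunchServices quarantine database. The sample value is constructed; `read_quarantine` shells out to the macOS `xattr` tool, so only `parse_quarantine` runs on other platforms.

```python
"""Read and decode com.apple.quarantine before removing it with xattr -d.

Added example for this thread, not code from the original post. The sample
value is constructed. Fields: flags (hex); download time (hex seconds since
the Unix epoch); downloading agent; event UUID.
"""
import os
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterator, Optional

QUARANTINE_XATTR = "com.apple.quarantine"

# Constructed sample, in the shape `xattr -p com.apple.quarantine file.dmg` prints.
SAMPLE_VALUE = "0083;6228a0b9;Safari;2B1A9E4C-7D3F-4C6E-9A8B-1F2E3D4C5B6A"


@dataclass(frozen=True)
class QuarantineInfo:
    flags: int
    downloaded_at: datetime
    agent: str
    event_id: str


def parse_quarantine(value: str) -> QuarantineInfo:
    """Decode the raw attribute string; raises ValueError on anything unexpected."""
    parts = value.strip().split(";")
    if len(parts) < 4:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags_hex, ts_hex, agent = parts[0], parts[1], parts[2]
    event_id = ";".join(parts[3:])  # keep the tail intact if it ever contains ';'
    return QuarantineInfo(
        flags=int(flags_hex, 16),
        downloaded_at=datetime.fromtimestamp(int(ts_hex, 16), tz=timezone.utc),
        agent=agent,
        event_id=event_id,
    )


def is_valid_quarantine(value: str) -> bool:
    """True if the string parses as a quarantine attribute value."""
    try:
        parse_quarantine(value)
    except ValueError:
        return False
    return True


def read_quarantine(path: str) -> Optional[QuarantineInfo]:
    """Run the macOS xattr tool on one file; None means the attribute is not set."""
    result = subprocess.run(
        ["xattr", "-p", QUARANTINE_XATTR, path],
        capture_output=True, text=True, check=False,
    )
    if result.returncode != 0:  # xattr exits non-zero when the attribute is absent
        return None
    return parse_quarantine(result.stdout)


def quarantined_files(root: str) -> Iterator[str]:
    """Walk a folder (the one holding the .dmg, or a mounted image) and yield quarantined paths."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if read_quarantine(path) is not None:
                yield path


if __name__ == "__main__":
    info = parse_quarantine(SAMPLE_VALUE)
    print(f"flags=0x{info.flags:04x} downloaded={info.downloaded_at.isoformat()} "
          f"agent={info.agent} event={info.event_id}")
```

Dropping the attribute from the .dmg only changes Gatekeeper's first-open handling of the image and of files that inherit the attribute from it; it has no effect on the system extension approval prompt that the later replies in this thread address.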

1 ACCEPTED SOLUTION

sdagley
Esteemed Contributor II

@madhavigandhi1 Note that you normally do not need (or want) to have both the Approved Kernel Extensions and System Extensions payloads in the same profile.

I do not have any personal experience configuring AnyConnect, and the Cisco doc I referenced indicates that the Kernel Extension is only used as a fallback for macOS 11 or later, so you might want to have 2 different Configuration Profiles - one for macOS versions <11.0 which include the Approved Kernel Extensions payload, and one for macOS 11.0 and > which does not.

You _definitely_ do not want to include an Approved Kernel Extensions payload if deploying the Configuration Profile to Macs with an Apple Silicon processor.



sdagley
Esteemed Contributor II

@madhavigandhi1 You shouldn't need to modify the xattrs on the AnyConnectApp if you ran the installer, but you do need to install a Configuration Profile with a System Extensions payload to approve it, and the details on that can be found at: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/upgrade/AnyConnect...


madhavigandhi1
New Contributor II

@sdagley 

Thank you for the cisco URL shared.
I tried to add the configuration profile with the mentioned payloads, and the profile is added to the scoped computer successfully.
However, after the configuration profile is added to the computer, when the AnyConnect dmg is installed it still prompts for allowing the extension from System Preferences.
Do you have any other way of auto-allowing this "System software from application 'Cisco AnyConnect Socket Filter' was blocked from loading" prompt, so that the end user does not have to go to System Preferences to allow it?

If it can be done, I haven't found a way. The System Extensions for PPPC make it so a non-admin user can approve, but do not completely eliminate it. macOS has a user-space-centric approach to security. The only good note is that it is usually a one-time deal: as long as the vendor does not change the app or extension names across versions, it sticks.

sdagley
Esteemed Contributor II

You can definitely approve System Extensions so that the user never sees a prompt to enable them in System Preferences->Security & Privacy, but it's not a PPPC payload that does that, it's the System Extensions payload.
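What that payload looks like on disk, together with the point from the accepted solution about keeping the Approved Kernel Extensions payload in a separate profile, as an added example for this thread (not Cisco's or Jamf's code). It builds the profile as a plist with Python's standard plistlib and runs a few checks a reviewer would apply before scoping it. The team identifier and bundle identifiers are placeholders (assumptions): take the real AnyConnect values from the Cisco document linked above, or from `systemextensionsctl list` on a Mac where the extension has already been approved. The "socket filter" named in the prompt is a Network Extension, hence the `NetworkExtension` type.

```python
"""Build and lint a Configuration Profile with a System Extensions payload.

Added example for this thread; not Cisco's or Jamf's code. Team and bundle
identifiers are placeholders (assumptions), not the real AnyConnect values.
"""
import plistlib
import uuid
from typing import Iterable, List

SYSEXT_PAYLOAD = "com.apple.system-extension-policy"
KEXT_PAYLOAD = "com.apple.syspolicy.kernel-extension-policy"
VALID_EXT_TYPES = {"DriverExtension", "NetworkExtension", "EndpointSecurityExtension"}

# Placeholder identifiers (assumed; replace with the vendor's real values).
VENDOR_TEAM_ID = "ABCDE12345"
VENDOR_SYSEXT_BUNDLE_IDS = ["com.example.vpn.socketfilter"]
VENDOR_KEXT_BUNDLE_IDS = ["com.example.vpn.kext"]


def _payload(payload_type: str, identifier: str, display_name: str, body: dict) -> dict:
    """Keys every payload dictionary inside a profile must carry, plus the policy body."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        **body,
    }

def system_extension_payload(team_id: str, bundle_ids: Iterable[str], ext_types: Iterable[str],
                             identifier: str = "com.example.profile.sysext") -> dict:
    """System Extensions payload: pre-approves the listed extensions so no prompt appears."""
    return _payload(SYSEXT_PAYLOAD, identifier, "System Extensions", {
        "AllowUserOverrides": False,
        "AllowedTeamIdentifiers": [team_id],
        "AllowedSystemExtensions": {team_id: list(bundle_ids)},
        "AllowedSystemExtensionTypes": {team_id: list(ext_types)},
    })

def kernel_extension_payload(team_id: str, bundle_ids: Iterable[str],
                             identifier: str = "com.example.profile.kext") -> dict:
    """Approved Kernel Extensions payload: ship it in its own profile, scoped only to Macs that need it."""
    return _payload(KEXT_PAYLOAD, identifier, "Approved Kernel Extensions", {
        "AllowUserOverrides": False,
        "AllowedTeamIdentifiers": [team_id],
        "AllowedKernelExtensions": {team_id: list(bundle_ids)},
    })

def build_profile(display_name: str, identifier: str, payloads: Iterable[dict]) -> dict:
    """Top-level profile dictionary; PayloadScope System makes it a device (not user) profile."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": list(payloads),
    }

def lint_profile(profile: dict) -> List[str]:
    """Checks worth running before scoping the profile; an empty list means it passed."""
    problems: List[str] = []
    payloads = profile.get("PayloadContent", [])
    types = {p.get("PayloadType") for p in payloads}
    if profile.get("PayloadScope") != "System":
        problems.append("PayloadScope should be System: extension policies are device-level")
    if SYSEXT_PAYLOAD in types and KEXT_PAYLOAD in types:
        problems.append("System Extensions and Kernel Extensions payloads in one profile: "
                        "split them by macOS version and keep the KEXT payload off Apple Silicon")
    for p in payloads:
        if p.get("PayloadType") != SYSEXT_PAYLOAD:
            continue
        teams = set(p.get("AllowedTeamIdentifiers", []))
        for team, kinds in p.get("AllowedSystemExtensionTypes", {}).items():
            if team not in teams:
                problems.append(f"{team} has extension types but is not in AllowedTeamIdentifiers")
            unknown = set(kinds) - VALID_EXT_TYPES
            if unknown:
                problems.append(f"{team}: unknown extension types {sorted(unknown)}")
    return problems

def to_mobileconfig(profile: dict) -> bytes:
    """Serialise as an XML plist; this is the .mobileconfig body you sign or upload."""
    return plistlib.dumps(profile)

def load_mobileconfig(data: bytes) -> dict:
    """Inverse of to_mobileconfig, for checking what was actually generated."""
    return plistlib.loads(data)

if __name__ == "__main__":
    profile = build_profile("VPN System Extension", "com.example.profile.vpn", [
        system_extension_payload(VENDOR_TEAM_ID, VENDOR_SYSEXT_BUNDLE_IDS, ["NetworkExtension"]),
    ])
    print(lint_profile(profile) or "profile OK")
    print(to_mobileconfig(profile).decode())
```

`AllowUserOverrides` is left at False so the approval comes only from the profile; if you do need the kernel extension fallback for older Intel Macs, build it with `kernel_extension_payload` into a second profile and scope that one by OS version, which is exactly what `lint_profile` complains about when both payloads land in one profile.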

madhavigandhi1
New Contributor II

Hi, I was able to create a configuration profile with the payloads below, and then installed the AnyConnect client. This time it did not prompt to allow from System Preferences. Thank you for your support.
[Four screenshots of the configuration profile payloads, 2022-03-24]
