Uninstall Cisco AnyConnect in BigSur and up

AVmcclint
Honored Contributor

Here is a script I made to remove old installations of Cisco AnyConnect that were done back before a choices.xml file was used.


#!/bin/bash
# This script will uninstall the full install of Cisco AnyConnect with all the modules.
# It will first look for the existence of the DART uninstaller. If it is there, it will run.
# Then it will run the full AnyConnect uninstaller. After that is completed, we can install
# the new version of Cisco AnyConnect that only installs the VPN component.

if [ -e "/opt/cisco/anyconnect/bin/dart_uninstall.sh" ]
then
	/opt/cisco/anyconnect/bin/dart_uninstall.sh
else
	echo "no DART to remove"
fi
/opt/cisco/anyconnect/bin/anyconnect_uninstall.sh
exit 0


It works great... with the exception that in Big Sur and Mojave (I haven't tested other versions), it throws up the following dialog:

[Screenshot: Screen Shot 2021-12-09 at 9.25.53 AM.png]

Obviously the point of running things in Self Service is so end users don't have to get an admin to authenticate for them. Does anyone know how I can make this alert not come up while running the Cisco-provided scripts for uninstallation?


AVmcclint
Honored Contributor

The policy log looks like this:

Script result: no DART to remove
Exiting Cisco AnyConnect Secure Mobility Client
Uninstalling Cisco AnyConnect Network Visibility Module...
Successfully removed Cisco AnyConnect Network Visibility Module from the system.
Uninstalling Cisco AnyConnect Secure Mobility Client...
Executing: /usr/bin/kmutil showloaded
No variant specified, falling back to release
Successfully removed Cisco AnyConnect Secure Mobility Client from the system.

So it looks like /usr/bin/kmutil is being called upon for some reason, but if the Cisco uninstall script is running as root, why is that superuser privilege not extended to commands spun off from it? Or is it?

AVmcclint
Honored Contributor

JamfNation was slow to post my first comment, so I posted it again, then the first one showed up. Ignore this comment.

vonnn
New Contributor

Currently, there is no way around not having to input your credentials on Big Sur and Mojave.
Apple did add the ability to allow the removal of system extensions without a prompt but that is only with Monterey:

SystemExtensions.RemovableSystemExtensions | Apple Developer Documentation

I have not done it with Cisco AnyConnect but I have done it with Cisco AMP using info from here:

Cisco Secure Endpoint Mac Connector Advisory: System Extensions, MDM, and Orbital - Cisco

But the process should be the same with AnyConnect:

Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.9 - Appendix: AnyConnect Chan...

"During AnyConnect uninstallation, the user is prompted for administrator credentials to approve the system extension deactivation. On macOS 12 and later, the AnyConnect system extension can be silently removed after deploying a management profile with the addition of SystemExtensions payload to the RemovableSystemsExtensions property. This property must contain the bundle identifier of the AnyConnect system extension (com.cisco.anyconnect.macos.acsockext)."

What you would need to do in JAMF:

  1. Create a new Configuration Profile
  2. Configure a new System Extensions payload
  3. System Extension Types: Removable System Extensions
  4. Team Identifier: DE8Y96K9QP
  5. Add Removable System Extensions: com.cisco.anyconnect.macos.acsockext

You, of course, need to make sure the profile has been pushed down before running the uninstall.

I know this isn't of any help for your computers on older OS but you could push them to the newest OS and then do it.

You could try a manual remove with the info here:

Cisco Anyconnect Manual uninstall Mac OS - Community Contributions - Hermes (mit.edu)
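As an added example (not the original poster's script, not vonnn's, and not Cisco's code), here is a wrapper that combines the uninstall sequence from the first post with the profile requirement described above: it only runs Cisco's uninstallers when a Removable System Extensions profile listing com.cisco.anyconnect.macos.acsockext is already installed, so a Self Service user is never shown the admin-credential prompt. It assumes `profiles -P -o stdout-xml` (run as root) dumps the installed computer profiles as plist XML, and that the Jamf policy passes "run" as script Parameter 4; the sample profile XML inside the block is constructed to show the payload shape, not captured from a managed Mac.

```shell
#!/bin/bash
# Added example (not the thread author's or Cisco's code): a pre-flight wrapper
# around Cisco's uninstall scripts for a Jamf policy. It only runs the uninstall
# when the "Removable System Extensions" configuration profile from vonnn's reply
# is already installed, so a Self Service user never hits the admin prompt.

# Bundle id and Team ID quoted in the thread; the socket filter extension is
# what macOS asks an admin to approve deactivating.
ACSOCK_EXT="com.cisco.anyconnect.macos.acsockext"
CISCO_TEAM_ID="DE8Y96K9QP"

DART_UNINSTALL="/opt/cisco/anyconnect/bin/dart_uninstall.sh"
VPN_UNINSTALL="/opt/cisco/anyconnect/bin/anyconnect_uninstall.sh"

# profile_allows_removal: reads installed-profile plist XML on stdin and returns 0
# when a RemovableSystemExtensions dictionary lists the AnyConnect extension.
# Payload shape: <key>RemovableSystemExtensions</key><dict><key>TEAMID</key>
# <array><string>bundle.id</string></array></dict>, so scan for the key and
# then for the bundle id before that dictionary closes.
profile_allows_removal() {
    awk -v ext="$ACSOCK_EXT" '
        /<key>RemovableSystemExtensions<\/key>/ { in_block = 1 }
        in_block && index($0, ext) > 0          { found = 1 }
        in_block && /<\/dict>/                  { in_block = 0 }
        END { exit (found ? 0 : 1) }
    '
}

# installed_profiles_xml: dumps computer-level profiles as plist XML.
# Assumption: `profiles -P -o stdout-xml` (as root) prints that XML.
installed_profiles_xml() {
    profiles -P -o stdout-xml 2>/dev/null
}

# run_uninstall: the same sequence as the original script, with the DART
# uninstaller optional and a clear failure if the main uninstaller is missing.
run_uninstall() {
    if [ -e "$DART_UNINSTALL" ]; then
        "$DART_UNINSTALL"
    else
        echo "no DART to remove"
    fi
    if [ ! -e "$VPN_UNINSTALL" ]; then
        echo "AnyConnect uninstaller not found at $VPN_UNINSTALL"
        return 1
    fi
    "$VPN_UNINSTALL"
}

main() {
    if ! installed_profiles_xml | profile_allows_removal; then
        echo "No profile marks $ACSOCK_EXT (Team $CISCO_TEAM_ID) removable; not uninstalling, user would be prompted"
        exit 2
    fi
    run_uninstall
}

# Constructed fixture (not captured from a real Mac) showing the payload shape
# the check expects; lets you exercise the parser without a managed machine.
SAMPLE_PROFILE_XML='<plist version="1.0"><dict>
  <key>PayloadType</key><string>com.apple.system-extension-policy</string>
  <key>RemovableSystemExtensions</key>
  <dict>
    <key>DE8Y96K9QP</key>
    <array><string>com.cisco.anyconnect.macos.acsockext</string></array>
  </dict>
</dict></plist>'

# Jamf: set script Parameter 4 to "run" on the policy. Without it the file only
# defines functions, so it can be sourced or tested safely.
if [ "${4:-}" = "run" ]; then
    main
fi
```

Exit status 2 shows up in the policy log as a failed script, which is easier to spot than a user silently dismissing the credential dialog; once the profile is confirmed in scope the policy can simply be re-run.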

jwojda
Valued Contributor II

I apologize for reviving an old thread, but would there be any negatives to letting this removal profile exist on the machines rather than trying to time the config profile to come down before the uninstall script?



honestpuck
Contributor

@jwojda No, there are no negatives. The profile allows a script or user with admin rights to remove the extension. An ordinary user does not get any extra permission from the profile so they still can't remove the Cisco software outside of a Self Service policy.

markopolo
Contributor

Thanks for the script! Works well and no longer requires user interaction in Sonoma!