Posted on 12-09-2021 06:36 AM
Here is a script I made to remove old installations of Cisco AnyConnect that were done back before a choices.xml file was used.
```bash
#!/bin/bash
# This script will uninstall the full install of Cisco AnyConnect with all the modules.
# It will first look for the existence of the dart installer. If it is there, it will run.
# Then it will run the full anyconnect uninstaller. After that is completed, then we can install
# the new version of Cisco Anywhere that only installs the VPN component.

if [ -e "/opt/cisco/anyconnect/bin/dart_uninstall.sh" ]
then
    /opt/cisco/anyconnect/bin/dart_uninstall.sh
else
    echo "no DART to remove"
fi

/opt/cisco/anyconnect/bin/anyconnect_uninstall.sh

exit 0
```
It works great... with the exception that in Big Sur and Mojave (I haven't tested other versions), it throws up the following dialog:
Obviously the point of running things in Self Service is so end users don't have to get an admin to authenticate for them. Does anyone know how I can make this alert not come up while running the Cisco-provided scripts for uninstallation?
Posted on 12-09-2021 06:44 AM
The policy log looks like this:
```
Script result: no DART to remove
Exiting Cisco AnyConnect Secure Mobility Client
Uninstalling Cisco AnyConnect Network Visibility Module...
Successfully removed Cisco AnyConnect Network Visibility Module from the system.
Uninstalling Cisco AnyConnect Secure Mobility Client...
Executing: /usr/bin/kmutil showloaded
No variant specified, falling back to release
Successfully removed Cisco AnyConnect Secure Mobility Client from the system.
```
So it looks like /usr/bin/kmutil is being called upon for some reason, but if the Cisco uninstall script is running as root, why is that superuser privilege not extended to commands spun off from it? Or is it?
Posted on 12-16-2021 06:35 AM
Currently, there is no way around not having to input your credentials on Big Sur and Mojave.
Apple did add the ability to allow the removal of system extensions without a prompt but that is only with Monterey:
SystemExtensions.RemovableSystemExtensions | Apple Developer Documentation
I have not done it with Cisco AnyConnect but I have done it with Cisco AMP using info from here:
Cisco Secure Endpoint Mac Connector Advisory: System Extensions, MDM, and Orbital - Cisco
But the process should be the same with AnyConnect:
Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.9 - Appendix: AnyConnect Chan...
"During AnyConnect uninstallation, the user is prompted for administrator credentials to approve the system extension deactivation. On macOS 12 and later, the AnyConnect system extension can be silently removed after deploying a management profile with the addition of SystemExtensions payload to the RemovableSystemExtensions property. This property must contain the bundle identifier of the AnyConnect system extension (com.cisco.anyconnect.macos.acsockext)."
What you would need to do in JAMF:
You, of course, need to make sure the profile has been pushed down before running the uninstall.
I know this isn't of any help for your computers on older OS but you could push them to the newest OS and then do it.
You could try a manual remove with the info here:
Cisco Anyconnect Manual uninstall Mac OS - Community Contributions - Hermes (mit.edu)
Posted on 08-18-2022 12:11 PM
I apologize for reviving an old thread, but would there be any negatives to letting this removal profile exist on the machines rather than trying to time the config profile to come down before the uninstall script?
Posted on 12-15-2022 10:37 PM
@jwojda No, there are no negatives. The profile allows a script or user with admin rights to remove the extension. An ordinary user does not get any extra permission from the profile so they still can't remove the Cisco software outside of a Self Service policy.
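An added example, not part of the original posts or Cisco's scripts: a pre-flight check for the point made in the thread that the removal profile must be in place, on macOS 12 or later, before the uninstall runs. It assumes `profiles show -output stdout-xml` run as root dumps installed profiles as multi-line XML; the function names and the `TEAMID` placeholder are hypothetical.

```shell
#!/bin/bash
# Added example: pre-flight gate for a prompt-free AnyConnect uninstall.
EXT_ID="com.cisco.anyconnect.macos.acsockext"   # bundle identifier quoted in the thread

# Constructed sample dump fragment (TEAMID is a placeholder, not a real team ID).
sample_dump() {
    printf '%s\n' '<key>RemovableSystemExtensions</key>' '<dict>' \
        '<key>TEAMID</key>' '<array>' "<string>$EXT_ID</string>" '</array>' '</dict>'
}

# True when the macOS product version (e.g. "12.6.1") is 12 or later.
os_supports_silent_removal() {
    local major="${1%%.*}"
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -ge 12 ]
}

# True when the profile dump on stdin lists EXT_ID inside the
# RemovableSystemExtensions dictionary; AllowedSystemExtensions alone does not count.
profile_lists_removable() {
    awk -v id="$EXT_ID" '
        /<key>RemovableSystemExtensions<\/key>/        { inside = 1; next }
        inside && /<\/dict>/                           { inside = 0 }
        inside && index($0, "<string>" id "</string>") { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Prints "silent" or "prompt"; arguments: OS version, path to a profile dump.
removal_mode() {
    if os_supports_silent_removal "$1" && profile_lists_removable < "$2"; then
        echo "silent"
    else
        echo "prompt"
    fi
}

# Entry point for a policy script on a managed Mac (not invoked automatically).
# Assumption: the profiles command below, run as root, emits multi-line XML.
preflight_and_uninstall() {
    local dump; dump="$(mktemp)"
    /usr/bin/profiles show -output stdout-xml > "$dump"
    local mode; mode="$(removal_mode "$(/usr/bin/sw_vers -productVersion)" "$dump")"
    rm -f "$dump"
    if [ "$mode" != "silent" ]; then
        echo "Removal profile not in place; uninstall would prompt for credentials." >&2
        return 1
    fi
    /opt/cisco/anyconnect/bin/anyconnect_uninstall.sh
}
```

Calling `preflight_and_uninstall` at the end of a Self Service policy script makes the policy fail visibly in the log when the profile has not yet arrived, rather than showing the credentials dialog to the user.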