Posted on 11-04-2021 08:04 AM
Hi all,
My employer uses AnyConnect's Always On function, which is a nuisance with functions that require graceful shutdowns of macOS, like upgrading from Big Sur to Monterey. In the past I have used a script to unload AnyConnect's LaunchAgent and kill its PID.
Maybe some nuance has changed with JAMF and the space in which it runs scripts? Any ideas?
#!/usr/bin/env bash
#* FileName: Cisco-AnyConnect-4-TempDisable.sh
#*=============================================================================
#* Script Name: Cisco-AnyConnect-4-TempDisable
#* Created: []
#* Author:
#*=============================================================================
#* Purpose: Temporarily disable Cisco AnyConnect in order to prevent OS
#* installation problems, among other uses.
#*=============================================================================
#*=============================================================================
#* REVISION HISTORY
#*=============================================================================
#* Date: []
#* Author:
#* Issue:
#* Solution:
#*=============================================================================
#*=============================================================================
#* FUNCTION LISTINGS
#*=============================================================================
## Unload Cisco AnyConnect Daemon
unloadDaemon()
{
    echo " Unloading Cisco AnyConnect Daemon..."
    sudo launchctl unload /Library/LaunchAgents/com.cisco.anyconnect.gui.plist
}

## Kill any running AnyConnect process, matched by command name
killProcess()
{
    procList=("AnyConnect")
    echo " Killing Cisco AnyConnect process..."
    for proc in "${procList[@]}"; do
        # ps axc prints bare command names, so the grep does not match itself
        runningProc=$(ps axc | grep -i "$proc" | awk '{print $1}')
        if [[ $runningProc ]]; then
            echo " ...Found running process $proc with PID: ${runningProc}. Killing it..."
            # Left unquoted on purpose: may hold several PIDs, one per line
            kill $runningProc
        else
            echo " ...$proc is not currently running"
        fi
    done
}
#*=============================================================================
#* SCRIPT BODY
#*=============================================================================
echo "######################################"
echo "Temporarily disabling Cisco Anyconnect"
echo "######################################"
unloadDaemon
killProcess
echo "######################################"
#*=============================================================================
#* END OF SCRIPT
#*=============================================================================
Posted on 11-04-2021 08:21 AM
It works when you run locally since it's running as the logged-in user. When you run from Jamf, it's running as root, so the LaunchAgent (loaded by the user) doesn't unload since it's a different user space. You can leverage launchctl asuser to run the unload command in the logged-in user space.
#!/bin/bash
# Name and UID of the user who owns the console (GUI) session
currentUser=$(/bin/echo 'show State:/Users/ConsoleUser' | /usr/sbin/scutil | /usr/bin/awk '/Name / { print $3 }')
userUID=$(/usr/bin/id -u "$currentUser")
## Kill AnyConnect so it doesn't interrupt reboot
/bin/echo "Quitting Cisco AnyConnect"
# The daemon is in the system domain, so root can unload it directly
/bin/launchctl unload -F /Library/LaunchDaemons/com.cisco.anyconnect.vpnagentd.plist
# The LaunchAgents were loaded by the user, so unload them in that user's space
/bin/launchctl asuser "$userUID" launchctl unload -F /Library/LaunchAgents/com.cisco.anyconnect.gui.plist
/bin/launchctl asuser "$userUID" launchctl unload -F /Library/LaunchAgents/com.cisco.anyconnect.notification.plist
isRunning=$(pgrep "Cisco AnyConnect Secure Mobility Client")
if [ "$isRunning" != "" ]; then
    /bin/echo "AnyConnect is running; killing process"
    /usr/bin/killall "Cisco AnyConnect Secure Mobility Client"
fi
exit 0
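An added example (not code from the thread, from Cisco or from Jamf) that applies the point of the accepted answer: read the console user and UID from scutil, unload the AnyConnect LaunchAgents inside that user's space with launchctl asuser, and skip the per-user steps when no one is logged in, a case the posted script does not check. The function names and the embedded scutil sample are assumptions of this example.

```shell
#!/bin/bash
# Added example, not code from the thread: unload AnyConnect's LaunchAgents in
# the console user's GUI domain from a root-run Jamf script, and skip the
# per-user steps when nobody is logged in (the posted script would then run
# `id -u ""` and pass an empty UID to asuser).

# Pull one key (Name or UID) out of `scutil` "show State:/Users/ConsoleUser"
# output; the output is passed in so the parsing can be checked offline.
scutil_value() {   # usage: scutil_value "<scutil output>" Name|UID
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key && $2 == ":" { print $3 }'
}

# No GUI session: ConsoleUser is empty or the loginwindow pseudo-user.
has_gui_session() {
    case "$1" in ""|loginwindow) return 1 ;; *) return 0 ;; esac
}

# Unload one LaunchAgent inside the given user's space (legacy launchctl
# syntax as in the accepted answer; note the absolute plist path).
unload_user_agent() {   # usage: unload_user_agent <uid> <label>
    /bin/launchctl asuser "$1" /bin/launchctl unload -F \
        "/Library/LaunchAgents/$2.plist"
}

main() {
    [ -x /usr/sbin/scutil ] || { echo "requires macOS" >&2; return 1; }
    local out user uid
    out=$(/bin/echo 'show State:/Users/ConsoleUser' | /usr/sbin/scutil)
    user=$(scutil_value "$out" Name)
    # The vpnagentd daemon is in the system domain, so root unloads it directly.
    /bin/launchctl unload -F /Library/LaunchDaemons/com.cisco.anyconnect.vpnagentd.plist
    if has_gui_session "$user"; then
        uid=$(scutil_value "$out" UID)
        unload_user_agent "$uid" com.cisco.anyconnect.gui
        unload_user_agent "$uid" com.cisco.anyconnect.notification
        /usr/bin/pgrep -q "Cisco AnyConnect Secure Mobility Client" \
            && /usr/bin/killall "Cisco AnyConnect Secure Mobility Client"
    else
        echo "No console user: the LaunchAgents are not loaded, skipping"
    fi
}

# Constructed sample of scutil output, used only to exercise scutil_value offline.
SAMPLE_SCUTIL='<dictionary> {
  GID : 20
  Name : jdoe
  UID : 501
}'
```

Append `main "$@"` as the script's last line when deploying it through Jamf; the functions are kept separate so the parsing can be exercised without a Mac.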
11-04-2021 08:26 AM - edited 11-04-2021 08:28 AM
That makes perfect sense, don't know why I did not think of that. Any idea of when this changed? (Not the JAMF running as root thing, but needing to be the current user to unload the agent.) I had this bit in our Mojave > Catalina upgrade script and it worked fine; we are really far behind and just getting to upgrading to Big Sur. I suppose a lot did change with Catalina, now I'm wondering lol.
Posted on 11-04-2021 10:10 AM
We use Always On VPN with AnyConnect at my employer as well, and I haven't seen any issues with it messing up OS upgrades. I'm using the macOSUpgrade.sh script to kick off upgrades and they always go through. At least that's been my experience.
@AJPinto wrote: Any idea of when this changed? (Not the JAMF running as root thing, but needing to be the current user to unload the agent.)
It's been that way for a good many OS versions actually. This didn't just start with Catalina. I recall needing to script running commands as the user to do something with a LaunchAgent as far back as I can remember. I know you said it was working on Mojave, but maybe you just got lucky.
Posted on 11-04-2021 11:50 AM
@mm2270 wrote: We use Always On VPN with AnyConnect at my employer as well, and I haven't seen any issues with it messing up OS upgrades. I'm using the macOSUpgrade.sh script to kick off upgrades and they always go through. At least that's been my experience.
Updating with a script and using the -R for the forced reboot will get around AnyConnect's Always On. However, with Apple Silicon you cannot use softwareupdate to automate updates without user interaction. AnyConnect's Always On does stop the "graceful" reboot that comes with JAMF's installASAP command for updates and can prevent the Mac from running updates.
As of this point JAMF is still using installASAP without InstallForceRestart, and of course does not use MaxUserDeferrals yet, which automatically uses installForceRestart once the deferral limit has been met.