Unload AnyConnect with script


AJPinto
  • Legendary Contributor
  • 2728 replies

Hi all,

 

My employer uses AnyConnect's Always On function, which is a nuisance with functions that require graceful shutdowns of macOS, like upgrading from Big Sur to Monterey. In the past I have used a script to unload AnyConnect's LaunchAgent and kill its PID.

 

  • The script still works fine if run locally, the script kills AnyConnect and it stays dead.
  • If run from JAMF Pro via policy with a script payload, AnyConnect opens right back up as soon as the policy finishes.

 

Maybe some nuance has changed with JAMF and the space in which it runs scripts? Any ideas?

 

 

#!/usr/bin/env bash
#* FileName: Cisco-AnyConnect-4-TempDisable.sh
#*=============================================================================
#* Script Name: Cisco-AnyConnect-4-TempDisable
#* Created: []
#* Author:
#*=============================================================================
#* Purpose: Temporarily disable Cisco AnyConnect in order to prevent OS
#* installation problems, among other uses.
#*=============================================================================
#*=============================================================================
#* REVISION HISTORY
#*=============================================================================
#* Date: []
#* Author:
#* Issue:
#* Solution:
#*=============================================================================
#*=============================================================================
#* FUNCTION LISTINGS
#*=============================================================================

## Unload Cisco AnyConnect Daemon
## (Note: the path below is the GUI LaunchAgent, which lives in the logged-in
## user's launchd domain; unloading it as root is the behaviour discussed in
## the answers.)
unloadDaemon() {
  echo " Unloading Cisco AnyConnect Daemon..."
  sudo launchctl unload /Library/LaunchAgents/com.cisco.anyconnect.gui.plist
}

## Find each listed process name in `ps axc` output and send it SIGTERM
killProcess() {
  procList=("AnyConnect")
  echo " Killing Cisco AnyConnect process..."
  for proc in "${procList[@]}"; do
    runningProc=$(ps axc | grep -i "$proc" | awk '{print $1}')
    if [[ $runningProc ]]; then
      echo " ...Found running process $proc with PID: ${runningProc}. Killing it..."
      kill $runningProc
    else
      echo " ...$proc is not currently running"
    fi
  done
}

#*=============================================================================
#* SCRIPT BODY
#*=============================================================================
echo "######################################"
echo "Temporarily disabling Cisco Anyconnect"
echo "######################################"
unloadDaemon
killProcess
echo "######################################"
#*=============================================================================
#* END OF SCRIPT
#*=============================================================================

 

Best answer by cdev

It works when you run locally since it's running as the logged-in user. When you run from Jamf, it's running as root, so the LaunchAgent (loaded by the user) doesn't unload since it's a different user space. You can leverage launchctl asuser to run the unload command in the logged-in user space.

 

#!/bin/bash

## The policy runs as root, but the AnyConnect GUI and notification agents are
## loaded in the console user's launchd domain, so their unload must run as
## that user (launchctl asuser).
currentUser=$(/bin/echo 'show State:/Users/ConsoleUser' | /usr/sbin/scutil | /usr/bin/awk '/Name / { print $3 }')

## Kill AnyConnect so it doesn't interrupt reboot
/bin/echo "Quitting Cisco AnyConnect"

## The vpnagentd daemon is in the system domain, so root can unload it directly.
/bin/launchctl unload -F /Library/LaunchDaemons/com.cisco.anyconnect.vpnagentd.plist

## Only touch the user domain when someone is actually logged in: at the login
## window scutil reports "loginwindow" (or nothing) and `id -u` would fail,
## leaving asuser with an empty UID. Plist paths must be absolute; a root-run
## policy's working directory is not guaranteed to be /.
if [ -n "$currentUser" ] && [ "$currentUser" != "loginwindow" ]; then
  userUID=$(/usr/bin/id -u "$currentUser")
  /bin/launchctl asuser "$userUID" /bin/launchctl unload -F /Library/LaunchAgents/com.cisco.anyconnect.gui.plist
  /bin/launchctl asuser "$userUID" /bin/launchctl unload -F /Library/LaunchAgents/com.cisco.anyconnect.notification.plist
fi

isRunning=$(pgrep "Cisco AnyConnect Secure Mobility Client")

if [ "$isRunning" != "" ]; then
  /bin/echo "AnyConnect is running; killing process"
  /usr/bin/killall "Cisco AnyConnect Secure Mobility Client"
fi

exit 0

 


4 replies

cdev
  • Contributor
  • 135 replies
  • Answer
  • November 4, 2021

It works when you run locally since it's running as the logged-in user. When you run from Jamf, it's running as root, so the LaunchAgent (loaded by the user) doesn't unload since it's a different user space. You can leverage launchctl asuser to run the unload command in the logged-in user space.

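cdev's point (root's launchctl cannot see agents loaded in the console user's domain) generalises beyond `asuser`: on current macOS, root can address a user's GUI domain directly with the `gui/<uid>` domain target of `launchctl bootout`, and the script should also cope with the login window, where scutil reports no usable console user. The script below is an added example written for this page; it is not cdev's script and not anything shipped by Cisco or Jamf. The function names, the `LAUNCHCTL` override that lets the helpers be exercised on a non-Mac, the constructed scutil sample, and the 10-second escalation timeout are my own assumptions; the plist paths and the process name are the ones quoted in the thread.

```shell
#!/bin/bash
# Added example, not from the thread: unload the AnyConnect LaunchAgents from a
# root-run Jamf policy by targeting the console user's GUI launchd domain, and
# handle the login-window case. Function names and LAUNCHCTL are assumed
# conventions; plist paths and the process name come from the thread.

# Overridable so the bootout helpers can be exercised on a non-macOS host.
LAUNCHCTL="${LAUNCHCTL:-/bin/launchctl}"

# Constructed sample of `scutil <<< "show State:/Users/ConsoleUser"` output,
# used only for the dry run on a non-Mac (UID, GID and name are made up).
SAMPLE_CONSOLEUSER='<dictionary> {
  GID : 20
  Name : jdoe
  SessionInfo : <array> {
    0 : <dictionary> {
      kCGSSessionUserNameKey : jdoe
      kCGSessionLongUserNameKey : John Doe
    }
  }
  UID : 501
}'

# Extract the console user's short name from scutil output read on stdin.
# The anchored pattern skips the nested SessionInfo keys that also contain
# "Name"; fields are "Name", ":", "<shortname>".
console_user_from_scutil() {
  awk '/^[[:space:]]*Name :/ { print $3 }'
}

# True only for a real logged-in user. scutil reports "loginwindow" at the
# login window and "_mbsetupuser" during Setup Assistant; `id -u` on an empty
# name would fail and leave the domain target empty.
is_console_user() {
  case "$1" in
    ""|loginwindow|_mbsetupuser) return 1 ;;
    *) return 0 ;;
  esac
}

# Unload one LaunchAgent from the given user's GUI domain. Root may address
# gui/<uid> directly, so no asuser wrapper is needed; legacy `unload` acts
# only on the caller's own domain, which is why the root-run script failed.
bootout_agent() {
  "$LAUNCHCTL" bootout "gui/$1" "$2"
}

# Unload a LaunchDaemon from the system domain (root's own domain).
bootout_daemon() {
  "$LAUNCHCTL" bootout system "$1"
}

# Terminate a process by exact name with SIGTERM, then escalate to SIGKILL if
# it is still alive after $2 seconds (default 10). Returns 0 once it is gone.
stop_process() {
  name="$1"; limit="${2:-10}"; waited=0
  /usr/bin/pgrep -x "$name" >/dev/null 2>&1 || return 0
  /usr/bin/pkill -x "$name"
  while /usr/bin/pgrep -x "$name" >/dev/null 2>&1; do
    waited=$((waited + 1))
    if [ "$waited" -ge "$limit" ]; then
      /usr/bin/pkill -KILL -x "$name"
      sleep 1
      break
    fi
    sleep 1
  done
  ! /usr/bin/pgrep -x "$name" >/dev/null 2>&1
}

# Script body: only meaningful as root on macOS. Elsewhere, do a dry run of
# the parser against the constructed sample so the logic can be inspected.
if [ "$(uname -s)" = Darwin ] && [ "$(id -u)" -eq 0 ]; then
  currentUser=$(/bin/echo 'show State:/Users/ConsoleUser' | /usr/sbin/scutil | console_user_from_scutil)

  bootout_daemon /Library/LaunchDaemons/com.cisco.anyconnect.vpnagentd.plist \
    || echo "vpnagentd was not loaded or failed to unload" >&2

  if is_console_user "$currentUser"; then
    uid=$(/usr/bin/id -u "$currentUser")
    for plist in /Library/LaunchAgents/com.cisco.anyconnect.gui.plist \
                 /Library/LaunchAgents/com.cisco.anyconnect.notification.plist; do
      bootout_agent "$uid" "$plist" || echo "$plist not loaded for uid $uid" >&2
    done
  else
    echo "No console user; leaving user-domain agents alone" >&2
  fi

  stop_process "Cisco AnyConnect Secure Mobility Client" 10 \
    || echo "AnyConnect GUI still running" >&2
else
  echo "dry run: console user from sample = $(printf '%s\n' "$SAMPLE_CONSOLEUSER" | console_user_from_scutil)"
fi
```

Run it as root from the Jamf policy exactly as before. `bootout` takes the target domain explicitly, so root can unload agents from `gui/<uid>` without `asuser`; `launchctl unload` only ever acts on the calling process's own domain, which is the original bug. Like the thread's scripts this is temporary: the agents come back at the next login and the daemon at the next boot, and nothing here changes the Always On policy itself.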

 


AJPinto
  • Author
  • Legendary Contributor
  • 2728 replies
  • November 4, 2021
cdev wrote:

It works when you run locally since it's running as the logged-in user. When you run from Jamf, it's running as root, so the LaunchAgent (loaded by the user) doesn't unload since it's a different user space. You can leverage launchctl asuser to run the unload command in the logged-in user space.

That makes perfect sense, don't know why I did not think of that. Any idea of when this changed? (Not the JAMF running as root thing, but needing to be the current user to unload the agent.) I had this bit in our Mojave > Catalina upgrade script and it worked fine; we are really far behind and just getting to upgrading to Big Sur. I suppose a lot did change with Catalina, now I'm wondering lol.


mm2270
  • Legendary Contributor
  • 7881 replies
  • November 4, 2021
We use Always On VPN with AnyConnect at my employer as well, and I haven't seen any issues with it messing up OS upgrades. I'm using the macOSUpgrade.sh script to kick off upgrades and they always go through. At least that's been my experience.

 


@AJPinto wrote:

Any idea of when this changed? (Not the JAMF running as root thing, but needing to be the current user to unload the agent.)


It's been that way for a good many OS versions actually. This didn't just start with Catalina. I recall needing to script running commands as the user to do something with a LaunchAgent as far back as I can remember. I know you said it was working on Mojave, but maybe you just got lucky.


AJPinto
  • Author
  • Legendary Contributor
  • 2728 replies
  • November 4, 2021
@mm2270 wrote:

We use Always On VPN with AnyConnect at my employer as well, and I haven't seen any issues with it messing up OS upgrades. I'm using the macOSUpgrade.sh script to kick off upgrades and they always go through. At least that's been my experience.


Updating with a script and using -R for the forced reboot will get around AnyConnect's Always On. However, with Apple Silicon you cannot use softwareupdate to automate updates without user interaction. AnyConnect's Always On does stop the "graceful" reboot that comes with JAMF's InstallASAP command for updates and can prevent the Mac from running updates.

 

As of this point JAMF is still using InstallASAP without InstallForceRestart, and of course does not use MaxUserDeferrals yet, which automatically uses InstallForceRestart once the deferral limit has been met.

