Unload AnyConnect with script

AJPinto
Esteemed Contributor

Hi all,

My employer uses AnyConnect's Always On function, which is a nuisance with functions that require graceful shutdowns of macOS like upgrading from Big Sur to Monterey. In the past I have used a script to unload AnyConnect's LaunchAgent and kill its PID.

  • The script still works fine if run locally: the script kills AnyConnect and it stays dead.
  • If run from JAMF Pro via policy with a script payload, AnyConnect opens right back up as soon as the policy finishes.

Maybe some nuance has changed with JAMF and the space at which it runs scripts? Any ideas?

#!/usr/bin/env bash

#* FileName: Cisco-AnyConnect-4-TempDisable.sh
#*=============================================================================
#* Script Name: Cisco-AnyConnect-4-TempDisable
#* Created: []
#* Author:
#*=============================================================================
#* Purpose: Temporarily disable Cisco AnyConnect in order to prevent OS
#* installation problems, among other uses.
#*=============================================================================

#*=============================================================================
#* REVISION HISTORY
#*=============================================================================
#* Date: []
#* Author:
#* Issue:
#* Solution:
#*=============================================================================

#*=============================================================================
#* FUNCTION LISTINGS
#*=============================================================================

## Unload the Cisco AnyConnect GUI LaunchAgent (in whatever launchd context the script runs in)
unloadDaemon() {
    echo " Unloading Cisco AnyConnect Daemon..."
    sudo launchctl unload /Library/LaunchAgents/com.cisco.anyconnect.gui.plist
}

## Find and kill any running AnyConnect process(es) by name
killProcess() {
    procList=("AnyConnect")

    echo " Killing Cisco AnyConnect process..."
    for proc in "${procList[@]}"; do
        # ps axc prints only the executable name, so the match is on the process name
        runningProc=$(ps axc | grep -i "$proc" | awk '{print $1}')
        if [[ $runningProc ]]; then
            echo "  ...Found running process $proc with PID: ${runningProc}. Killing it..."
            # intentionally unquoted: there may be several PIDs, one per line
            kill $runningProc
        else
            echo "  ...$proc is not currently running"
        fi
    done
}

#*=============================================================================
#* SCRIPT BODY
#*=============================================================================

echo "######################################"
echo "Temporarily disabling Cisco Anyconnect"
echo "######################################"
unloadDaemon
killProcess
echo "######################################"

#*=============================================================================
#* END OF SCRIPT
#*=============================================================================


1 ACCEPTED SOLUTION

cdev
Contributor III

It works when you run locally since it's running as the logged-in user. When you run from Jamf, it's running as root, so the LaunchAgent (loaded by the user) doesn't unload since it's a different user space. You can leverage launchctl asuser to run the unload command in the logged-in user space.

#!/bin/bash

# Resolve the user who currently owns the console (the GUI login session)
currentUser=$(/bin/echo 'show State:/Users/ConsoleUser' | /usr/sbin/scutil | /usr/bin/awk '/Name / { print $3 }')

userUID=$(/usr/bin/id -u "$currentUser")

## Kill AnyConnect so it doesn't interrupt reboot
/bin/echo "Quitting Cisco AnyConnect"
# The vpnagentd LaunchDaemon lives in the system domain, so root can unload it directly
/bin/launchctl unload -F /Library/LaunchDaemons/com.cisco.anyconnect.vpnagentd.plist
# The LaunchAgents are loaded in the user's session, so unload them as that user
/bin/launchctl asuser "$userUID" /bin/launchctl unload -F /Library/LaunchAgents/com.cisco.anyconnect.gui.plist
/bin/launchctl asuser "$userUID" /bin/launchctl unload -F /Library/LaunchAgents/com.cisco.anyconnect.notification.plist

isRunning=$(pgrep "Cisco AnyConnect Secure Mobility Client")

if [ "$isRunning" != "" ]; then
    /bin/echo "AnyConnect is running; killing process"
    /usr/bin/killall "Cisco AnyConnect Secure Mobility Client"
fi

exit 0


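A fuller version of the same approach, added here and not part of cdev's post: it resolves the console user, does nothing when no real user owns the console (login window, Setup Assistant), unloads each agent with launchctl asuser, and then checks that user's launchctl list to confirm the unload took. The plist-name-to-Label mapping and the loginwindow/_mbsetupuser names it filters out are assumptions, not something the thread states.

```shell
#!/bin/bash
# Added example, not the thread's code: from a root context (as a Jamf policy
# runs) unload a LaunchAgent inside the console user's session, and do nothing
# when no real user owns the console (login window, Setup Assistant).

# Pull the console user's name out of `scutil` output read from stdin.
parse_console_user() {
    awk '/^ *Name :/ { print $3 }'
}

# A LaunchAgent only exists inside a GUI login session; these names mean
# there is no session to unload from.
console_user_is_real() {
    case "$1" in
        ""|loginwindow|root|_mbsetupuser) return 1 ;;
        *) return 0 ;;
    esac
}

# Assumes the plist is named after its Label (com.cisco.anyconnect.gui.plist -> com.cisco.anyconnect.gui).
label_from_plist() {
    f=$(basename "$1")
    printf '%s\n' "${f%.plist}"
}

# Unload one LaunchAgent plist inside the given user's session (needs root),
# then confirm the label is gone from that user's launchctl list.
unload_user_agent() {
    uid="$1"; plist="$2"
    label=$(label_from_plist "$plist")
    /bin/launchctl asuser "$uid" /bin/launchctl unload -F "$plist"
    if /bin/launchctl asuser "$uid" /bin/launchctl list | grep -qF "$label"; then
        echo "  $label is still loaded for uid $uid" >&2
        return 1
    fi
}

main() {
    user=$(/bin/echo 'show State:/Users/ConsoleUser' | /usr/sbin/scutil | parse_console_user)
    if ! console_user_is_real "$user"; then
        echo "No GUI user logged in; nothing to unload"
        return 0
    fi
    uid=$(/usr/bin/id -u "$user")
    unload_user_agent "$uid" /Library/LaunchAgents/com.cisco.anyconnect.gui.plist
    unload_user_agent "$uid" /Library/LaunchAgents/com.cisco.anyconnect.notification.plist
}
# Only act on macOS and as root; elsewhere the functions are merely defined.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then main; fi
```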
4 REPLIES


AJPinto
Esteemed Contributor

That makes perfect sense, don't know why I did not think of that. Any idea of when this changed? (Not the JAMF running as root thing, but needing to be the current user to unload the agent.) I had this bit in our Mojave > Catalina upgrade script and it worked fine; we are really far behind and just getting to upgrading to Big Sur. I suppose a lot did change with Catalina, now I'm wondering lol.

mm2270
Legendary Contributor III

We use Always On VPN with AnyConnect at my employer as well, and I haven't seen any issues with it messing up OS upgrades. I'm using the macOSUpgrade.sh script to kick off upgrades and they always go through. At least that's been my experience.

@AJPinto wrote:

Any idea of when this changed? (Not the JAMF running as root thing, but needing to be the current user to unload the agent.)


It's been that way for a good many OS versions actually. This didn't just start with Catalina. I recall needing to script running commands as the user to do something with a LaunchAgent as far back as I can remember. I know you said it was working on Mojave, but maybe you just got lucky.

AJPinto
Esteemed Contributor

@mm2270 wrote:

We use Always On VPN with AnyConnect at my employer as well, and I haven't seen any issues with it messing up OS upgrades. I'm using the macOSUpgrade.sh script to kick off upgrades and they always go through. At least that's been my experience.


Updating with a script and using -R for the forced reboot will get around AnyConnect's Always On. However, with Apple Silicon you cannot use softwareupdate to automate updates without user interaction. AnyConnect's Always On does stop the "graceful" reboot that comes with JAMF's InstallASAP command for updates and can prevent the Mac from running updates.

As of this point JAMF is still using InstallASAP without InstallForceRestart, and of course does not use MaxUserDeferrals yet, which automatically uses InstallForceRestart once the deferral limit has been met.