If you need to deploy/manage Cisco AnyConnect clients on macOS, you can find a great script here written by @Fulgubbe - which is working as expected for me. I just tweaked the XML for the profile a bit to my own needs. As an example, I bumped the AuthenticationTimeout to 60 seconds so that the users are able to respond to the Push-MFA. (How to use Push-MFA with RADIUS -> here and here)

<AuthenticationTimeout>60</AuthenticationTimeout>
anchor apple generic and identifier "com.cisco.anyconnect.macos.acsockext" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP)
Cisco AnyConnect Content Filter
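As an added example (my own code, not from the post and not part of @Fulgubbe's script), the Python below does two things the post describes by hand: it sets AuthenticationTimeout in an AnyConnect profile XML, and it lints a system extension code requirement like the one above to confirm it pins the bundle identifier and the signing team rather than accepting any Developer ID-signed extension. The profile namespace, the constructed sample profile and host name, and the 10 to 120 second range check are assumptions; the three Apple certificate-extension OIDs are the well-known Developer ID values.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of AnyConnect client profiles. Assumption: it matches the xmlns on
# the AnyConnectProfile root element of the profile the linked script writes.
NS = "http://schemas.xmlsoap.org/encoding/"
ET.register_namespace("", NS)  # serialize without a namespace prefix

# Constructed sample profile (not the post's). AuthenticationTimeout starts at
# 12 seconds here, the pre-tweak value, and gets bumped to 60 below.
SAMPLE_PROFILE = f"""<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="{NS}">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
    <AuthenticationTimeout>12</AuthenticationTimeout>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def get_authentication_timeout(xml_text: str):
    """Return AuthenticationTimeout in seconds, or None if the profile has none."""
    root = ET.fromstring(xml_text)
    node = root.find(f"{{{NS}}}ClientInitialization/{{{NS}}}AuthenticationTimeout")
    if node is None or not (node.text or "").strip():
        return None
    return int(node.text.strip())


def set_authentication_timeout(xml_text: str, seconds: int) -> str:
    """Return the profile with AuthenticationTimeout set, creating the element if needed."""
    # Assumed acceptable range; out-of-range values are rejected, not written.
    if not 10 <= seconds <= 120:
        raise ValueError(f"AuthenticationTimeout {seconds} outside 10..120 seconds")
    root = ET.fromstring(xml_text)
    init = root.find(f"{{{NS}}}ClientInitialization")
    if init is None:
        init = ET.Element(f"{{{NS}}}ClientInitialization")
        root.insert(0, init)  # keep ClientInitialization ahead of ServerList
    node = init.find(f"{{{NS}}}AuthenticationTimeout")
    if node is None:
        node = ET.SubElement(init, f"{{{NS}}}AuthenticationTimeout")
    node.text = str(seconds)
    return ET.tostring(root, encoding="unicode")


# Well-known Apple certificate-extension OIDs used in a Developer ID
# designated requirement.
OID_MAC_APP_STORE = "1.2.840.113635.100.6.1.9"
OID_DEVELOPER_ID_CA = "1.2.840.113635.100.6.2.6"
OID_DEVELOPER_ID_APP = "1.2.840.113635.100.6.1.13"

# The requirement from the post, rebuilt from its parts.
SAMPLE_REQUIREMENT = (
    'anchor apple generic and identifier "com.cisco.anyconnect.macos.acsockext" and '
    f"(certificate leaf[field.{OID_MAC_APP_STORE}] /* exists */ or "
    f"certificate 1[field.{OID_DEVELOPER_ID_CA}] /* exists */ and "
    f"certificate leaf[field.{OID_DEVELOPER_ID_APP}] /* exists */ and "
    "certificate leaf[subject.OU] = DE8Y96K9QP)"
)


def check_extension_requirement(req: str, expected_identifier: str, expected_team: str) -> list:
    """Lint a code requirement from a system extension policy.

    Returns a list of findings. An empty list means the requirement is anchored
    to Apple's root, pins the bundle identifier, pins the signing team (subject.OU)
    and demands the Developer ID chain, so a different vendor's signed extension
    would not satisfy it.
    """
    findings = []
    if not req.lstrip().startswith("anchor apple generic"):
        findings.append("requirement is not anchored to Apple's root")
    ident = re.search(r'identifier\s+"([^"]+)"', req)
    if ident is None:
        findings.append("no identifier constraint: any bundle id would match")
    elif ident.group(1) != expected_identifier:
        findings.append(f"identifier {ident.group(1)!r} does not match {expected_identifier!r}")
    team = re.search(r'certificate leaf\[subject\.OU\]\s*=\s*"?([A-Z0-9]{10})"?', req)
    if team is None:
        findings.append("no subject.OU (team id) constraint: any Developer ID would match")
    elif team.group(1) != expected_team:
        findings.append(f"team id {team.group(1)!r} does not match {expected_team!r}")
    if OID_DEVELOPER_ID_CA not in req or OID_DEVELOPER_ID_APP not in req:
        findings.append("Developer ID certificate chain is not required")
    return findings


if __name__ == "__main__":
    updated = set_authentication_timeout(SAMPLE_PROFILE, 60)
    print("timeout now:", get_authentication_timeout(updated))
    print("findings:", check_extension_requirement(
        SAMPLE_REQUIREMENT, "com.cisco.anyconnect.macos.acsockext", "DE8Y96K9QP"))
```

Run the requirement check against the exact string you put into your system extension policy: any finding means the policy would also load an extension you did not intend. The profile edit re-serializes the whole document, so diff the output against the original before you push it with the deployment script.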
After deploying the client and profile via Command and enforcing the policy, I have a configured and ready-to-use AnyConnect VPN.