Deploy and manage Cisco AnyConnect clients on macOS

JuergenKlaassen
Rising Star III

Hi

If you need to deploy/manage Cisco AnyConnect clients on macOS: you can find a great script here written by @Fulgubbe, which is working as expected for me. I just tweaked the XML for the profile a bit to my own needs. As an example, I bumped the AuthenticationTimeout to 60 seconds so that the users are able to respond to the Push-MFA. (How to use Push-MFA with RADIUS -> here and here)
<AuthenticationTimeout>60</AuthenticationTimeout>

<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
    <!-- raised from the client default so users have time to answer the push MFA prompt -->
    <AuthenticationTimeout>60</AuthenticationTimeout>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- $companyName and $vpnHostname are substituted by the deployment script -->
      <HostName>$companyName</HostName>
      <HostAddress>$vpnHostname</HostAddress>
      <PrimaryProtocol>IPsec
        <StandardAuthenticationOnly>true
          <AuthMethodDuringIKENegotiation>IKE-RSA</AuthMethodDuringIKENegotiation>
        </StandardAuthenticationOnly>
      </PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

Besides the deployment of the AnyConnect client and the profile, it is recommended to configure the system extension within an MDM policy.
I configured the policy based on this guidance by Cisco for macOS 11:

Property                 Value
Team Identifier          DE8Y96K9QP
Bundle Identifier        com.cisco.anyconnect.macos.acsockext
System Extension Type    NetworkExtension

 

Property                                   Value
AutoFilterEnabled                          false
FilterBrowsers                             false
FilterSockets                              true
FilterPackets                              false
FilterGrade                                firewall
FilterDataProviderBundleIdentifier         com.cisco.anyconnect.macos.acsockext
FilterDataProviderDesignatedRequirement    anchor apple generic and identifier "com.cisco.anyconnect.macos.acsockext" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP)
PluginBundleID                             com.cisco.anyconnect.macos.acsockext
UserDefinedName                            Cisco AnyConnect Content Filter


After deploying the client and profile via Command and enforcing the policy, I have a configured and ready-to-use AnyConnect VPN.
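As an added example (not code from the original post, from @Fulgubbe's script, from Cisco or from the MDM vendor): a Python script that builds the two MDM payloads from the tables above (the system extension allow-list and the content filter) as a .mobileconfig plist, and runs the pre-deployment checks a practitioner wants before pushing them: that the designated requirement really pins both the bundle identifier and the Team ID (otherwise macOS would accept other code as the filter data provider), and that the AnyConnect profile carries the raised AuthenticationTimeout. The payload identifier prefix, UUIDs, display names and the sample profile are assumptions constructed for the example; the Apple payload keys are the documented `com.apple.system-extension-policy` and `com.apple.webcontent-filter` keys.

```python
"""Added example, not code from the post, Cisco or the MDM vendor.
Builds the system-extension and content-filter payloads from the post as a
.mobileconfig and checks the designated requirement and the AnyConnect
profile before deployment.  ORG_PREFIX, UUIDs, display names and
SAMPLE_PROFILE are assumptions constructed for this example."""
import plistlib
import re
import uuid
import xml.etree.ElementTree as ET

# Values from the post's two tables.
TEAM_ID = "DE8Y96K9QP"
BUNDLE_ID = "com.cisco.anyconnect.macos.acsockext"
DESIGNATED_REQUIREMENT = (
    'anchor apple generic and identifier "com.cisco.anyconnect.macos.acsockext" '
    "and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ "
    "or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ "
    "and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ "
    "and certificate leaf[subject.OU] = DE8Y96K9QP)"
)
ORG_PREFIX = "com.example.mdm"  # assumed payload identifier prefix

# Constructed sample: the post's profile with the script placeholders filled in.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AuthenticationTimeout>60</AuthenticationTimeout>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Example Corp VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""


def _payload(payload_type, suffix, display_name, **keys):
    """Wrap payload-specific keys in the common Payload* keys MDM requires."""
    ident = f"{ORG_PREFIX}.{suffix}"
    return {
        "PayloadType": payload_type,
        "PayloadIdentifier": ident,
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, ident)).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        **keys,
    }


def build_mobileconfig(team_id=TEAM_ID, bundle_id=BUNDLE_ID, dr=DESIGNATED_REQUIREMENT):
    """Return the configuration profile as a dict (serialise with to_plist)."""
    sysext = _payload(
        "com.apple.system-extension-policy", "anyconnect.sysext",
        "Cisco AnyConnect System Extension",
        AllowUserOverrides=False,  # users must not be able to approve other extensions
        AllowedSystemExtensions={team_id: [bundle_id]},
        AllowedSystemExtensionTypes={team_id: ["NetworkExtension"]},
    )
    content_filter = _payload(
        "com.apple.webcontent-filter", "anyconnect.filter",
        "Cisco AnyConnect Content Filter",
        FilterType="Plugin", PluginBundleID=bundle_id,
        UserDefinedName="Cisco AnyConnect Content Filter",
        AutoFilterEnabled=False, FilterBrowsers=False,
        FilterSockets=True, FilterPackets=False, FilterGrade="firewall",
        FilterDataProviderBundleIdentifier=bundle_id,
        FilterDataProviderDesignatedRequirement=dr,
    )
    root_ident = f"{ORG_PREFIX}.anyconnect"
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "System",  # system extensions need a device-level profile
        "PayloadIdentifier": root_ident,
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, root_ident)).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Cisco AnyConnect (system extension + content filter)",
        "PayloadContent": [sysext, content_filter],
    }


def to_plist(profile):
    """Serialise the profile dict to .mobileconfig (XML plist) bytes."""
    return plistlib.dumps(profile)


def check_designated_requirement(dr, team_id, bundle_id):
    """Return a list of problems.  macOS enforces the DR on the filter data
    provider; if it does not pin the identifier and the Team ID's OU, any
    code meeting the remaining clauses would be accepted as the provider."""
    problems = []
    if not dr.startswith("anchor apple generic"):
        problems.append("DR is not anchored to the Apple-issued certificate chain")
    if f'identifier "{bundle_id}"' not in dr:
        problems.append(f"DR does not pin identifier {bundle_id}")
    if not re.search(r"subject\.OU\]\s*=\s*" + re.escape(team_id) + r"\b", dr):
        problems.append(f"DR does not pin Team ID {team_id} via subject.OU")
    return problems


def authentication_timeout(profile_xml):
    """Read ClientInitialization/AuthenticationTimeout (seconds) from a profile."""
    ns = {"a": "http://schemas.xmlsoap.org/encoding/"}
    root = ET.fromstring(profile_xml)
    el = root.find("a:ClientInitialization/a:AuthenticationTimeout", ns)
    return int(el.text.strip()) if el is not None and el.text else None


if __name__ == "__main__":
    for problem in check_designated_requirement(DESIGNATED_REQUIREMENT, TEAM_ID, BUNDLE_ID):
        print("WARNING:", problem)
    print("AuthenticationTimeout:", authentication_timeout(SAMPLE_PROFILE), "s")
    print(to_plist(build_mobileconfig()).decode())
```

Run it to print the profile; write the bytes from `to_plist()` to a `.mobileconfig` file and upload it to the MDM (the profile then needs to be signed or delivered by the MDM as usual). The DR check is the part worth keeping in a CI job: a requirement string that drops the `identifier` or `subject.OU` clause still looks plausible in the MDM console but no longer ties the filter to Cisco's Team ID.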

