12-08-2022 04:16 AM - edited 12-09-2022 07:13 PM
Hi
If you need to deploy/manage Cisco AnyConnect clients on macOS: you can find a great script here written by @Fulgubbe - which is working as expected for me. I just tweaked the XML for the profile a bit to my own needs. As an example, I bumped the AuthenticationTimeout to 60 seconds so that the users are able to respond to the Push-MFA. (How to use Push-MFA with RADIUS -> here and here)
<AuthenticationTimeout>60</AuthenticationTimeout>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
    <AuthenticationTimeout>60</AuthenticationTimeout>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>$companyName</HostName>
      <HostAddress>$vpnHostname</HostAddress>
      <PrimaryProtocol>IPsec
        <StandardAuthenticationOnly>true
          <AuthMethodDuringIKENegotiation>IKE-RSA</AuthMethodDuringIKENegotiation>
        </StandardAuthenticationOnly>
      </PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
Besides the deployment of the AnyConnect client and the profile, it's recommended to configure the System Extension within an MDM policy.
I configured the policy based on this guidance by Cisco for macOS 11:
| Property | Value |
|---|---|
| Team Identifier | DE8Y96K9QP |
| Bundle Identifier | com.cisco.anyconnect.macos.acsockext |
| System Extension Type | NetworkExtension |

| Property | Value |
|---|---|
| AutoFilterEnabled | false |
| FilterBrowsers | false |
| FilterSockets | true |
| FilterPackets | false |
| FilterGrade | firewall |
| FilterDataProviderBundleIdentifier | com.cisco.anyconnect.macos.acsockext |
| FilterDataProviderDesignatedRequirement | anchor apple generic and identifier "com.cisco.anyconnect.macos.acsockext" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP) |
| PluginBundleID | com.cisco.anyconnect.macos.acsockext |
| UserDefinedName | Cisco AnyConnect Content Filter |
After deploying the client & profile via Command and enforcing the policy, I have a configured and ready-to-use AnyConnect VPN.
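The two halves of the post, as one added example in Python (not the post's script, not @Fulgubbe's, and not Cisco's or Apple's code): it renders the profile above from the two variables with the substituted values XML-escaped, parses a profile back so the deployed settings can be audited, and builds the MDM configuration profile from the two tables with a cross-check that the content filter, the allowed system extension and the designated requirement all point at the same bundle ID and team. It assumes the Apple payload types `com.apple.system-extension-policy` and `com.apple.webcontent-filter`, the `FilterType` value `Plugin`, and a placeholder payload identifier; none of these are on the page. The company name and VPN host are constructed sample values.

```python
"""Render the AnyConnect profile, read it back, and build + audit the MDM profile.
Added example, not the post's or Cisco's/Apple's code. Assumed (not on the page):
payload types com.apple.system-extension-policy / com.apple.webcontent-filter,
FilterType "Plugin", and the placeholder identifier com.example.anyconnect-sysext."""
import plistlib
import uuid
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "http://schemas.xmlsoap.org/encoding/"           # xmlns of the profile in the post
TEAM_ID = "DE8Y96K9QP"                                 # Cisco's Team Identifier
EXT_BUNDLE_ID = "com.cisco.anyconnect.macos.acsockext"
DESIGNATED_REQUIREMENT = (
    f'anchor apple generic and identifier "{EXT_BUNDLE_ID}" and '
    "(certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or "
    "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
    "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
    f"certificate leaf[subject.OU] = {TEAM_ID})"
)

# Same profile as in the post; {name}/{host} stand in for $companyName/$vpnHostname.
PROFILE_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="{ns}">
  <ClientInitialization>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
    <AuthenticationTimeout>{timeout}</AuthenticationTimeout>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>{name}</HostName>
      <HostAddress>{host}</HostAddress>
      <PrimaryProtocol>IPsec
        <StandardAuthenticationOnly>true
          <AuthMethodDuringIKENegotiation>IKE-RSA</AuthMethodDuringIKENegotiation>
        </StandardAuthenticationOnly>
      </PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def build_anyconnect_profile(company_name, vpn_hostname, auth_timeout=60):
    """Render the profile. Values are XML-escaped so a '<' or '&' in an
    MDM-supplied variable cannot break or alter the document."""
    timeout = int(auth_timeout)
    if timeout <= 0:
        raise ValueError("AuthenticationTimeout must be a positive number of seconds")
    return PROFILE_TEMPLATE.format(ns=NS, timeout=timeout,
                                   name=escape(company_name), host=escape(vpn_hostname))


def read_profile_settings(profile_xml):
    """Parse a (deployed) profile and return the settings worth auditing."""
    root = ET.fromstring(profile_xml)
    q = lambda path: "/".join(f"{{{NS}}}{tag}" for tag in path.split("/"))
    he = "ServerList/HostEntry"
    return {
        "timeout": int(root.findtext(q("ClientInitialization/AuthenticationTimeout"))),
        "name": root.findtext(q(f"{he}/HostName")),
        "host": root.findtext(q(f"{he}/HostAddress")),
        "protocol": root.findtext(q(f"{he}/PrimaryProtocol")).strip(),
        "auth": root.findtext(q(f"{he}/PrimaryProtocol/StandardAuthenticationOnly/"
                                "AuthMethodDuringIKENegotiation")),
    }


def build_mdm_profile(identifier="com.example.anyconnect-sysext"):
    """Configuration profile (dict) carrying the two payloads from the tables."""
    def payload(ptype, suffix, **keys):
        pid = f"{identifier}.{suffix}"
        return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": pid,
                "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, pid)).upper(), **keys}
    sysext = payload("com.apple.system-extension-policy", "sysext", AllowUserOverrides=False,
                     AllowedSystemExtensions={TEAM_ID: [EXT_BUNDLE_ID]},
                     AllowedSystemExtensionTypes={TEAM_ID: ["NetworkExtension"]})
    content_filter = payload("com.apple.webcontent-filter", "filter",
                             FilterType="Plugin",  # assumed: third-party filter provider
                             AutoFilterEnabled=False, FilterBrowsers=False, FilterSockets=True,
                             FilterPackets=False, FilterGrade="firewall",
                             FilterDataProviderBundleIdentifier=EXT_BUNDLE_ID,
                             FilterDataProviderDesignatedRequirement=DESIGNATED_REQUIREMENT,
                             PluginBundleID=EXT_BUNDLE_ID,
                             UserDefinedName="Cisco AnyConnect Content Filter")
    return {"PayloadType": "Configuration", "PayloadVersion": 1, "PayloadScope": "System",
            "PayloadIdentifier": identifier, "PayloadDisplayName": "Cisco AnyConnect System Extension",
            "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, identifier)).upper(),
            "PayloadContent": [sysext, content_filter]}


def audit_mdm_profile(profile):
    """Cross-check the payloads; returns findings (empty list = consistent). Catches the
    usual drift: filter pointing at an extension the policy does not allow, or a
    designated requirement that no longer pins both bundle ID and team."""
    by_type = {p["PayloadType"]: p for p in profile.get("PayloadContent", [])}
    sysext = by_type.get("com.apple.system-extension-policy")
    flt = by_type.get("com.apple.webcontent-filter")
    if sysext is None or flt is None:
        return ["profile needs both a system-extension-policy and a webcontent-filter payload"]
    findings = []
    allowed = sysext.get("AllowedSystemExtensions", {}).get(TEAM_ID, [])
    for key in ("FilterDataProviderBundleIdentifier", "PluginBundleID"):
        if flt.get(key) not in allowed:
            findings.append(f"{key}={flt.get(key)} is not an allowed extension for team {TEAM_ID}")
    if "NetworkExtension" not in sysext.get("AllowedSystemExtensionTypes", {}).get(TEAM_ID, []):
        findings.append(f"NetworkExtension type is not allowed for team {TEAM_ID}")
    dr = flt.get("FilterDataProviderDesignatedRequirement", "")
    if f'identifier "{flt.get("PluginBundleID")}"' not in dr or f"subject.OU] = {TEAM_ID}" not in dr:
        findings.append("designated requirement does not pin both the bundle identifier and the team")
    return findings


def to_mobileconfig(profile):
    """Serialise the profile dict to .mobileconfig (XML plist) bytes."""
    return plistlib.dumps(profile)


if __name__ == "__main__":
    profile = build_anyconnect_profile("Example Corp", "vpn.example.com")  # constructed values
    print(read_profile_settings(profile))
    mdm = build_mdm_profile()
    print("MDM findings:", audit_mdm_profile(mdm) or "none")
```

`audit_mdm_profile` is the check to run before pushing a profile or after someone edits it in the MDM console: a filter payload whose `PluginBundleID` no longer matches the allowed extension, or a designated requirement that no longer names the team, would silently let a different binary satisfy the policy.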