This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Disclaimer
JUMPCLOUD EXPRESSLY DISCLAIMS ALL REPRESENTATIONS, WARRANTIES, CONDITIONS, AND LIABILITIES OF ANY KIND ARISING FROM OR RELATED TO THIRD-PARTY SOFTWARE, SCRIPTS, REPOSITORIES, AND APIS. JUMPCLOUD IS NOT REQUIRED TO SUPPORT ANY SUCH THIRD-PARTY MATERIALS AND ALL RISKS RELATED TO THIRD-PARTY MATERIALS ARE YOUR RESPONSIBILITY. PLEASE ALSO REVIEW THE JUMPCLOUD TOS.

Deploy and manage Cisco AnyConnect clients on macOS

JuergenKlaassen
Rising Star III
Rising Star III

‎12-08-2022 04:16 AM - edited ‎12-09-2022 07:13 PM

Hi

If you need to deploy/manage Cisco AnyConnect clients on macOS: you can find a great script here written by @Fulgubbe - which is working as expected for me. It just tweaked the XML for the profile a bit to my own needs. As an example, I bumped the AuthenticationTimeout to 60 seconds so that the users are able to respond to the Push-MFA. (How to use Push-MFA with RADIUS -> here and here)
<AuthenticationTimeout>60</AuthenticationTimeout>

 

 

 

 

<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
    <AuthenticationTimeout>60</AuthenticationTimeout>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
        <HostName>$companyName</HostName>
        <HostAddress>$vpnHostname</HostAddress>
        <PrimaryProtocol>IPsec
	        <StandardAuthenticationOnly>true
	            <AuthMethodDuringIKENegotiation>IKE-RSA</AuthMethodDuringIKENegotiation>
		    </StandardAuthenticationOnly>
	    </PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

 

 

 

 

Besides the deployment of the AnyConnect Client and the profile, it's recommended to configure the SystemExtension within a MDM-Policy
I configured the policy based on this guidance by Cisco for macOS 11:

Property Value
Team Identifier DE8Y96K9QP
Bundle Identifier com.cisco.anyconnect.macos.acsockext
System Extension Type NetworkExtension

 

Property Value
AutoFilerEnabled false
FilterBrowsers false
FilterSockets true
FilterPackets false
FilterGrade firewall
FilterDataProviderBundleIdentifier com.cisco.anyconnect.macos.acsockext
FilterDataProviderDesignatedRequirement anchor apple generic and identifier
"com.cisco.anyconnect.macos.acsockext"
and (certificate
leaf[field.1.2.840.113635.100.6.1.9]
/* exists */ or certificate
1[field.1.2.840.113635.100.6.2.6] /*
exists */ and certificate
leaf[field.1.2.840.113635.100.6.1.13]
/* exists */ and certificate
leaf[subject.OU] = DE8Y96K9QP)
PluginBundleID com.cisco.anyconnect.macos.acsockext
UserDefinedName Cisco AnyConnect Content Filter


Screenshot 2022-12-08 at 16.53.59.pngScreenshot 2022-12-08 at 16.54.23.png

Post deploying the client & profile via Command and enforcing the policy, I have configured and ready-to-use AnyConnect-VPN.
Screenshot 2022-12-08 at 17.04.43.png


Labels:
0 REPLIES 0
You Might Like

New to the site? Take a look at these additional resources:

Community created scripts:

Our new Radical Admin blog:

Keep up with Product News:

Read our community guidelines

Ready to join us? You can register here.