Introduction
This document describes how to enable or disable AnyConnect SWG Agent and Roaming Security Module on macOS.
Problem
After AnyConnect 4.8.x is installed with the Umbrella Roaming Security module, endpoints of customers with Umbrella SIG Essentials, the SIG add-on, or an ELA including SIG start forwarding DNS traffic and web traffic to the Umbrella Roaming Security Module and SWG, with no clear method to disable this behavior.
AnyConnect 4.8 MR1 was the first release to support Umbrella SWG from the endpoint, but rather than the SWG Agent having its own binary to install from, it was bundled with the same binary that installs Umbrella Roaming Security Agent.  Currently the SWG Agent can be controlled from the Umbrella dashboard, but this is a global setting that affects all endpoint installs. SWG selective sync can now be completed in the dashboard, 100 at a time.
Solution
Since macOS does not have the ability to control the state of the Roaming Security Module and SWG Agent locally, this must be managed using a scripted method. The Cisco Umbrella team has developed a few scripts to disable the SWG Agent, one to enable the SWG Agent, and scripts to disable and enable the Roaming Security Module. These scripts make the state persistent.
The scripts must be executed as root, but no reboot is required. Upgrading or re-installing AnyConnect re-enables the Roaming Security Module and SWG Agent, and the script must be executed again. Scripts can be found attached to the bottom of this article.
Checking the Status of the AnyConnect RSM Agent
 To ensure that the status of your AnyConnect RSM Agent is correct:
- Open the Cisco AnyConnect Secure Mobility Client
- Click Statistics
- Scroll down to "DNS Protection Status"

Note: Disabling the Umbrella Roaming Security Module also disables the SWG Agent, since the SWG Agent is dependent on the Umbrella Roaming Security Module.
 
Checking the Status of the AnyConnect SWG Agent
 To ensure that the status of your AnyConnect SWG Agent is correct:
- Open the Cisco AnyConnect Secure Mobility Client
- Click Statistics
- Scroll down to "Web Protection Status"
Scripts Usage
To run the scripts in macOS:
1. Make sure the scripts have sufficient permissions, especially write permission.
You can edit the script permissions from the macOS Terminal using this example command:
chmod 777 umbrella_swg_disable.sh
2. To run the script, you can use this example command:
sudo ./umbrella_swg_disable.sh
[Screenshot: sample successful output]
 
Note: Additional scripts are included for macOS 13+ with Secure Client version 5.1.X.XXX and later, and for macOS prior to 13 with Secure Client 5.0.x.
 
EFT for SWG Device Settings API
Using curl for a single machine:
curl --location 'https://api.umbrella.com/deployments/v2/deviceSettings/SWGEnabled/set' \
  --header 'Content-Type: application/json' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <your-token-here>' \
  --data '{ "value": "0", "originIds": [ 123456789 ] }'
Using a file with multiple machines (the @ prefix makes curl send the contents of the file rather than the literal path):
curl --location 'https://api.umbrella.com/deployments/v2/deviceSettings/SWGEnabled/set' \
  --header 'Content-Type: application/json' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <your-token-here>' \
  --data '@your-path/swg-stat.json'
More information can be found in our official developer documentation.
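
The multi-machine request above, as an added example that is not part of the original article or Cisco's scripts: a shell helper that builds the request body from a list of origin IDs and rejects malformed entries before anything is sent. It assumes the file passed to --data holds the same JSON object as the single-machine request, that "1" is the enabling counterpart of "0", and that the token is kept in an environment variable named UMBRELLA_TOKEN; the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example, not Cisco's code. Assumption: the body file has the same
# shape as the single-machine request, with more entries in originIds.

# build_swg_payload VALUE IDS_FILE
#   VALUE    "0" as in the article ("1" is assumed to re-enable)
#   IDS_FILE one numeric origin ID per line; blank lines and # comments skipped
# Prints the JSON body on stdout; returns 1 on invalid input.
build_swg_payload() {
    value=$1
    ids_file=$2
    case $value in
        0|1) ;;
        *) echo "value must be 0 or 1" >&2; return 1 ;;
    esac
    [ -r "$ids_file" ] || { echo "cannot read $ids_file" >&2; return 1; }

    cr=$(printf '\r')
    ids=""
    while read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}            # tolerate CRLF line endings
        case $line in
            ''|'#'*) continue ;;
            *[!0-9]*) echo "not a numeric origin ID: $line" >&2; return 1 ;;
        esac
        ids="${ids:+$ids, }$line"
    done < "$ids_file"

    [ -n "$ids" ] || { echo "no origin IDs found" >&2; return 1; }
    printf '{ "value": "%s", "originIds": [ %s ] }\n' "$value" "$ids"
}

# send_swg_payload BODY_FILE
# Posts the body. The bearer token is read from UMBRELLA_TOKEN (hypothetical
# name) and passed to curl on stdin, so it is not visible in the process list.
send_swg_payload() {
    [ -n "$UMBRELLA_TOKEN" ] || { echo "UMBRELLA_TOKEN is not set" >&2; return 1; }
    printf 'header = "Authorization: Bearer %s"\n' "$UMBRELLA_TOKEN" |
    curl --config - --fail --location \
        'https://api.umbrella.com/deployments/v2/deviceSettings/SWGEnabled/set' \
        --header 'Content-Type: application/json' \
        --header 'Accept: application/json' \
        --data "@$1"
}

# Usage:
#   build_swg_payload 0 origin-ids.txt > swg-stat.json && send_swg_payload swg-stat.json
```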