Cisco Secure Client Changes Related to macOS 11 (And Later)

On macOS 11 and later, Cisco Secure Client leverages the macOS System Extension framework, while it formerly used the now-deprecated Kernel Extension Framework. An administrator must approve the Cisco Secure Client system extension as described in the sections below.

About the Cisco Secure Client System Extension

Cisco Secure Client uses a network system extension on macOS 11 (and later), bundled into an application named Cisco Secure Client - Socket Filter. The app controls the extension activation and deactivation and is installed under /Applications/Cisco.

The Cisco Secure Client extension has the following three components that are visible in the macOS System Preferences-Network UI window:
  • DNS proxy

  • App/transparent proxy

  • Content filter

Cisco Secure Client requires its system extension and all its components to be active for proper operation, which implies that the mentioned components are all present and show as green (running) in the left pane of the macOS Network UI.

If a third-party product employs a system extension with DNS proxy capabilities, either Cisco Secure Client or the third-party product (or both) may not function properly, because macOS supports only one active DNS proxy extension at a time.

Approving the Cisco Secure Client System Extension

The Cisco Secure Client system extension activation requires either approval by an end user with administrator rights or MDM approval, as described in the two sections that follow.

Approve the System Extension Loading/Activation

Approve the Cisco Secure Client system extension and its content filter component by following the OS prompts or the more explicit Cisco Secure Client - Notification application's instructions.

Procedure


Step 1

When you receive the "System Extension Blocked" message from macOS, perform this operation:

  • For macOS 15 (and later), click the Open System Settings button in the Cisco Secure Client - Notification app and then choose Network Extensions in System Settings > General > Login Items & Extensions section.
  • For macOS 13 and 14, click the Open Preferences button in the Cisco Secure Client - Notification app, or the Open Security Preferences button. You can also navigate to the System Preferences application and go to the Security & Privacy window.

Step 2

Click the bottom-left lock and provide the requested credentials to unlock.

Step 3

For macOS 15, click to allow the Cisco Secure Client Socket Filter. For macOS 13 or 14, click Allow on the Security & Privacy window to accept the Cisco Secure Client - Socket Filter extension.


You will receive a "System Extension Enabled" message.

Approve the System Extension Using MDM

Approve the Cisco Secure Client system extension without end user interaction using a management profile's SystemExtensions payload with the following settings:

  • Team Identifier: DE8Y96K9QP

  • Bundle Identifier: com.cisco.anyconnect.macos.acsockext

  • System Extension Type: NetworkExtension

Approve the extension's content filter component with the following WebContentFilter payload settings:

  • AutoFilterEnabled: false

  • FilterBrowsers: false

  • FilterSockets: true

  • FilterPackets: false

  • FilterGrade: firewall

  • FilterDataProviderBundleIdentifier: com.cisco.anyconnect.macos.acsockext

  • FilterDataProviderDesignatedRequirement: anchor apple generic and identifier "com.cisco.anyconnect.macos.acsockext" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP)

  • PluginBundleID: com.cisco.anyconnect.macos.acsock

  • VendorConfig

  • UserDefinedName: Cisco AnyConnect Content Filter

Confirm Activation of Cisco Secure Client System Extension

To confirm that the Cisco Secure Client system extension has been approved and activated, run the systemextensionsctl list command:

% systemextensionsctl list
1 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* * DE8Y96K9QP com.cisco.anyconnect.macos.acsockext (5.0.00xxx/5.0.00xxx) Cisco Secure Client - Socket Filter Extension [activated enabled]

You can also check the System Preferences network UI to confirm that all three Cisco Secure Client extension components are active.
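The listing above is the only machine-readable confirmation that the extension is both activated and enabled. The following POSIX shell script is an added example, not part of the Cisco documentation: it reads a systemextensionsctl listing on standard input and succeeds only when the expected team ID and bundle identifier appear with the state "[activated enabled]", so a pending approval ("[activated waiting for user]") or a missing entry is reported as not ready. The two sample listings embedded in the script are constructed from the output shown above; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not Cisco's code): check that the Cisco Secure Client
# socket-filter system extension is listed as "[activated enabled]".
# Live use on a Mac:  systemextensionsctl list | sh check_acsockext.sh

EXPECTED_TEAM="DE8Y96K9QP"
EXPECTED_BUNDLE="com.cisco.anyconnect.macos.acsockext"

# Reads a systemextensionsctl listing on stdin. Returns 0 only when a line
# carries the expected team ID and bundle ID and ends in the state
# "[activated enabled]"; any other state (waiting for user, terminated,
# uninstalling) or a missing entry returns 1.
acsockext_is_active() {
    grep -F "$EXPECTED_TEAM" | grep -F "$EXPECTED_BUNDLE" | grep -q '\[activated enabled\]'
}

# Prints the bracketed state of the first matching line, or "missing" when
# the extension does not appear in the listing at all.
acsockext_state() {
    state=$(grep -F "$EXPECTED_BUNDLE" | sed -n 's/.*\(\[[^]]*\]\)[[:space:]]*$/\1/p' | head -n 1)
    printf '%s\n' "${state:-missing}"
}

# Constructed sample: the healthy listing shown in the documentation.
SAMPLE_OK='1 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* * DE8Y96K9QP com.cisco.anyconnect.macos.acsockext (5.0.00xxx/5.0.00xxx) Cisco Secure Client - Socket Filter Extension [activated enabled]'

# Constructed sample: the same extension before the administrator approves it.
SAMPLE_PENDING='1 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
    DE8Y96K9QP com.cisco.anyconnect.macos.acsockext (5.0.00xxx/5.0.00xxx) Cisco Secure Client - Socket Filter Extension [activated waiting for user]'

# Stand-alone demonstration on the two constructed samples.
for sample in "$SAMPLE_OK" "$SAMPLE_PENDING"; do
    if printf '%s\n' "$sample" | acsockext_is_active; then
        echo "OK: extension active ($(printf '%s\n' "$sample" | acsockext_state))"
    else
        echo "NOT READY: state is $(printf '%s\n' "$sample" | acsockext_state)"
    fi
done
```

The check deliberately matches the full state string rather than only the word "activated", because an extension that is activated but still waiting for user approval also prints "activated" and would otherwise pass.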

Deactivate the Cisco Secure Client System Extension

During Cisco Secure Client uninstallation, the user is prompted for administrator credentials to approve the system extension deactivation. On macOS 12 and later, the Cisco Secure Client system extension can be silently removed after deploying a management profile with the RemovableSystemExtensions property added to the SystemExtensions payload. This property must contain the bundle identifier of the Cisco Secure Client system extension (com.cisco.anyconnect.macos.acsockext).


Note


You should only use this management profile configuration when the administrator wants to automate the Cisco Secure Client uninstallation, as it grants any user or process with root privileges the ability to remove the Cisco Secure Client system extension, without prompting the user for a password.


Sample MDM Configuration Profile for Cisco Secure Client System Extension Approval

Use the following MDM configuration profile to load both the Cisco Secure Client system extension and the kernel extension, including the system extension's content filter component.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <!-- SystemExtensions and WebContentFilter payload dictionaries (not reproduced here) -->
    </array>
</dict>
</plist>

Managed Login Items

For macOS 13 (and later) and Secure Client 5.1, the VPN and ZTA modules require user approval before they can function. To perform the approval without user intervention, or to prevent users from disabling the Login Items owned by Secure Client, you must push an MDM profile with these attributes for Managed Login Items:

  • Bundle Identifier Prefix: com.cisco.secureclient

  • Team Identifier: DE8Y96K9QP

Refer to Web Deploy Upgrade on macOS 13 (or Later) Requires Admin Privileges or Apple Platform Deployment documentation for additional information.

Sample MDM Configuration Profile for Cisco Secure Client Managed Login Items

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadIdentifier</key>
            <string>com.example.myservicemanagementpayload</string>
            <key>PayloadUUID</key>
            <string>0d4e2ece-dfa7-4103-97ff-e91a9f842a1d</string>
            <key>PayloadType</key>
            <string>com.apple.servicemanagement</string>
            <key>Rules</key>
            <array>
                <dict>
                    <key>RuleType</key>
                    <string>BundleIdentifierPrefix</string>
                    <key>RuleValue</key>
                    <string>com.cisco.secureclient</string>
                    <key>Comment</key>
                    <string>All apps from CSC</string>
                </dict>
            </array>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Service Management</string>
    <key>PayloadIdentifier</key>
    <string>com.example.myprofile</string>
    <key>PayloadUUID</key>
    <string>03cca12c-a610-44c2-96f9-fdabe3acd47d</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadScope</key>
    <string>System</string>
</dict>
</plist>