Deploy Cisco AnyConnect VPN on macOS devices with 2FA

Background

This post is once again focused on macOS devices since, over the past few days, there have been discussions in various communities about installing the Cisco AnyConnect VPN solution on business-owned macOS machines. So, I thought of sharing my own experience of deploying the VPN solution with no user interaction required and, at the same time, securing it 2FA. Reason for 2FA – Ensure that users can only connect to this VPN solution from a corporate device, as anyone can easily download & connect the VPN client from their personal devices.

---

Cisco AnyConnect VPN Deployment

Like any other VPN solution, the Cisco AnyConnect VPN allows you to connect to the corporate network allowing access to specific allowed resources and services as if you are on the corporate network.

Deploying AnyConnect involves silently installing, configuring, and upgrading the AnyConnect client and its related files on end user’s devices:

The Cisco AnyConnect Secure Mobility Client can be deployed remotely to devices by the following methods:

• Predeploy – The end-user does new installations and upgrades, or it is pushed using an enterprise device management system.

• Web Deploy – The AnyConnect package is loaded on the headend, an ASA or FTD firewall, or an ISE server. When the user connects to a firewall or ISE, AnyConnect is deployed to the client.

You can include optional modules that enable supplemental features, client profiles that set up the VPN, and optional features when you deploy AnyConnect.

As we are focused on Intune as an enterprise device management system, in this article, we will focus on the first approach of deployment, i.e. “Predeploy”.

---

What Do You Need To Start With?

To start with, you need to have access to the following:

• AnyConnect package
• Modules to support extra features
• Client profiles that configure AnyConnect and the extra features, which you will create
• Language files, images, scripts, and help files for customizing the deployment
• AnyConnect ISE Posture and the compliance module

---

AnyConnect System Extension

AnyConnect uses a network system extension on macOS 11 (and later), bundled into an application named Cisco AnyConnect Socket Filter. The AnyConnect extension has the following three components that are visible in the macOS System Preferences-Network UI window:

• DNS proxy
• App/transparent proxy
• Content filter

AnyConnect requires its system extension and all its components to be active for proper operation, which implies that the mentioned components are all present and show as green (running) in the left pane of the macOS Network UI.

For installation in the system context, macOS requires the extension to be approved via MDM without end-user interaction.

---

Intune Configurations

To approve the AnyConnect system extension without end-user interaction, we need to push the system extension payload to the devices using Intune. To do so, follow these steps:

1. Login to Intune portal.

2. Navigate to Devices -> macOS -> Configuration Profiles and select create a profile.

3. From the profile type dropdown, select Templates ->Extensions profile

4. In Basics, enter the name & description to match the purpose of the profile.

5. In the System Extensions – Set the Team identification to “DE8Y96K9QP” and the Bundle identifier to “com.cisco.anyconnect.macos.acsockext“

7. Under Allowed system extension types, add a line to allow team identifier “DE8Y96K9QP” to provide “Network extensions”.

8. Next, review and assign it to the required group.

This is how the configuration profile should look like:

---

WebContentFilter Payload Settings

Sadly, there isn’t a way to accomplish this via the online UI of Microsoft Intune. You must first build an XML configuration and then upload it as a configuration profile. To do so, please follow the steps:

1. Login to Intune portal.

2. Navigate to Devices -> macOS -> Configuration Profiles and select create a profile.

3. From the profile type dropdown, select Templates ->Custom profile

4. In Basics, enter the name & description to match the purpose of the profile.

5. You can use the below table to create your XML file:

Or, you can copy-paste and save this as XML to upload to the profile:

PayloadContent


Enabled
FilterType
Plugin
AutoFilterEnabled

FilterBrowsers

FilterSockets
FilterPackets

FilterGrade
firewall
FilterDataProviderBundleIdentifier
com.cisco.anyconnect.macos.acsockext
FilterDataProviderDesignatedRequirement
anchor apple generic and identifier “com.cisco.anyconnect.macos.acsockext” and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP)
PluginBundleID
com.cisco.anyconnect.macos.acsock
VendorConfig

UserDefinedName
Cisco AnyConnect Content Filter
PayloadDisplayName
Cisco AnyConnect Content Filter
PayloadIdentifier
com.cisco.anyconnect.webcontentfilter.42B8BA0E-57F4-4E57-872B-1F5FCB8527EA.2512DB6A-B5EA-41DB-B6C6-3A07726C214E
PayloadType
com.apple.webcontent-filter
PayloadUUID
2512DB6A-B5EA-41DB-B6C6-3A07726C214E
PayloadVersion
1


PayloadDisplayName
Cisco AnyConnect Content Filter
PayloadIdentifier
com.cisco.anyconnect.webcontentfilter.42B8BA0E-57F4-4E57-872B-1F5FCB8527EA
PayloadScope
System
PayloadType
Configuration
PayloadUUID
42B8BA0E-57F4-4E57-872B-1F5FCB8527EA
PayloadVersion
1

---

Cisco AnyConnect Profile

As a next step, we will create the required profile for the VPN client and will push it to the devices as a shell script.

Shell Script for profile:

!/bin/sh

mkdir -p /opt/cisco/anyconnect/profile

cat </opt/cisco/anyconnect/profile/profile.xml




x.x.x.x
https://x.x.x.x



EOF

• Sign in to the Intune portal.

• Select Devices > macOS > Shell scripts > Add.

• In Basics, enter the name and description and click Next.

• In Script settings, upload the script and configure the parameters as follows:
  • Run the script as a signed-in user: No
  • Hide script notifications on devices: Not Configured
  • Script frequency: Not Configured
  • Max number of times to retry if script fails: 3 Times

• Assign the script to your device group

---

Cisco AnyConnect Package

When it comes to iOS/macOS devices, I prefer to push the corporate apps as LOB apps as it gives more control over the app.

P.S – The feature is in public preview

The following prerequisites must be met before a macOS DMG app is installed on macOS devices.

1. Intune manages devices.
2. DMG app is smaller than 2GB in size.
3. The Microsoft Intune management agent for macOS is installed.

Follow the steps to push the VPN client to the devices:

• Sign in to the Intune portal.

• Select Apps > All apps > Add.

• In the Select app type pane, under the Other app types, select macOS app (DMG).

• In the App package file pane, select the browse button. Then, select the Cisco AnyConnect VPN DMG file with the extension .dmg. The app details will be displayed.

• When you’re finished, select OK on the App package file pane to add the app.

• Once done, deploy the app to your device group.

---

Trespassing Not Allowed

Alright, so by now, you have deployed the VPN app and configured all the required settings so that the app gets installed without any user interaction.

Now, as the last part of this post, let’s control the configuration so that the connection can only be initiated from a corporate device.

And to achieve this, you need to define specific parameters in the Cisco ISE platform that ensures that the device initiating the connection is a corporate device. There are numerous ways of doing it; you just need to make sure that the parameter you define is unique and cannot be modified at the device level.

An example of configuration:

1. You check for your SHA1 signature of any signed/wrapped app deployed on the macOS devices.
2. You specify the path of a specific file that is hardcoded in the system preferences where user access is restricted.
3. Device latest patch level with MDE

So, when the user initiates the VPN connection, the device will be evaluated first and once passed, only then will it be allowed to access corporate resources.

---

Summary

You can easily deploy the Cisco Anyconnect VPN client to your corporate macOS devices.

I’d love to know what you think, so do leave your comments below, and if you liked it, then do share it.

Cheers/

Somesh