Re: Cisco Anyconnect Profile Editor Download


Alfonzo Liebenstein

Jul 12, 2024, 7:27:35 AM
to tiquapoomal

Using the profile editor: The VPN profile editor can be downloaded from the AnyConnect Settings page on the dashboard or from Cisco.com. The profile editor only runs on Windows operating systems. The screenshot below shows a configured server with the Server List Entry option.




5. At least 1 Trusted DNS Domain or 1 Trusted DNS server is required when configuring Always-On VPN (more information regarding these Trusted DNS settings can be found in the Cisco AnyConnect Secure Mobility Client Administrator Guide).

8. Click File, Save the profile, then upload it on the Dashboard > Security & SD-WAN > AnyConnect Settings > "Profile Update option" and save your configuration. Profiles can also be pushed to users via other methods e.g. via Systems Manager.

1. Install the AnyConnect Start Before Logon Module. There is a separate executable called "sbl-predeploy" in the AnyConnect for Windows installation folder, as shown below.


2. Once the SBL installation is complete, enable Start Before Logon (SBL) in the AnyConnect Profile and push the profile to the client.

Click File, Save the profile, then upload it on the Dashboard > Security & SD-WAN > AnyConnect Settings > "Profile Update option" and save your configuration. Profiles can also be pushed to users via other methods e.g. via Systems Manager.

The profile will get updated on the client after successfully connecting to the VPN or if manually updated on the client. Please note that profiles get overridden on the client if the new profile and the old one on the client share the same file name. Please note, the user must reboot the remote computer before SBL takes effect. After a reboot, users can use the network sign-in option to launch and connect to AnyConnect VPN.

We've been using the AnyConnect client to connect VPN users to our MX84, and it works fine without any issues when just manually copy/pasting the ddns name for the VPN, but we have multiple sites, and are starting to get a few users that connect to multiple sites, so looking to add a profile that will list all of the available servers to connect to.

I used the VPN profile editor to create a profile, added our servers to the server list, and saved the "profile.xml" file to the "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile" folder on the workstation, but no matter what I do, nothing shows up in the AnyConnect GUI dropdown. I have rebooted and that didn't help either.

Any ideas? Most of my searches indicate this happening when the file is not in the correct folder, or a malformed XML file. I used the VPN editor, so I'm assuming that the XML file is good, but I don't really know how to verify that.

One of the last issues we are trying to resolve is getting the VPN profiles to work with the client. When the profile is downloaded from our MX68 appliance it works, and the dropdown box populates with multiple gateways. However, the powers that be require the profiles to be set before our users connect to the VPN for the first time.

However, after manually placing the .xml file in the profile folder it doesn't populate. I have restarted the services, rebooted, reinstalled, renamed the .xml, remade the file via the profile builder, but nothing I've tried so far has gotten this to work.

EDIT: To anyone who stumbles on this in the future, the "Profile.xml" is case sensitive. If you attempt to use "profile.xml" for the Cisco VPN client, it will not work. @alemabrahao had the solution dead on, this is just a reminder to double check the case of your file.

It's weird because I have been scouring looking for info and what is provided is generally what I have / had done.

@alemabrahao I used your exact profile format posted above thinking maybe it's my file, but still the same result.

When you upload the profile in the Meraki dashboard, it ALWAYS appends .XML when it is downloaded by AnyConnect. So if you upload company.xml, it gets downloaded as company.xml.xml. So I tend to upload the profiles without an extension.

Next, if you have another Cisco product, such as Cisco Umbrella, you get to use Cisco SecureX. You can buy just a single licence for Cisco Umbrella (cheap) and not even use it, to get access to SecureX.

Why might you want to use Cisco SecureX? Because it cloud manages AnyConnect. You no longer use profiles - you control the settings in the Cisco SecureX dashboard. You can automate software updates, create test profiles, etc. Basically, this is the way you want to be rolling out new AnyConnect deployments.

I am trying to figure out a way to attach the .xml file I created with the profile editor in Kace. I am able to deploy the client with no issues at all but I figured there would have to be a way to include the default IP that the client needs to connect to, right? Currently, I have the .xml file attached in the scripting tab as a dependency but apparently I'm not doing something quite right. Any advice would be appreciated.

We are using Cisco Anyconnect and our install procedure for macOS Catalina (and Mojave) was working very well. We had created a configuration profile with the needed kernel exceptions and with this configuration profile we installed Cisco Anyconnect "silent".

For the System Extension, create a new Configuration Profile in Jamf. Select System Extensions and choose Allowed System Extensions. Add the Team ID: DE8Y96K9QP and add approved system extension id com.cisco.anyconnect.macos.acsockext.

For the web filter it is a little harder because Jamf Pro 10.25.2 does not currently support the Web Filter Content Filter payload. You can use Profile Creator or iMazing Profile editor to create the Web Content filter. Cisco provides the correct setting in this document:

There is the text of a configuration profile in the following advisory document. You can copy it into a text edit and save it as a .mobileconfig. I had to sign it using ProfileCreator and a certificate generated from Jamf.

Can anyone share a working profile from ProfileCreator (of course it does not need to be signed)? I can't get the socket filter working to automatically enable without a popup. Trying on a brand new MacBook Pro with M1 chipset.

I copied and saved as a mobileconfig file. Uploaded it to our Jamf Pro v10.26 server as a config profile and deployed to my M1 MBA. The config profile failed to load. I then proceeded to remove the kernel extension piece, leaving the system extension and content filtering. The profile loaded successfully on the M1 but it failed to bypass the user popup prompt to allow Cisco Socket Filter to load. Is the Kernel Extension portion needed on Big Sur? Can someone share their screenshots of their working config profile for Cisco AnyConnect?

Kernel Extension approval should not be needed for Big Sur (I don't have it enabled in my test computer.) But, my understanding is that if you push AnyConnect to Catalina or lower it will still use a KEXT instead of a SysExt. You will probably want to create two AnyConnect profiles: one for KEXT approval on Catalina or lower and one for SysExt on Big Sur (or higher) and create the appropriate Smart Groups and scopes.

@sgiesbrecht: Hello sgiesbrecht, first, I wish you a great and healthy 2021 :-) I think, the issues, you write about, are pointed on Big Sur, but you do not write, what kind of issues they are. It would be helpful, to know what kind of issues you face, to be able to help you to find a solution.
Are there any messages appearing? What does the logfile content say?

@NOVELLUS I have it solved and is now working with 1 minor issue, which I think it is more of the application than the installation. My issue was the System Extension setup. I will post my settings when my server is back up (if anyone wants the screenshots) - doing changes right now.

So, my content filter settings look just like the ones above from @ericsontech but I'm still having issues on Big Sur. When the profile is installed I only get one new entry in the network adapters list. When I install AnyConnect 4.9, I'm still prompted to allow the filtering and then I get 3 items added to the network adapters list. Anyone get the filtering part working?

I just started testing with Big Sur 11.2.2 and AnyConnect 4.9.04043 on Intel architecture and I can't get the System Extension to be allowed without user prompt. I've tried with just team id, with the NetworkExtension extension type, and with the extension name and it will never stop prompting. I've rebooted between every attempt, even tried a fresh system.

@jon.verret We have it configured this way. One thing I learned is the Configuration Profile has to be installed on the Mac BEFORE AnyConnect drops the system extension. If the system extension is on there first, the user must approve. It's just how system extensions work and is kinda dumb; it's not a JAMF thing. It is possible to remove a System Extension but you have to disable SIP first, at least for now according to the binaries notification. The screenshot below is the configuration profile that resulted from a JAMF ticket on this matter.

I've got a related problem in that the Configuration Profile supplied by an Apple Engineer works perfectly in Big Sur on Intel but deploys and doesn't work on Big Sur M1 Macs. I opened a ticket with AppleCare and was told to try AnyConnect 4.9.06037.
I'm looking forward to getting my hands on it to test.
Anyone tried it yet?
- Scott

@NOVELLUS Can you explain, how you managed to install AnyConnect without socket filter? Since you don't use a content filter policy it looks like you really just have the VPN Client installed. Even when we install manually and unselect all options, the socket filter app gets installed along with the security mobility client.

@jexon we are using the "anyconnect-macos-4.9.04043-core-vpn-webdeploy-k9.pkg" This is installing only the vpn client.
In addition to this, we are deploying a configuration profile with settings for system extensions and content filtering as seen below. This works for us. The installation is running silent.
If the user will be connected with our VPN, the newest version of AnyConnect will be downloaded and installed automatically.
We do not have any M1 Macs at this time.
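
One way to check a saved profile before copying it to clients, covering the "how do I verify the XML" question and the doubled `.xml.xml` name mentioned above. This is an added example, not part of the original posts or of Cisco's tooling. It assumes the element names `AnyConnectProfile`, `HostEntry`, `HostName` and `HostAddress` written by the profile editor; the sample profile, its host names and the `check_profile` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile (not taken from the thread); host names are placeholders.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry><HostName>Site A</HostName><HostAddress>site-a.example.net</HostAddress></HostEntry>
    <HostEntry><HostName>Site B</HostName><HostAddress>site-b.example.net</HostAddress></HostEntry>
  </ServerList>
</AnyConnectProfile>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]

def check_profile(name, data):
    """Return (hosts, problems) for profile bytes `data` stored under file name `name`."""
    hosts, problems = [], []
    if name.lower().endswith(".xml.xml"):
        problems.append("double .xml extension")
    elif not name.lower().endswith(".xml"):
        problems.append("file name does not end in .xml")
    if b"<!DOCTYPE" in data:
        # A profile needs no DTD; refusing one avoids entity-expansion input.
        return hosts, problems + ["DOCTYPE not allowed"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return hosts, problems + [f"not well-formed XML: {exc}"]
    if local(root.tag) != "AnyConnectProfile":
        problems.append(f"unexpected root element <{local(root.tag)}>")
    for el in root.iter():
        if local(el.tag) != "HostEntry":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in el}
        if not fields.get("HostName"):
            problems.append("HostEntry without a HostName")
        else:
            hosts.append((fields["HostName"], fields.get("HostAddress", "")))
    if not hosts:
        problems.append("no usable HostEntry found")
    return hosts, problems

if __name__ == "__main__":
    print(check_profile("company.xml", SAMPLE))
    print(check_profile("company.xml.xml", SAMPLE.replace(b"</ServerList>", b"")))
```

An empty `problems` list only means the file parses and carries server entries; it does not validate the profile against Cisco's schema.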
