[MacTUG] AnyConnect and MacOS Big Sur

Dave Aldwinckle daldwinc at uwaterloo.ca
Thu Nov 19 10:33:07 EST 2020


We’re going to deploy the new package before updating the firewall software. You will see a banner on the VPN now:

*** AnyConnect client update ***

On Tuesday November 24th at 7:00 AM, the Cisco AnyConnect client will be updated automatically when a connection is made to the VPN. This message will persist until Wednesday November 25th, even if you have already updated.

The new client introduces support for MacOS Big Sur as well as bug fixes and enhancements for all operating systems. Deployment packages will be available through the usual IST release channels.

 

--
Dave

Dave Aldwinckle
Networks Supervisor | Network Services
Information Systems and Technology | University of Waterloo
200 University Ave W | Waterloo, ON | N2L 3G1
519-888-4567 Ext. 41145 | daldwinc at uwaterloo.ca

 

 

From: MacTUG <mactug-bounces at lists.uwaterloo.ca> on behalf of Dave Aldwinckle <daldwinc at uwaterloo.ca>
Date: Saturday, November 14, 2020 at 2:40 PM
To: "mactug at lists.uwaterloo.ca" <MacTUG at lists.uwaterloo.ca>
Subject: [MacTUG] AnyConnect and MacOS Big Sur

 

Hi MacTUG,

We have been aware of the AnyConnect warnings for some time, and we do have a strategy for updating the client. Our firewall platform that runs the VPN endpoint is capable of offering the 4.9.x AnyConnect revisions, so there is nothing to worry about in that department. There are more daily users on the VPN due to the pandemic than ever before, so we are being cautious, while also navigating around a few bugs in newer client versions and other obstacles. My goal is to keep as many clients as possible working without issues, while we determine the best way to offer a client that is compatible with Big Sur.

Before upgrading the AnyConnect client, we will be looking at doing a firmware upgrade on the firewall platform. This will introduce a number of enhancements, including DTLS 1.2, which should increase VPN performance. The upgrade has been delayed for two reasons. First, we were waiting for it to be marked as the recommended version from the vendor, which generally happens when they consider it the best, most stable release. We also did not want this update to take place too close to the implementation of 2FA, so as to minimize any issues that may arise from either change. When the 2FA deployment was pushed back, so was the firmware upgrade.

I’ll be able to give additional details next week once the 2FA VPN change is applied, and I have a Big Sur device in my possession.

Regards,

Dave

 

Dave Aldwinckle 
Networks Supervisor | Network Services
Information Systems and Technology | University of Waterloo
200 University Ave W | Waterloo, ON | N2L 3G1
519-888-4567 Ext. 41145 | daldwinc at uwaterloo.ca

 

 

From: MacTUG <mactug-bounces at lists.uwaterloo.ca> on behalf of "jjohnston at uwaterloo.ca" <jjohnston at uwaterloo.ca>
Date: Friday, November 13, 2020 at 4:38 PM
To: "mactug at lists.uwaterloo.ca" <MacTUG at lists.uwaterloo.ca>
Subject: Re: [MacTUG] FW: Software Update - MacOS Big Sur & Safari 14.0.1

 

AnyConnect will work under Big Sur, but it has different failure modes. Sometimes it:

  - Works fine
  - the OS flags it as a 32-bit app and won't even let you uninstall it (run a manual uninstallation as mentioned below, then reinstall app)
  - the OS doesn't trust the System Extension (repeatedly). Go to system preferences, enable it, reboot -- repeat until the system preferences no longer complains (took 3 tries on one machine). Could also just reinstall.
  - Installs fine, launches fine then the GUI gets into a tight loop demanding that you enter a valid server address, but the pop-ups block access to the input field AND you cannot kill it through normal methods (GUI is too busy). So, do a 'ps' and kill it from a command prompt. It will work fine on the next launch.

These are all of the cases that I've encountered/debugged so far. There are probably more.

All of the above is happening on classic Macs with Intel chips ... I haven't tried Apple Silicon yet.

 

Jim

 

From: MacTUG <mactug-bounces at lists.uwaterloo.ca> On Behalf Of jjohnston at uwaterloo.ca
Sent: November 13, 2020 3:04 PM
To: mactug at lists.uwaterloo.ca
Subject: Re: [MacTUG] FW: Software Update - MacOS Big Sur & Safari 14.0.1

 

 

On my Big Sur test Mac, I ran (as root):

root at mfcfmac41 ~ # /opt/cisco/vpn/bin/vpn_uninstall.sh
Uninstalling Cisco AnyConnect Secure Mobility Client...
/opt/cisco/vpn/bin/vpn_uninstall.sh: line 88: /opt/cisco/anyconnect/bin/manifesttool: Bad CPU type in executable
Executing: /usr/bin/kmutil showloaded
No variant specified, falling back to release
Successfully removed Cisco AnyConnect Secure Mobility Client from the system.

Then I clean installed the VPN client again and it works fine now.

In this case I installed the client via JAMF policy, but that policy literally runs the installer that we grabbed from cn-vpn.uwaterloo.ca, so it should work for anyone.

This version of the client still asks for the Cisco system extension to be approved, and a reboot to activate it once the user has approved it.

  System Preferences -> Security & Privacy -> New system extension... (at bottom)

So, as long as the end user has local admin rights (or you can screen share), or the Mac is managed and MDM/DEP is configured correctly, then this will be a nuisance but not insurmountable.

 

Jim

 
