macOS Cisco AnyConnect System Extension

Introduction

The latest version of AnyConnect leverages the System Extension framework available in macOS 11 (Big Sur) and above. There are important changes in approving the AnyConnect system extension, as detailed in the next section.

About the AnyConnect System Extension

AnyConnect uses a network system extension on macOS 11, bundled into an application named Cisco AnyConnect Socket Filter. (This app controls the extension activation and deactivation and is installed under /Applications/Cisco.)

The AnyConnect extension has the following three components:

  • DNS proxy
  • App/Transparent proxy
  • Content filter

These components are visible in the macOS System Preferences – Network UI window:

Network menu under system preferences
System preferences menu with VPN selected
System preferences Network menu with Content filter component selected

AnyConnect requires its system extension and all of its components to be active in order to operate properly. This means the three components listed above must all be present and shown as green/running in the left pane of the macOS Network UI, as in the screenshots above.

Approving the AnyConnect System Extension

The AnyConnect system extension and its content filter component can be approved by the end user, following either the OS prompts, or the more explicit AnyConnect Notification app’s instructions.

System block extension image
Extension blocked with option to go to system preferences to change this

After opening the Security & Privacy Preferences window, click the bottom-left lock and provide the requested credentials, as prompted, to unlock it and allow changes. The window’s appearance depends on whether the AnyConnect extension is the only one requiring approval. If that’s the case, simply click the Allow button.

AnyConnect extension approval screen

Otherwise click the Details button, then select the Cisco AnyConnect Socket Filter check box and click OK.

AnyConnect extension approval showing multiple unapproved extensions

Shortly after approving the AnyConnect extension, the user is shown another popup, this time for approving the extension’s content filter component.

After the extension’s content filter approval is complete, the extension and its components should be active, as confirmed by the AnyConnect Notification app.

AnyConnect extension's content filter approval popup
AnyConnect extension approval confirmation popup
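
The approval result can also be checked from a terminal with the macOS `systemextensionsctl list` command. The script below is an added example, not Cisco's own tooling: it classifies the extension state from that command's output. It assumes the name column contains the app name given on this page; the sample output, team ID and bundle ID in it are constructed placeholders.

```shell
#!/bin/sh
# Added example: classify the AnyConnect system extension state from
# `systemextensionsctl list` output read on stdin.
# Assumption: the list's name column contains the app name used on this page.
EXT_NAME="Cisco AnyConnect Socket Filter"

# Prints: active | needs-approval | pending-removal | not-installed | unknown:<state>
anyconnect_ext_state() {
    awk -v name="$EXT_NAME" '
        index($0, name) {
            found = 1
            # The state is the [bracketed] field at the end of the entry.
            if (match($0, /\[[^]]*\]/)) {
                state = substr($0, RSTART + 1, RLENGTH - 2)
                if (state == "activated enabled")      active = 1
                else if (state ~ /waiting for user/)   waiting = 1
                else if (state ~ /uninstall/)          removing = 1
                else                                   other = state
            }
        }
        END {
            # An upgrade can leave an old entry beside the new one,
            # so an enabled entry takes priority over the others.
            if (!found)        print "not-installed"
            else if (active)   print "active"
            else if (waiting)  print "needs-approval"
            else if (removing) print "pending-removal"
            else               print "unknown:" other
        }'
}

# Constructed sample: an extension that still awaits user approval.
sample_output() {
    printf '%s\n' '1 extension(s)'
    printf '%s\n' '--- com.apple.system_extension.network_extension'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '\t\tTEAMID0000\tcom.example.placeholder (1.0/1.0)\t%s\t[activated waiting for user]\n' "$EXT_NAME"
}

# On a Mac, check the live state; elsewhere this step is skipped.
if command -v systemextensionsctl >/dev/null 2>&1; then
    systemextensionsctl list | anyconnect_ext_state
fi
```

A result of `needs-approval` means the Allow step in Security & Privacy has not been completed yet.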

AnyConnect Extension Deactivation

During AnyConnect removal, the user is prompted for admin credentials in order to approve the system extension deactivation:

Extension deactivation prompt for user name and password