MacOS Cisco Anyconnect System Extension

About the AnyConnect System Extension

AnyConnect uses a network system extension on macOS 11, bundled into an application named Cisco AnyConnect Socket Filter. (This app controls the extension activation and deactivation and is installed under /Applications/Cisco.)

The AnyConnect extension has the following three components:

• DNS proxy
• App/Transparent proxy
• Content filter

These components are visible in the macOS System Preferences – Network UI window:

‌AnyConnect requires its system extension and all its components to be active in order to operate properly, which implies that the mentioned components are all present and show up as green/running in the left pane of the macOS Network UI, as per above screenshots.

Approving the AnyConnect System Extension

The AnyConnect system extension and its content filter component can be approved by the end user, following either the OS prompts, or the more explicit AnyConnect Notification app’s instructions.

After opening the Security & Privacy Preferences window, click the bottom-left lock and provide the requested credentials, as prompted, to unlock it and allow changes. The window’s appearance depends on whether the AnyConnect extension is the only one requiring approval. If that’s the case, simply click the Allow button.

Otherwise click the Details button, then select the Cisco AnyConnect Socket Filter check box and click OK.

Shortly after approving the AnyConnect extension, the user is shown another popup, this time for approving the extension’s content filter component.

After the extension’s content filter approval is complete, the extension and its components should be active, as confirmed by the AnyConnect Notification app.

During AnyConnect removal, the user is prompted for admin credentials in order to approve the system extension deactivation:‌