MacOS Cisco Anyconnect System Extension
Introduction
The latest version of AnyConnect leverages the System Extension framework available in macOS 11 (Big Sur) and above. There are important changes in approving the AnyConnect system extension, as detailed in the next section.
About the AnyConnect System Extension
AnyConnect uses a network system extension on macOS 11, bundled into an application named Cisco AnyConnect Socket Filter. (This app controls the extension activation and deactivation and is installed under /Applications/Cisco.)
The AnyConnect extension has the following three components:
- DNS proxy
- App/Transparent proxy
- Content filter
These components are visible in the macOS System Preferences – Network UI window:
AnyConnect requires its system extension and all its components to be active in order to operate properly, which implies that the mentioned components are all present and show up as green/running in the left pane of the macOS Network UI, as per above screenshots.
Approving the AnyConnect System Extension
The AnyConnect system extension and its content filter component can be approved by the end user, following either the OS prompts, or the more explicit AnyConnect Notification app’s instructions.
After opening the Security & Privacy Preferences window, click the bottom-left lock and provide the requested credentials, as prompted, to unlock it and allow changes. The window’s appearance depends on whether the AnyConnect extension is the only one requiring approval. If that’s the case, simply click the Allow button.
Otherwise click the Details button, then select the Cisco AnyConnect Socket Filter check box and click OK.
Shortly after approving the AnyConnect extension, the user is shown another popup, this time for approving the extension’s content filter component.
After the extension’s content filter approval is complete, the extension and its components should be active, as confirmed by the AnyConnect Notification app.
AnyConnect Extension Deactivation
During AnyConnect removal, the user is prompted for admin credentials in order to approve the system extension deactivation: