Migrating to Cisco Secure Client 5

Cisco has announced the end-of-life for Cisco AnyConnect Secure Mobility Client 4 as March 31, 2024. Over the next year, customers should move to its replacement: Cisco Secure Client 5.

While Cisco Secure Client 5 will upgrade AnyConnect 4.x in-place, this action is more of a migration than an in-place upgrade because so many of the places have changed. Names, file paths, icons, and launch agents & daemons are all different.

Bundle identifiers and Cisco’s Team ID have remained the same, thankfully. Therefore, system extension approvals and login item management (based on Team ID) should work without changes.

Here’s an in-depth look at the changes, comparing AnyConnect 4.10.06090 and Secure Client 5.0.02075.

The Application

“Cisco AnyConnect Secure Mobility Client” is the full formal name of AnyConnect 4 and earlier. “Cisco Secure Client” could be seen as a simplification of that name, but it’s also quite generic. I tend to search for “AnyConnect” in Spotlight to launch that client, and I will have to retrain myself.

Applications in /Applications/Cisco are renamed as follows:

AnyConnect 4.10 nameSecure Client 5 name
Cisco AnyConnect Secure Mobility Client.appCisco Secure Client.app
Cisco AnyConnect DART.appCisco Secure Client – DART.app
Cisco AnyConnect Socket Filter.appCisco Secure Client – Socket Filter.app
Uninstall AnyConnect.appUninstall Cisco Secure Client.app
Uninstall AnyConnect DART.appUninstall Cisco Secure Client – DART.app

Obviously these new names change the path to any files contained within. The executables are also renamed, but the bundle identifiers are the same as AnyConnect 4.10. The renamed apps all have updated icons:

Icons within the client also have an updated look:


In AnyConnect 4.10, the disk image file had a name patterned like:
In Secure Client 5, it’s now:

Inside the disk image, the package is now named Cisco Secure Client.pkg rather than AnyConnect.pkg.

The Profiles folder is still present on the disk image and, after converting the dmg to read-write, can be used to seed profiles and configuration for the different AnyConnect Secure Client modules.

Speaking of the modules, many customers do not install all the modules and need to customize their installation with a choice changes xml file. The default XML is still generated with a command like installer -showChoiceChangesXML -pkg "/Volumes/Cisco Secure Client 5.0.02075/Cisco Secure Client.pkg", but the critical thing to know here is that the names of the choices are updated to reflect some branding changes.

AnyConnect 4.10 choiceSecure Client 5 choice

Changes in /opt

AnyConnect and Secure Client both install resources in /opt. The main change here is that where AnyConnect used /opt/cisco/anyconnect and /opt/cisco/hostscan, Secure Client uses /opt/cisco/secureclient. /opt/cisco/hostscan is moved to /opt/cisco/secureclient/securefirewallposture.

The new /opt paths changes the path of every built-in uninstall script but none so more than
which is now

(Ok I write that and then I realize that
is now

VPN profiles can now be placed in /opt/cisco/secureclient/vpn/profile if they weren’t supplied during package installation.

The command-line VPN client is now /opt/cisco/secureclient/bin/vpn.

Launch Agents/Daemons

Launch Agents and Daemons have updated labels and paths to reflect the new product name. (The labels were slightly different than shown here in the initial 5.0.00556 release but were made more consistent in 5.0.01242.)

Launch Agents 4.10Launch Agents 5.0
Launch Daemons 4.10Launch Daemons 5.0

The 5.0 Launch Agents/Daemons use macOS 13’s new AssociatedBundleIdentifiers key to match them with applications.

Kernel extension

The (deprecated) kernel extension is now installed in /Library/Application Support/Cisco/Cisco Secure Client.

Migration considerations

  • Cisco’s disk image and package will perform a migration. It will uninstall AnyConnect components, move configuration files, etc.
  • Repackaging Cisco Secure Client will skip the built-in migrations of the factory package.
  • A significant risk, and one of the primary reasons I call this a migration, is that when Cisco Secure Client is installed, Cisco AnyConnect should not be re-installed. Updating the logic in one’s device management that determines if AnyConnect should be (re-)installed is critical. For example, a Jamf Smart Group that scopes AnyConnect install policies, needs to be updated to exclude Macs with Cisco Secure Client installed.
  • Any scripting around AnyConnect, including custom inventory items, needs to be audited and updated to deal with the new file paths and possibly handle both old and new paths.
  • Custom choice changes XML files must be updated to must match the new choice names listed above.

Good luck with your migration!

I have written a new script for installing Cisco Secure Client 5. In my next post, I’ll describe how it handles the user side of this migration.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Website Powered by WordPress.com.

%d bloggers like this: