Migrating to Cisco Secure Client 5

Cisco has announced the end-of-life for Cisco AnyConnect Secure Mobility Client 4 as March 31, 2024. Over the next year, customers should move to its replacement: Cisco Secure Client 5.

While Cisco Secure Client 5 will upgrade AnyConnect 4.x in-place, this action is more of a migration than an in-place upgrade because so many of the places have changed. Names, file paths, icons, and launch agents & daemons are all different.

Bundle identifiers and Cisco’s Team ID have remained the same, thankfully. Therefore, system extension approvals and login item management (based on Team ID) should work without changes.

Here’s an in-depth look at the changes, comparing AnyConnect 4.10.06090 and Secure Client 5.0.02075.

The Application

“Cisco AnyConnect Secure Mobility Client” is the full formal name of AnyConnect 4 and earlier. “Cisco Secure Client” could be seen as a simplification of that name, but it’s also quite generic. I tend to search for “AnyConnect” in Spotlight to launch that client, and I will have to retrain myself.

Applications in /Applications/Cisco are renamed as follows:

| AnyConnect 4.10 name | Secure Client 5 name |
|---|---|
| Cisco AnyConnect Secure Mobility Client.app | Cisco Secure Client.app |
| Cisco AnyConnect DART.app | Cisco Secure Client – DART.app |
| Cisco AnyConnect Socket Filter.app | Cisco Secure Client – Socket Filter.app |
| Uninstall AnyConnect.app | Uninstall Cisco Secure Client.app |
| Uninstall AnyConnect DART.app | Uninstall Cisco Secure Client – DART.app |

Obviously these new names change the path to any files contained within. The executables are also renamed, but the bundle identifiers are the same as AnyConnect 4.10. The renamed apps all have updated icons, and icons within the client also have an updated look.

Installation

In AnyConnect 4.10, the disk image file had a name patterned like:
anyconnect-macos-4.10.z-predeploy-k9.dmg
In Secure Client 5, it’s now:
cisco-secure-client-macos-5.y.z-predeploy-k9.dmg

Inside the disk image, the package is now named Cisco Secure Client.pkg rather than AnyConnect.pkg.

The Profiles folder is still present on the disk image and, after converting the dmg to read-write, can be used to seed profiles and configuration for the different AnyConnect Secure Client modules.

Speaking of the modules, many customers do not install all the modules and need to customize their installation with a choice changes XML file. The default XML is still generated with a command like installer -showChoiceChangesXML -pkg "/Volumes/Cisco Secure Client 5.0.02075/Cisco Secure Client.pkg", but the critical thing to know here is that the names of the choices are updated to reflect some branding changes.

| AnyConnect 4.10 choice | Secure Client 5 choice |
|---|---|
| choice_vpn | choice_anyconnect_vpn |
| choice_fireamp | choice_fireamp |
| choice_dart | choice_dart |
| choice_posture | choice_secure_firewall_posture |
| choice_iseposture | choice_iseposture |
| choice_nvm | choice_nvm |
| choice_umbrella | choice_secure_umbrella |
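
The renames in this table can be applied to an existing choice changes file mechanically. The script below is an added example, not code from the original post: the function names and the embedded sample file are constructed for illustration, and it also reports any identifier that is not a Secure Client 5 name.

```shell
#!/bin/sh
# Added example, not from the original post: move a 4.10 choice changes file
# to the Secure Client 5 identifiers listed in the table above.

# Secure Client 5 choice names, copied from the table.
SC5_CHOICES="choice_anyconnect_vpn choice_fireamp choice_dart \
choice_secure_firewall_posture choice_iseposture choice_nvm choice_secure_umbrella"

# Rewrite the three renamed identifiers. Matching the whole <string> element
# means only an exact identifier value is touched, and a second run is a no-op.
migrate_choices() {
    sed \
        -e 's|<string>choice_vpn</string>|<string>choice_anyconnect_vpn</string>|g' \
        -e 's|<string>choice_posture</string>|<string>choice_secure_firewall_posture</string>|g' \
        -e 's|<string>choice_umbrella</string>|<string>choice_secure_umbrella</string>|g' \
        "$1"
}

# Print every choice_* identifier in the file that is not a Secure Client 5 name.
stale_choices() {
    sed -n 's|.*<string>\(choice_[a-z0-9_]*\)</string>.*|\1|p' "$1" | sort -u |
    while read -r c; do
        case " $SC5_CHOICES " in
            *" $c "*) ;;
            *) echo "$c" ;;
        esac
    done
}

# Constructed sample input: a 4.10-era choice changes plist with three entries.
sample_410_choices() {
    cat <<'EOF'
<plist version="1.0"><array>
  <dict><key>attributeSetting</key><integer>1</integer>
        <key>choiceAttribute</key><string>selected</string>
        <key>choiceIdentifier</key><string>choice_vpn</string></dict>
  <dict><key>attributeSetting</key><integer>0</integer>
        <key>choiceAttribute</key><string>selected</string>
        <key>choiceIdentifier</key><string>choice_dart</string></dict>
  <dict><key>attributeSetting</key><integer>0</integer>
        <key>choiceAttribute</key><string>selected</string>
        <key>choiceIdentifier</key><string>choice_posture</string></dict>
</array></plist>
EOF
}
```

Running stale_choices against the migrated file before deployment should print nothing; any output is an identifier that still needs attention.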

Changes in /opt

AnyConnect and Secure Client both install resources in /opt. The main change here is that where AnyConnect used /opt/cisco/anyconnect and /opt/cisco/hostscan, Secure Client uses /opt/cisco/secureclient. /opt/cisco/hostscan is moved to /opt/cisco/secureclient/securefirewallposture.

The new /opt paths change the path of every built-in uninstall script, but none more so than
/opt/cisco/anyconnect/bin/anyconnect_uninstall.sh
which is now
/opt/cisco/secureclient/bin/cisco_secure_client_uninstall.sh

(Ok I write that and then I realize that
/opt/cisco/hostscan/bin64/posture_uninstall.sh
is now
/opt/cisco/secureclient/securefirewallposture/bin64/posture_uninstall.sh)

VPN profiles can now be placed in /opt/cisco/secureclient/vpn/profile if they weren’t supplied during package installation.

The command-line VPN client is now /opt/cisco/secureclient/bin/vpn.

Launch Agents/Daemons

Launch Agents and Daemons have updated labels and paths to reflect the new product name. (The labels were slightly different than shown here in the initial 5.0.00556 release but were made more consistent in 5.0.01242.)

| Launch Agents 4.10 | Launch Agents 5.0 |
|---|---|
| com.cisco.anyconnect.gui | com.cisco.secureclient.gui |
| com.cisco.anyconnect.aciseposture | com.cisco.secureclient.iseposture |
| com.cisco.anyconnect.notification | com.cisco.secureclient.notification |

| Launch Daemons 4.10 | Launch Daemons 5.0 |
|---|---|
| com.cisco.anyconnect.ciscod64 | com.cisco.secureclient.ciscod64 |
| com.cisco.anyconnect.vpnagentd | com.cisco.secureclient.vpnagentd |

The 5.0 Launch Agents/Daemons use macOS 13’s new AssociatedBundleIdentifiers key to match them with applications.

Kernel extension

The (deprecated) kernel extension is now installed in /Library/Application Support/Cisco/Cisco Secure Client.

Migration considerations

  • Cisco’s disk image and package will perform a migration. It will uninstall AnyConnect components, move configuration files, etc.
  • Repackaging Cisco Secure Client will skip the built-in migrations of the factory package.
  • A significant risk, and one of the primary reasons I call this a migration, is that when Cisco Secure Client is installed, Cisco AnyConnect should not be re-installed. Updating the logic in one’s device management that determines if AnyConnect should be (re-)installed is critical. For example, a Jamf Smart Group that scopes AnyConnect install policies needs to be updated to exclude Macs with Cisco Secure Client installed.
  • Any scripting around AnyConnect, including custom inventory items, needs to be audited and updated to deal with the new file paths and possibly handle both old and new paths.
  • Custom choice changes XML files must be updated to match the new choice names listed above.
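
One way to handle both old and new paths in an inventory script, as an added example that is not from the original post: the function classifies a Mac from the /opt and /Applications/Cisco paths listed above. The root argument and the state labels (AnyConnect4, SecureClient5, Mixed, None) are assumptions made for illustration; the last line prints the result in Jamf extension attribute form.

```shell
#!/bin/sh
# Added example, not from the original post: report which Cisco VPN client
# generation is present, using the paths named in this post.

# $1 is a hypothetical root prefix (default "/") so the logic can be run
# against a constructed directory tree as well as a live system.
cisco_client_state() {
    root="${1:-/}"
    root="${root%/}"        # "/" becomes "", "/tmp/x/" becomes "/tmp/x"
    old=0
    new=0

    # AnyConnect 4.x markers
    for p in \
        "/opt/cisco/anyconnect" \
        "/opt/cisco/hostscan" \
        "/Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app"
    do
        if [ -e "${root}${p}" ]; then old=1; fi
    done

    # Secure Client 5 markers
    for p in \
        "/opt/cisco/secureclient" \
        "/Applications/Cisco/Cisco Secure Client.app"
    do
        if [ -e "${root}${p}" ]; then new=1; fi
    done

    case "${old}${new}" in
        11) echo "Mixed" ;;          # leftovers from 4.x next to 5
        01) echo "SecureClient5" ;;
        10) echo "AnyConnect4" ;;
        *)  echo "None" ;;
    esac
}

# Extension attribute style output for the live system.
echo "<result>$(cisco_client_state /)</result>"
```

A group that scopes AnyConnect install policies can then exclude any Mac reporting SecureClient5 or Mixed.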

Good luck with your migration!

I have written a new script for installing Cisco Secure Client 5. In my next post, I’ll describe how it handles the user side of this migration.
