Cisco Secure Client in January 2024

Since the last time I wrote, Cisco Secure Client continues to evolve. Here’s a survey of important changes since 5.0.02075 that affect Mac Admins.

New modules

Cisco has added three new modules to Secure Client:

| Name | Installer choice identifier | New in |
|---|---|---|
| ThousandEyes | choice_thousandeyes | 5.0.05040 |
| Duo | choice_duo | 5.1.0.136 |
| Zero Trust Access | choice_zta | 5.1.0.136 |

ThousandEyes installs components in /Applications/Cisco and in /opt/cisco. It can be uninstalled with
/Applications/Cisco/Cisco Secure Client - ThousandEyes Endpoint Agent.app/Contents/Resources/uninstall.sh

Duo installs Duo Desktop.app in /Applications and does not appear to have an uninstaller.

Zero Trust Access installs components only in /opt/cisco and can be uninstalled by
/opt/cisco/secureclient/bin/zta_uninstall.sh

Version numbering

Cisco Secure Client 5.1 has a revised version numbering scheme. There are now four dot-separated integers and no leading zeros.

There have only been two releases of CSC 5.1 thus far, and it remains to be seen what numbers will be incremented when. If I had to guess at the scheme, I’d say it’s: <major>.<minor>.<maintenance>.<build>

Bundle identifiers

In my last article on this topic, I was thankful that Cisco hadn’t changed any of the bundle identifiers when renaming from AnyConnect to Secure Client. Reader Søren Theilgaard wrote in to let me know that some of them now have. 😞

The following bundle identifiers have changed:

| App | Was | Now |
|---|---|---|
| Cisco Secure Client.app | com.cisco.anyconnect.gui | com.cisco.secureclient.gui |
| Cisco Secure Client - DART.app | com.cisco.anyconnect.dart | com.cisco.secureclient.dart |
| Uninstall Cisco Secure Client.app | com.cisco.anyconnect.uninstaller | com.cisco.secureclient.uninstaller |
| Cisco Secure Client - Web Browser.app | com.cisco.anyconnect.acwebhelper | com.cisco.secureclient.acwebhelper |
| Cisco Secure Client - Notification.app | com.cisco.anyconnect.notification | com.cisco.secureclient.vpn.notification |

Bundle identifiers for Cisco Secure Client - ThousandEyes Endpoint Agent.app and Cisco Secure Client - Socket Filter.app, including the system extension, have not changed.

Launch Daemons/Agents

Oh, boy. This is the most problematic of the changes. Three of the five Launch Daemons and Agents have moved into various application bundles. Starting in macOS Ventura 13, applications can include Launch Daemons and Agents inside an app bundle and register them when the app is run[1].

Having placed the plists for these daemons and agents in application bundles, Cisco has updated the package’s postinstall script to copy them back to /Library on macOS 12 and earlier[2].

com.cisco.secureclient.gui.plist

The launch agent for the GUI client has moved into the Cisco Secure Client.app bundle. The change makes sense in the macOS 13 login item paradigm. Users that connect to VPN are familiar with opening the app. Opening the app allows the launch agent to be registered.

The launch agent’s label (com.cisco.secureclient.gui) is unchanged from 5.0.

com.cisco.secureclient.vpn.notification.plist and com.cisco.secureclient.vpn.service.agent.plist

The notification agent and VPN service daemon are bundled in the new /opt/cisco/secureclient/bin/Cisco Secure Client - AnyConnect VPN Service.app. The package’s postinstall script attempts to launch this app as the logged-in user. Of course, there may not be a logged-in user. In fact, if Cisco Secure Client 5.1.1.42 is installed while no one is logged in, the VPN Agent does not start. Cisco has a bug (CSCwi20597) for this. Both the bug record and the release notes say this is fixed in 5.1.1.42, but I and others can still reproduce it[3].

Fortunately, there are multiple workarounds:

Workaround 1: Install Cisco Secure Client only when a user is logged in. This may mean changing one’s provisioning process, or checking for a logged-in user before installation.

Workaround 2: Automatically or manually run /opt/cisco/secureclient/bin/Cisco Secure Client - AnyConnect VPN Service.app as a logged-in user.

Workaround 3: As suggested in the bug record, revert to the old way of installing the LaunchDaemon:

sudo cp /opt/cisco/secureclient/bin/Cisco\ Secure\ Client\ -\ AnyConnect\ VPN\ Service.app/Contents/Resources/com.cisco.secureclient.vpnagentd.plist /Library/LaunchDaemons/
sudo launchctl bootstrap system /Library/LaunchDaemons/com.cisco.secureclient.vpnagentd.plist
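The following is an added example, not Cisco's postinstall script: a root-run script that picks Workaround 2 when a real user owns the console and falls back to Workaround 3 otherwise. It assumes the paths given above and the usual scutil output format for State:/Users/ConsoleUser (Name and UID lines, with Name set to loginwindow when nobody is logged in).

```shell
#!/bin/sh
# Added example (not Cisco's code). Run as root, e.g. from a package postinstall,
# with --apply; without arguments it only dry-runs the decision logic.
set -u

VPN_SERVICE_APP="/opt/cisco/secureclient/bin/Cisco Secure Client - AnyConnect VPN Service.app"
VPNAGENTD_PLIST="$VPN_SERVICE_APP/Contents/Resources/com.cisco.secureclient.vpnagentd.plist"
DAEMON_DEST="/Library/LaunchDaemons/com.cisco.secureclient.vpnagentd.plist"

# Read scutil output for State:/Users/ConsoleUser on stdin and print "uid:name"
# for a logged-in user; print nothing when loginwindow (uid 0) owns the console,
# which is the case where the 5.1.1.42 installer leaves vpnagentd unstarted.
parse_console_user() {
  awk '/^[[:space:]]*Name :/ { name = $3 }
       /^[[:space:]]*UID :/  { uid = $3 }
       END { if (name != "" && name != "loginwindow" && uid != "" && uid != "0")
               print uid ":" name }'
}

# Map the parser result to an action so the decision can be checked offline.
choose_workaround() {
  if [ -n "$1" ]; then echo "launch-app"; else echo "bootstrap-daemon"; fi
}

apply_workaround() {
  user="$(echo "show State:/Users/ConsoleUser" | scutil | parse_console_user)"
  case "$(choose_workaround "$user")" in
    launch-app)
      # Workaround 2: open the service app inside the console user's GUI session.
      uid="${user%%:*}"; name="${user#*:}"
      launchctl asuser "$uid" sudo -u "$name" open -a "$VPN_SERVICE_APP"
      ;;
    bootstrap-daemon)
      # Workaround 3: install the daemon plist the pre-5.1 way and load it.
      cp "$VPNAGENTD_PLIST" "$DAEMON_DEST"
      launchctl bootstrap system "$DAEMON_DEST"
      ;;
  esac
}

# Constructed scutil output (not captured from a real Mac) for the dry run.
SAMPLE_LOGINWINDOW='<dictionary> {
  Name : loginwindow
  UID : 0
}'

if [ "${1:-}" = "--apply" ]; then
  apply_workaround
else
  user="$(echo "$SAMPLE_LOGINWINDOW" | parse_console_user)"
  echo "dry run with constructed loginwindow state: $(choose_workaround "$user")"
fi
```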

However, none of these workarounds will work well if the new labels are not managed by a Managed Login Items configuration profile. (I largely manage login items by Team ID and did not have to make any changes.)

| 5.0 label | 5.1 label |
|---|---|
| com.cisco.secureclient.notification | com.cisco.secureclient.vpn.notification |
| com.cisco.secureclient.vpnagentd | com.cisco.secureclient.vpn.service.agent |

Notifications

Cisco Secure Client 5.1 finally uses macOS native notifications[4]. Native notifications are tasteful, stack up, respond to Focus modes and Do Not Disturb, and administrators can control them with a configuration profile. The bundle identifier to use in such a profile is the new com.cisco.secureclient.gui.

That change is almost worth the price of admission.


  1. I could (and probably should) write a lot more about this change. For now I’ll keep my comments to the issues in the current CSC installer.
  2. Cisco Secure Client 5.1 supports macOS 11 and later.
  3. I’ve opened a TAC case with Cisco.
