Problem
After AnyConnect 4.8.x is installed with the Umbrella Roaming Security module, endpoints belonging to customers with Umbrella SIG Essentials, the SIG add-on, or an ELA that includes SIG start forwarding DNS traffic and web traffic to the Umbrella Roaming Security Module and SWG, with no clear method to disable this behavior.
AnyConnect 4.8 MR1 was the first release to support Umbrella SWG from the endpoint, but rather than the SWG Agent having its own binary to install from, it was bundled with the same binary that installs Umbrella Roaming Security Agent. Currently the SWG Agent can be controlled from the Umbrella dashboard, but this is a global setting that affects all endpoint installs. SWG selective sync can now be completed in the dashboard, 100 at a time.
Solution
Since macOS does not have the ability to control the state of the Roaming Security Module and the SWG Agent locally, this must be managed using a scripted method. The Cisco Umbrella team has developed a few scripts: to disable the SWG Agent, to enable the SWG Agent, to disable the Roaming Security Module, and to enable the Roaming Security Module. The scripts make the state persistent.
The scripts must be executed as root, but no reboot should be required. Upgrading or re-installing AnyConnect will re-enable the Roaming Security Module and the SWG Agent, and the script must be executed again. Scripts can be found attached to the bottom of this article.
Checking the Status of the AnyConnect RSM Agent
To ensure that the status of your AnyConnect RSM Agent is correct:
- Open the Cisco AnyConnect Secure Mobility Client
- Click on "Statistics"
- Scroll down to see "DNS Protection Status"
* Note: disabling the Umbrella Roaming Security Module also disables the SWG agent, since the SWG agent is dependent on the Umbrella Roaming Security Module.
Checking the Status of the AnyConnect SWG Agent
To ensure that the status of your AnyConnect SWG Agent is correct:
- Open the Cisco AnyConnect Secure Mobility Client
- Click on "Statistics"
- Scroll down to see "Web Protection Status"
Scripts usage
To run the scripts on macOS:
1. Make sure the script has sufficient privileges, especially write privilege.
You can edit the script's privileges from the macOS Terminal using a command such as:
chmod 777 umbrella_swg_disable.sh
2. To run the script, use a command such as:
sudo ./umbrella_swg_disable.sh
Sample successful output:
Note: Additional scripts have been added for macOS 13+ with Secure Client version 5.1.X.XXX and later, and for macOS prior to 13 with Secure Client 5.0.x.
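A pre-flight check for steps 1 and 2 under "Scripts usage", as an added example that is not one of the Cisco scripts: because the file is executed as root, it confirms the script is executable and reports whether group or other users can modify it. The function name check_script_perms is hypothetical; the file name in the usage comment is the one shown in the steps.

```sh
#!/bin/sh
# Added example, not one of the Cisco scripts. check_script_perms is a
# hypothetical helper name.
#
# Exit status: 0 = executable and not writable by group or others
#              1 = missing or not executable
#              2 = group or other users can modify the file
check_script_perms() {
    script=$1

    if [ ! -f "$script" ]; then
        echo "missing: $script" >&2
        return 1
    fi
    if [ ! -x "$script" ]; then
        echo "not executable: $script" >&2
        return 1
    fi

    # -perm -020 / -perm -002 match when the group / other write bit is set.
    # This syntax is accepted by both BSD find (macOS) and GNU find.
    loose=$(find "$script" -prune \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$loose" ]; then
        echo "writable by group or others: $script" >&2
        return 2
    fi
    return 0
}

# Usage with the file name from the steps above:
#   check_script_perms ./umbrella_swg_disable.sh && sudo ./umbrella_swg_disable.sh
```

A file left at mode 777 returns 2 from this check; mode 755 returns 0 and still allows the `sudo` invocation in step 2.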