After AnyConnect 4.8.x is installed with the Umbrella Roaming Security module, endpoints belonging to customers with Umbrella SIG Essentials, the SIG add-on, or an ELA including SIG start forwarding web traffic to Umbrella SWG, with no clear method to disable this behavior.
AnyConnect 4.8 MR1 was the first release to support Umbrella SWG from the endpoint, but rather than shipping with its own installer binary, the SWG Agent was bundled with the same binary that installs the Umbrella Roaming Security Agent. Currently the SWG Agent can be controlled from the Umbrella dashboard, but this is a global setting that affects all endpoint installs. We are working on the ability to manage enabling the SWG Agent on a per-endpoint basis, but as of the time of this writing that feature is not yet available.
Since macOS does not have the ability to control the state of SWG Agent locally, this must be managed using a scripted method. The Cisco Umbrella team has developed two scripts, one to disable SWG Agent and one to enable SWG Agent, which make the state persistent.
The scripts must be executed as root, but no reboot should be required. Upgrading or re-installing AnyConnect will re-enable SWG Agent and the script must be executed again. Scripts can be found attached to the bottom of this article.
Checking the Status of the AnyConnect SWG Agent
To ensure that the status of your AnyConnect SWG Agent is correct:
- Open the Cisco AnyConnect Secure Mobility Client
- Click on "Statistics"
- Scroll down to see "Web Protection Status"