Are you planning to upgrade to MacOS Big Sur and are a user of the roaming client for MacOS? If so, please continue reading.
If you are an AnyConnect Roaming Security Module user - you are not affected and can stop reading. AnyConnect Umbrella modules are not affected by this issue.
Currently, Cisco is aware of an incompatibility between the Umbrella roaming client (standalone version only, bundled with AnyConnect not affected) and MacOS Big Sur in the presence of an IPv6 address. IPv4-only networks are not affected.
The impact of this issue causes the roaming client to inconsistently apply state, changing frequently between Protected and Unprotected (Checking states).
At this time we cannot recommend upgrading clients to Big Sur until a fix is available due to the ubiquity of IPv6 networks.
At this time there is no immediate solution on Big Sur other than disabling IPv6 temporarily. This issue is due to a core change in the underlying OS. Note that setting IPv6 to local-link only is ineffective as a workaround. This workaround is a significant change which may impact connectivity on some networks.
Cisco Umbrella is targeting Q1 2021 for release of a patched version of the roaming client for MacOS. A release containing a fix is expected in late February 2021.