Configuration Profile creation and signing with settings for Cisco Secure Client


Instructions taken and modified from this Cisco document 


     


Copy the following full text before beginning:


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

      <!-- Configuration profile for Cisco Secure Client (AnyConnect) on macOS.
           PayloadContent holds three payloads: a kernel-extension policy, a
           system-extension policy and a content-filter definition. The keys
           after the array are the profile-level metadata. Everything here is
           read by the OS / Jamf Pro; XML comments are ignored by plist parsers. -->
      <dict>

      <key>PayloadContent</key>

      <array>

            <!-- Payload 1: kernel-extension policy.
                 Allows the Cisco kext listed below to load. -->
            <dict>

                  <!-- true: users may additionally approve kernel extensions that
                       are NOT listed in this profile. Set to <false/> if only the
                       extensions allowed here should be loadable; keep the choice
                       deliberate, as it widens what a local user can enable. -->
                  <key>AllowUserOverrides</key>

                  <true/>

                  <key>AllowedKernelExtensions</key>

                  <dict>

                        <!-- Key is the Apple Team Identifier of the signer (Cisco);
                             the array lists the bundle identifiers permitted for that
                             team. The same Team ID appears as subject.OU in the
                             designated requirement of the content-filter payload. -->
                        <key>DE8Y96K9QP</key>

                        <array>

                        <string>com.cisco.kext.acsock</string>

                        </array>

                  </dict>

                  <key>PayloadDescription</key>

                  <string></string>

                  <key>PayloadDisplayName</key>

                  <string>AnyConnect Kernel Extension</string>

                  <key>PayloadEnabled</key>

                  <true/>

                  <!-- PayloadIdentifier and PayloadUUID must be unique per payload.
                       If you derive another profile from this one, generate fresh
                       UUIDs rather than reusing these values for a different payload. -->
                  <key>PayloadIdentifier</key>

                  <string>37C29CF2-A783-411D-B2C7-100EDDFBE223</string>

                  <key>PayloadOrganization</key>

                  <string>Cisco Systems, Inc.</string>

                  <key>PayloadType</key>

                  <string>com.apple.syspolicy.kernel-extension-policy</string>

                  <key>PayloadUUID</key>

                  <string>37C29CF2-A783-411D-B2C7-100EDDFBE223</string>

                  <key>PayloadVersion</key>

                  <integer>1</integer>

            </dict>

            <!-- Payload 2: system-extension policy.
                 Allows the Cisco system extension listed below to be activated. -->
            <dict>

                  <!-- Same consideration as in the kernel-extension payload: true lets
                       users approve system extensions not listed here. -->
                  <key>AllowUserOverrides</key>

                  <true/>

                  <key>AllowedSystemExtensions</key>

                  <dict>

                        <!-- Team Identifier (Cisco) -> permitted system-extension bundle IDs. -->
                        <key>DE8Y96K9QP</key>

                        <array>

                        <string>com.cisco.anyconnect.macos.acsockext</string>

                        </array>

                  </dict>

                  <key>PayloadDescription</key>

                  <string></string>

                  <key>PayloadDisplayName</key>

                  <string>AnyConnect System Extension</string>

                  <key>PayloadEnabled</key>

                  <true/>

                  <key>PayloadIdentifier</key>

                  <string>A8364220-5D8D-40A9-Af66-1Fbfef94E116</string>

                  <key>PayloadOrganization</key>

                  <string>Cisco Systems, Inc.</string>

                  <key>PayloadType</key>

                  <string>com.apple.system-extension-policy</string>

                  <key>PayloadUUID</key>

                  <string>A8364220-5D8D-40A9-Af66-1Fbfef94E116</string>

                  <key>PayloadVersion</key>

                  <integer>1</integer>

            </dict>

            <!-- Payload 3: content filter (network extension) definition.
                 Registers the Cisco system extension as the filter data provider. -->
            <dict>

                  <key>Enabled</key>

                  <true/>

                  <key>AutoFilterEnabled</key>

                  <false/>

                  <key>FilterBrowsers</key>

                  <false/>

                  <!-- FilterSockets true / FilterPackets false: only the socket-level
                       (filter data provider) part of the extension is enabled. -->
                  <key>FilterSockets</key>

                  <true/>

                  <key>FilterPackets</key>

                  <false/>

                  <key>FilterType</key>

                  <string>Plugin</string>

                  <!-- Grade of the filter as defined by Apple's content-filter payload
                       keys; leave as supplied by Cisco. -->
                  <key>FilterGrade</key>

                  <string>firewall</string>

                  <key>PayloadDescription</key>

                  <string></string>

                  <key>PayloadDisplayName</key>

                  <string>Cisco AnyConnect Content Filter</string>

                  <key>PayloadIdentifier</key>

                  <string>com.apple.webcontent-filter.339Ec532-9Ada-480A-Bf3D-A535F0F0B665</string>

                  <key>PayloadType</key>

                  <string>com.apple.webcontent-filter</string>

                  <key>PayloadUUID</key>

                  <string>339Ec532-9Ada-480A-Bf3D-A535F0F0B665</string>

                  <key>PayloadVersion</key>

                  <integer>1</integer>

                  <!-- Bundle identifier of the system extension that provides the filter;
                       must match the extension allowed in Payload 2. -->
                  <key>FilterDataProviderBundleIdentifier</key>

                  <string>com.cisco.anyconnect.macos.acsockext</string>

                  <!-- Code-signing requirement the filter provider must satisfy before the
                       OS hands it traffic: the bundle identifier above, a chain anchored at
                       Apple, and a leaf certificate whose subject.OU is Cisco's Team ID
                       DE8Y96K9QP. This is the security-critical value of the profile:
                       do not loosen it. If Cisco changes the extension's signing identity,
                       take the updated requirement from Cisco's published profile. -->
                  <key>FilterDataProviderDesignatedRequirement</key>

                  <string>anchor apple generic and identifier "com.cisco.anyconnect.macos.acsockext" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP)</string>

                  <!-- Bundle identifier of the host application for the filter plugin. -->
                  <key>PluginBundleID</key>

                  <string>com.cisco.anyconnect.macos.acsock</string>

                  <key>UserDefinedName</key>

                  <string>Cisco AnyConnect Content Filter</string>

            </dict>

      </array>

      <!-- Profile-level metadata. -->
      <key>PayloadDescription</key>

      <string></string>

      <key>PayloadDisplayName</key>

      <string>Approved AnyConnect System and Kernel Extensions</string>

      <key>PayloadEnabled</key>

      <true/>

      <!-- Unique identifier and UUID for the profile as a whole; regenerate both if
           you create a different profile from this template. -->
      <key>PayloadIdentifier</key>

      <string>A401Bdc2-4Ab1-4406-A143-11F077Baf52B</string>

      <key>PayloadOrganization</key>

      <string>Cisco Systems, Inc.</string>

      <!-- true: the profile cannot be removed by the user once installed. -->
      <key>PayloadRemovalDisallowed</key>

      <true/>

      <!-- System scope: installs at the device level, not per user. -->
      <key>PayloadScope</key>

      <string>System</string>

      <key>PayloadType</key>

      <string>Configuration</string>

      <key>PayloadUUID</key>

      <string>A401Bdc2-4Ab1-4406-A143-11F077Baf52B</string>

      <key>PayloadVersion</key>

      <integer>1</integer>

</dict>

</plist>



  1. Paste the above full text into BBEdit

  2. Save as Cisco Secure Client configuration profile.mobileconfig



Create a Signing Certificate to sign the configuration profile

The configuration profile now needs to be signed because Jamf Pro will modify manually-created configuration profiles if they are not signed. I followed the instructions from this blog post to do so. Specifically, I did the procedure under the section entitled “Signing Profiles for Trust Only by Jamf-enrolled Clients”


  1. Create a Certificate Signing Request (CSR) on one of your Jamf Pro client computers so that “...the certificate trust chain is complete.”

    1. Open Keychain Access/Keychain Access menu/Certificate Assistant/Request a Certificate from a Certificate Authority

    2. Enter an email address to use

    3. Name the certificate “Configuration Profile Signing Certificate”

    4. Choose the “Save to disk” radio button

    5. Save to ~/Downloads

      1. It will be named CertificateSigningRequest.certSigningRequest. The name you initially typed in for it was only for use by Keychain Access, and that’s the name you’ll find it has within Keychain Access.

      2. You’ll now have two items in your login keychain:

        1. Configuration Profile Signing Certificate - public key

        2. Configuration Profile Signing Certificate - private key

  2. Create the final Signing Certificate using Jamf Pro

    1. Open the CSR file in a text editor (I use BBEdit)

    2. Copy full text to clipboard

    3. Go to Jamf Pro/Settings/Global Management/PKI Certificates/Management Certificate Template tab

    4. Click Create Certificate from CSR

    5. Paste the full text into the popup window

    6. Choose Web Server Certificate in the drawdown menu

    7. Click Create

      1. A file will download to your Downloads folder named C=US,CN=Configuration Profile Signing Certificate,E=evacchio@saes.org.pem (the E= field is the email address you entered in the CSR)

      2. JAMF PRO WILL HANG AT THIS POINT. JUST CLICK SOME OTHER LINK AND IT WILL RETURN TO NORMAL

    8. Open the .pem file

    9. Choose “login” keychain from the dropdown

    10. Click Add

      1. A third item is now added to your login keychain: 

        1. Configuration Profile Signing Certificate - the certificate itself

          1. this is the final signing certificate we need to use



Sign the configuration profile

  1. Open Terminal

  2. /usr/bin/security cms -S -N Configuration\ Profile\ Signing\ Certificate -i ~/Downloads/Cisco\ AnyConnect\ configuration\ profile.mobileconfig -o ~/Downloads/Cisco\ AnyConnect\ configuration\ profile\ SIGNED.mobileconfig

  3. Enter your login password when prompted so that security can use the signing certificate’s private key. The signed configuration profile is written to your Downloads folder; the -i path must match the name you gave the file when you saved it.



Upload configuration profile to Jamf Pro

  1. Click Jamf Pro/Computers/Configuration Profiles/Upload

  2. Point it to your configuration profile

  3. Click Upload

  4. Click Save

  5. Jamf Pro names this configuration profile something like “Approved Secure Client System and Kernel Extensions” and it is READ ONLY (because it is signed), so you cannot rename it. DO NOT MAKE IT EDITABLE - when you go to save it again Jamf can and may well modify the file, which we do NOT want.