AnyConnect, ISE Posture and MacOS Issues

Network Diver
Level 1

Hello,

We're having loads of fun setting up ISE posturing for securing our AnyConnect VPN remote access. I stumbled across issues with macOS.

Our test environment:

  • AnyConnect 4.10.01075 ... 4.10.03104
  • Compliance Module 4.3.2009.4353
  • ISE 2.7.0.356 patch 5
  • Cisco ASA 9.14(2)15 multi-context on Firepower 2120
  • macOS Catalina 10.15.7 and Big Sur 11.6
  • ISE uses SSL certificates on ports 443 and 8443 signed by our internal CA. The certs have a SAN name and are valid for 13 months; the CA certificate is in the system and login keychains and trusted, and even Chrome does not complain.
  • I unchecked "Block connections to untrusted servers" for VPN and System Scan in AnyConnect.
  • The CA certificates are even in ~/.cisco/certificates/ca and /opt/.cisco/certificates/ca, like on Linux.

On macOS Catalina 10.15.7 the system scan shows a warning about an untrusted certificate. When continuing, the firewall remediation fails due to an untrusted server. Is there a hidden, undocumented place where the posture module expects CA certificates?

On macOS Big Sur 11.6 we don't have that certificate problem, but there the firewall check does not recognize whether the firewall is turned off or on. The check is always green. The malware check also seems not to work.

I didn't want to upgrade yet to ISE 3.0 because the upgrade process is painfully slow and the new oversized-whitespace UI is buggy with rendering.

Any ideas on how to fix this? Thanks in advance,

Bernd


Accepted Solution

Network Diver
Level 1

The certificate issue on macOS Catalina 10.15.7 could be fixed by deleting the CA certificate in the keychain and adding the same one again. Weird. Browsers did not complain about untrusted certs.
