Solved: Re: AnyConnect 4.7.00136 creates local user called ciscoacvpnmcuser

HugoAmaro · ‎01-17-2019

Hi all,

After migrating to anyconnect 4.7.00136, we noticed that it created a local user in our AD with the name ciscoacvpnmcuser.

Does anyone knows why and is the safe to delete?

Thanks,

Hugo Amaro

pcarco · ‎01-29-2019

This is directly related to the new Management Tunnel Feature in 4.7

The 4.7 installer will also create a low-privileged user account (ciscoacvpnmcuser), to be used for running the MC (management connection) and downloader processes with limited privileges during a management tunnel connection.
This account (along with the associated user profile directory) will be removed during uninstall

Feature Description:

"Management VPN Tunnel-(Requires ASDM 7.10.1) Ensures connectivity to the corporate network whenever the client system is powered up, not just when a VPN connection is established by the end user.

This feature allows patch management on systems which may not come in to the office frequently. Endpoint OS login scripts requiring corporate network connectivity will also benefit from this feature."

Source: Release notes

If you never plan on using this feature you can remove it although if you change your mind there may be some difficulty having this account created one again

Best regards,

Paul

AC TME

View solution in original post

stsargen · ‎01-17-2019

See response from pcarco below.

harta13 · ‎01-25-2019

We also just started rolling out the AnyConnect Client 4.7.00.136 and it is in fact creating a local user on the workstation after installation. Can anyone provide any documentation as to the function of this account? I have found if I disable the user I am still able to connect to our VPN but it is very discerning to see a user account being created with no warning from Cisco.

It is not creating an account in Active Directory but is very much creating a Local user on the workstations.

pcarco · ‎01-29-2019

This is directly related to the new Management Tunnel Feature in 4.7

The 4.7 installer will also create a low-privileged user account (ciscoacvpnmcuser), to be used for running the MC (management connection) and downloader processes with limited privileges during a management tunnel connection.
This account (along with the associated user profile directory) will be removed during uninstall

Feature Description:

"Management VPN Tunnel-(Requires ASDM 7.10.1) Ensures connectivity to the corporate network whenever the client system is powered up, not just when a VPN connection is established by the end user.

This feature allows patch management on systems which may not come in to the office frequently. Endpoint OS login scripts requiring corporate network connectivity will also benefit from this feature."

Source: Release notes

If you never plan on using this feature you can remove it although if you change your mind there may be some difficulty having this account created one again

Best regards,

Paul

AC TME

HugoAmaro · ‎01-30-2019

Thanks Paul.

Marvin Rhoads · ‎01-31-2019

Good to know @pcarco - thanks for jumping in on this one.

pcarco · ‎01-31-2019

You are welcome. I am working with the development and documentation teams to have this information added to the release notes and guides so that its not such a surprise moving forward.

Best regards,

Paul

AC TME

jmflores@trends.com.ph · ‎05-07-2019

Hi. I have iinstalled anyconnect for posture purposes. By removing this user, will it affect my posture checking for Cisco ISE?

Marvin Rhoads · ‎05-07-2019

Removing the user will not affect the ability to use ISE-based posture feature with AnyConnect.