Solved: Re: Anyconnect 4.8 won't install on Mac Yosemite or Mavericks. Options to prevent update?

dmooreami · ‎01-29-2020

I was under the impression that the 4.8 A/C for mac would work with any version of the OS. It won't upgrade or install on 10.9 or 10.10. Yes, I realize this OS is around 10 years old. Version 4.5 has not problems, but I still need to support

Catalina 10.15.

How can I setup A/C on the ASA running 9.8.x to give out 4.5 to 10.9/10.10 and 4.8 to 10.15? Is this possible?

Francesco Molino · ‎01-30-2020

Yes you'll need to have multiple profile.
Hostscan will run posture policies but won't help you in managing multiple anyconnect images with the same os for multiple versions of this os.

If you can upgrade your mac then it will be the best solution.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Francesco Molino · ‎01-29-2020

Hi

Anyconnect 4.8 supports macos 10.13 and higher (https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect48/release/notes/b_Release_Notes_AnyConnect_4_8.html#topic_6E4CD8245873424A87FF809DA5247A93)

What do you mean to give out? Just to confirm. You mean to auto deploy the package on macos?

I understand you need to support old macos, but do you need them to auto install the anyconnect package? If not, you can put the newest package for new macos and disable auto update in the xml file to avoid older mac to update their client. Does that make sense?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

dmooreami · ‎01-29-2020

Thanks for the response.
Yes, I need to keep the old macs on 4.5 and not have them upgrade when they "connect" via AnyConnect.

You mention the XML file, but the XML file from a/c is overwritten upon each connect, correct?

How to I modify the old 10.9 and 10.10 a/c on the macs so they don't try to upgrade their existing a/c client?

I still want the mac's that work with 4.8 to be able to update/upgrade when we put a newer version of 4.8 out. Possible? Or is it an "all" or "none" with the "disable auto update". FYI, I have Windows 10 machines also, so keep that in mind (disable of auto update). They are not having issues with 4.8, but will need them the auto update also.

Got a link here on cisco or another site that can expand on that?
Thanks!

Francesco Molino · ‎01-29-2020

The way I'm thinking at it is having 2 policies. 1 pushing xml config file with no update for old mac 1 policy with auto update for new mac and windows.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

dmooreami · ‎01-30-2020

From what I understand, a policy would have to be associated with a profile. that profile would have to manually selected upon login via the drop down box. Pretty sure you can't get hostscan to return the OS version and then execute a policy from that result. That would be the best solution.

Something tells me this is a losing battle and the most simple solution is to get anyone on 10.8 or 10.9 upgraded to something that will support 4.8. and if the hardware won't then they need newer hardware.

Or will be forced to use IPsec via the macOS.

Francesco Molino · ‎01-30-2020

Yes you'll need to have multiple profile.
Hostscan will run posture policies but won't help you in managing multiple anyconnect images with the same os for multiple versions of this os.

If you can upgrade your mac then it will be the best solution.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

dmooreami · ‎01-31-2020

Agreed, OS upgrade make more sense. Or have Mac go IPsec with built-in vpn client.
No easy way to keep Anyconnect 4.5 automatically on old Mac's while 4.8 is needed for the "masses". :)