
Avoid Mac OS System keychain prompts when using Anyconnect Cert Auth

RK6975
Level 1

Experts,

We are running into an issue where cert-based auth is prompting users to allow the AnyConnect app to access a system keychain item. While manually "whitelisting" the app in the access-control tab of the private key is an option, we are looking at ways where this can be done programmatically without user intervention. All our devices are already deployed with identity certs in system chain.

Is it possible to remove the existing identity cert and redeploy the certs with the AnyConnect app allowed in the access list for all users?

 

I have tried the workaround mentioned in https://help.duo.com/s/article/4791?language=en_US to avoid the prompts altogether, but it is not working for me.

I also looked at the option of moving the system keychain cert to the login keychain instead, but that is breaking a lot of existing client workflows.

Finally, it looks like there is a way to export and reimport mentioned in https://www.jamf.com/jamf-nation/discussions/10417/keychain-acl-s-scriptable but it is not clear if this has to be done on the user end or can be pushed from GPO.
