Sophos Endpoint and Cisco AnyConnect network extension incompatibility (breaks Safari WebSocket connections and other software)

Question

We are facing a problem when both Sophos Endpoint and Cisco AnyConnect VPN Secure Mobility Client are installed on the same MacOS Big Sur 11.1 system. Safari cannot connect and web socket, other programs (e.g. Adobe Cloud Sync) fail too. 
 Steps to reproduce: 
 
 Clean macOS Big Sur 11.1 (20C69) install 
 Install Sophos Endpoint 10.0.2 and Cisco AnyConnect SMC 4.9.04043. 
 Approve System Extensions and Content Filters interactively or through MDM configuration profiles using Jamf Pro (doesn't make any difference) 
 Verified that System Extensions are all loaded properly and Content Filters are running accordingly to vendor documentation. ( systemextensionsctl list ) 
 Open web.whatsapp.com or connectivity-test.asana.com in Safari. 
 Issue persist regardless of an active VPN network connection or not. 
 
 Expected behaviour: 
 
 Site opens and loads contents, reports successful WebSocket connection. 
 
 Actual behaviour: 
 
 WebSocket network error: OSStatus Error -9810: Internal error 
 
 Notes: 
 
 Uninstalling either Network Extension by using the terminal commends systemextensionsctl uninstall 2H5GFH3774 com.sophos.endpoint.networkextension or systemextensionsctl uninstall DE8Y96K9QP com.cisco.anyconnect.macos.acsockext fixes the issue temporarily until next restart. 
 Uninstalling either software immediately eliminates the issue. 
 It has been reported in Apple Developer forums that the problem may be originated when any NETransparentProxyProvider and NEFilterDataProvider run together on the system (same app or not). 
 
 References: Cisco: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/upgrade/AnyConnect_macOS_BigSur_Advisory.html#_Toc52277855 
 Apple: https://developer.apple.com/forums/thread/667962

David Lancaster · Accepted Answer

In the meantime we can suggest trying a temporary workaround of disabling the features that rely on the network extension. This will leave file based protections in place. 
 In the central amend, or create new, policies to disable: 
 
 Threat Protection

Real-time Scanning - Internet 
 
 Scan downloads in progress 
 Block access to malicious websites

Remediation
 
 Enable threat case creation 
 Protect network traffic

Web Control
 
 Disable Web Control

Once the features are disabled rebooting the machine will ensure the network extension is not loaded.

David Lancaster · Answer

I'm pleased to say that macOS 11.2 appears to have fixed the problem. The team tested with Cisco AnyConnect v4.9 and with a custom own NEFilterDataProvider on macOS 11.2 and have confirmed web sockets worked correctly.

David Lancaster · Answer

Hi Rene, 
 Thanks for the detailed feedback. 
 The development team has been able to repro and can confirm as the issue referred to in the developer forum - we'll engage with Apple to see if there's a workaround or an OS fix coming. 
 You mentioned other apps such as Adobe Cloud Sync, are you able to provide more information on the apps that were having issues? 
 Thanks again.

Sophos Endpoint and Cisco AnyConnect network extension incompatibility (breaks Safari WebSocket connections and other software)

Top Replies