@jasmas
Last active April 30, 2024 11:03
umbrellactl: Bash script to check status, enable or disable Cisco Umbrella Roaming Security Module for AnyConnect on MacOS
#!/usr/bin/env bash
# umbrellactl: check, enable or disable the Umbrella Roaming Security module
# by moving its plugin libraries in or out of the client's plugin directory.

PLUGIN_BASE='/opt/cisco/secureclient/bin/plugins'

read -r -d '' USAGE << EGASU
Usage: $(basename "$0") [-s|-e|-d|-h]

    -s, --status    Print Umbrella Roaming Security module status
    -e, --enable    Enable Umbrella Roaming Security module
    -d, --disable   Disable Umbrella Roaming Security module
    -h, --help      Show this message.
EGASU

# Check plugin status, return 0 if enabled, 1 if disabled
function check_status {
    [[ -f "$PLUGIN_BASE/libacumbrellaapi.dylib" ]] &&
    [[ -f "$PLUGIN_BASE/libacumbrellactrl.dylib" ]] &&
    [[ -f "$PLUGIN_BASE/libacumbrellaplugin.dylib" ]]
}

# Check if plugin disabled by utility, return 0 if yes, 1 if no
function verify_plugin_disabled {
    [[ -f "$PLUGIN_BASE/disabled/libacumbrellaapi.dylib" ]] &&
    [[ -f "$PLUGIN_BASE/disabled/libacumbrellactrl.dylib" ]] &&
    [[ -f "$PLUGIN_BASE/disabled/libacumbrellaplugin.dylib" ]]
}

# Disable plugin: move the three libraries into a "disabled" subdirectory
function disable_plugin {
    sudo mkdir -p "$PLUGIN_BASE/disabled" &&
    sudo mv -f "$PLUGIN_BASE/libacumbrellaapi.dylib" \
               "$PLUGIN_BASE/libacumbrellactrl.dylib" \
               "$PLUGIN_BASE/libacumbrellaplugin.dylib" \
               "$PLUGIN_BASE/disabled"
}

# Enable plugin: move the three libraries back into the plugin directory
function enable_plugin {
    sudo mv -f "$PLUGIN_BASE/disabled/libacumbrellaapi.dylib" \
               "$PLUGIN_BASE/disabled/libacumbrellactrl.dylib" \
               "$PLUGIN_BASE/disabled/libacumbrellaplugin.dylib" \
               "$PLUGIN_BASE/"
}

case "$1" in
    '-s'|'--status')
        if check_status; then
            echo 'Umbrella Roaming Security Module for AnyConnect is ENABLED.'
        else
            echo 'Umbrella Roaming Security Module for AnyConnect is DISABLED.'
        fi
        exit 0
        ;;
    '-e'|'--enable')
        if verify_plugin_disabled && enable_plugin; then
            echo 'Umbrella Roaming Security Module for AnyConnect has been ENABLED.'
            exit 0
        fi
        echo 'ERROR: Umbrella Roaming Security Module for AnyConnect can only be enabled if it has previously been disabled by this utility.'
        exit 1
        ;;
    '-d'|'--disable')
        if check_status && disable_plugin; then
            echo 'Umbrella Roaming Security Module for AnyConnect has been DISABLED.'
            # Report success; the original fell through to "exit 1" here
            exit 0
        fi
        echo 'ERROR: Umbrella Roaming Security Module for AnyConnect does not appear to be enabled.'
        exit 1
        ;;
    '-h'|'--help')
        echo "$USAGE"
        exit 0
        ;;
    *)
        echo "$USAGE"
        exit 1
        ;;
esac
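
For endpoint monitoring, the on-disk layout the script above manipulates can be checked directly. The following is an added example, not part of the gist: it classifies the plugin directory as enabled, disabled, partial or absent, including the mixed state that the gist's own two checks do not distinguish. The function names and state labels are hypothetical; the default path and the library names are the ones used in the script.

```sh
#!/bin/sh
# Added example (not the gist author's code). Paths and library names come
# from the gist; function names and state labels are hypothetical.

UMBRELLA_LIBS='libacumbrellaapi.dylib libacumbrellactrl.dylib libacumbrellaplugin.dylib'

# Print one of: enabled, disabled, partial, absent.
# $1 = plugin directory (defaults to the gist's PLUGIN_BASE).
umbrella_plugin_state() {
    base=${1:-/opt/cisco/secureclient/bin/plugins}
    active=0
    parked=0
    total=0
    for lib in $UMBRELLA_LIBS; do
        total=$((total + 1))
        [ -f "$base/$lib" ] && active=$((active + 1))
        [ -f "$base/disabled/$lib" ] && parked=$((parked + 1))
    done
    if [ "$active" -eq "$total" ] && [ "$parked" -eq 0 ]; then
        echo enabled      # all libraries in place, nothing in disabled/
    elif [ "$active" -eq 0 ] && [ "$parked" -eq "$total" ]; then
        echo disabled     # the layout "umbrellactl -d" leaves behind
    elif [ "$active" -eq 0 ] && [ "$parked" -eq 0 ]; then
        echo absent       # module not installed under this path
    else
        echo partial      # some libraries moved, or copies in both places
    fi
}

# Compliance-style wrapper: prints the state and returns 0 only when the
# module is fully in place, so it can gate a posture check.
umbrella_plugin_audit() {
    state=$(umbrella_plugin_state "$1")
    echo "Umbrella plugin state: $state"
    [ "$state" = enabled ]
}
```
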
@jasmas
Author

jasmas commented Aug 1, 2017

To install on MacOS open Terminal and run:

$ cd /usr/local/bin
$ curl -LO https://git.io/umbrellactl
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   218  100   218    0     0   2566      0 --:--:-- --:--:-- --:--:--  2595
$ chmod 755 umbrellactl
$ umbrellactl
Usage: umbrellactl [-s|-e|-d|-h]

    -s, --status    Print Umbrella Roaming Security module status
    -e, --enable    Enable Umbrella Roaming Security module
    -d, --disable   Disable Umbrella Roaming Security module
    -h, --help      Show this message.
$

The rest should explain itself.

@singhay

singhay commented May 29, 2021

You sir, are a life saver!

@wcarty

wcarty commented Nov 3, 2021

Thank you so much

@brishtiteveja

Thank you so much :)

@bmustata

Thank you!

@zackramjan

excellent

@futandrew

Easy to use! Thanks

@attiss

attiss commented Jan 5, 2023

Since AnyConnect has been renamed to Secure Client, Cisco has changed the path.

-       PLUGIN_BASE='/opt/cisco/anyconnect/bin/plugins'
+       PLUGIN_BASE='/opt/cisco/secureclient/bin/plugins'
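
Review bot: the new PLUGIN_BASE value replaces the old path outright, so the script stops finding the libraries on machines that still have the client installed under /opt/cisco/anyconnect. Consider choosing whichever of the two directories exists, for example testing `[ -d /opt/cisco/secureclient/bin/plugins ]` first and falling back to the anyconnect path, and printing a clear error when neither is present.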

@jasmas
Author

jasmas commented Mar 8, 2023

Updated

@jasmas
Author

jasmas commented Mar 8, 2023

Since the client began loading a socket filter system extension, I have a different preferred method.

vpnagentd can be disabled and the system extension unloaded with a script like the following:

#!/bin/sh

echo Disabling vpnagentd...
sudo launchctl disable system/com.cisco.anyconnect.vpnagentd
echo Tearing down vpnagentd...
sudo launchctl bootout system /Library/LaunchDaemons/com.cisco.anyconnect.vpnagentd.plist
echo Deactivating Cisco AnyConnect Socket Filter Extension...
/Applications/Cisco/Cisco\ AnyConnect\ Socket\ Filter.app/Contents/MacOS/Cisco\ AnyConnect\ Socket\ Filter -deactivateExt

In order to use the VPN client again, you only have to re-enable vpnagentd:

#!/bin/sh

echo Enabling vpnagentd...
sudo launchctl enable system/com.cisco.anyconnect.vpnagentd
echo Bootstrapping vpnagentd...
sudo launchctl bootstrap system /Library/LaunchDaemons/com.cisco.anyconnect.vpnagentd.plist

@jonathanhle

jonathanhle commented May 12, 2023

Since the client began loading a socket filter system extension, I have a different preferred method.

vpnagentd can be disabled and the system extension unloaded with a script like the following:

#!/bin/sh

echo Disabling vpnagentd...
sudo launchctl disable system/com.cisco.anyconnect.vpnagentd
echo Tearing down vpnagentd...
sudo launchctl bootout system /Library/LaunchDaemons/com.cisco.anyconnect.vpnagentd.plist
echo Deactivating Cisco AnyConnect Socket Filter Extension...
/Applications/Cisco/Cisco\ AnyConnect\ Socket\ Filter.app/Contents/MacOS/Cisco\ AnyConnect\ Socket\ Filter -deactivateExt

In order to use the VPN client again, you only have to re-enable vpnagentd:

#!/bin/sh

echo Enabling vpnagentd...
sudo launchctl enable system/com.cisco.anyconnect.vpnagentd
echo Bootstrapping vpnagentd...
sudo launchctl bootstrap system /Library/LaunchDaemons/com.cisco.anyconnect.vpnagentd.plist

I took your two scripts and put them into one with an "on" or "off" option. Works great for me.

#!/bin/sh

if [ -z "$1" ]; then
    echo "Usage: $0 [on|off]"
    exit 1
fi

if [ "$1" = "off" ]; then
    echo "Disabling vpnagentd..."
    sudo launchctl disable system/com.cisco.anyconnect.vpnagentd
    echo "Tearing down vpnagentd..."
    sudo launchctl bootout system /Library/LaunchDaemons/com.cisco.anyconnect.vpnagentd.plist
#    echo "Deactivating Cisco AnyConnect Socket Filter Extension..."
#    /Applications/Cisco/Cisco\ AnyConnect\ Socket\ Filter.app/Contents/MacOS/Cisco\ AnyConnect\ Socket\ Filter -deactivateExt
elif [ "$1" = "on" ]; then
    echo "Enabling vpnagentd..."
    sudo launchctl enable system/com.cisco.anyconnect.vpnagentd
    echo "Bootstrapping vpnagentd..."
    sudo launchctl bootstrap system /Library/LaunchDaemons/com.cisco.anyconnect.vpnagentd.plist
else
    echo "Invalid option. Usage: $0 [on|off]"
    exit 1
fi

@jasmas
Author

jasmas commented Oct 10, 2023

I prefer to keep the code in disabling the system extension. Otherwise it will remain loaded and still technically be in path - even with the service and VPN disconnected. You can verify this with 'systemextensionctl list' which will show it as loaded. When you run the deactivate command, it unloads the extension and shows it will be removed at reboot. I've tested and confirmed you can enable, disable, enable, disable without reboots; you will just end up with a list of disabled instances of the socket filter that will all be cleared on the next reboot.
Otherwise everything is still running through the socket filter, even if it is not actively filtering.

@inglenny

inglenny commented Feb 7, 2024

Cisco Umbrella 5.1.x on macOS seems to behave differently:
The pkg no longer installs launchdaemons into /Library/LaunchDaemons.

To stop you need to execute:

sudo /usr/bin/osascript -e 'quit app "Cisco Secure Client - AnyConnect VPN Service.app"'
sudo /usr/bin/open -W -a "/opt/cisco/secureclient/bin/Cisco Secure Client - AnyConnect VPN Service.app" --args uninstall
sudo "/Applications/Cisco/Cisco Secure Client - Socket Filter.app/Contents/MacOS/Cisco Secure Client - Socket Filter" -deactivateExt

To start you need to execute:

sudo open -a "/opt/cisco/secureclient/bin/Cisco Secure Client - AnyConnect VPN Service.app"

source: https://support.umbrella.com/hc/en-us/articles/230561067-Umbrella-Roaming-Client-Manually-Disabling-or-Restarting
