@jasmas
Last active April 30, 2024 11:03
umbrellactl: Bash script to check status, enable or disable Cisco Umbrella Roaming Security Module for AnyConnect on MacOS
#!/usr/bin/env bash

# Directory from which Cisco Secure Client loads its plugin libraries
PLUGIN_BASE='/opt/cisco/secureclient/bin/plugins'

read -r -d '' USAGE << EGASU
Usage: $(basename "$0") [-s|-e|-d|-h]
    -s, --status    Print Umbrella Roaming Security module status
    -e, --enable    Enable Umbrella Roaming Security module
    -d, --disable   Disable Umbrella Roaming Security module
    -h, --help      Show this message.
EGASU

# Check plugin status, return 0 if enabled, 1 if disabled
function check_status {
    [[ -f "$PLUGIN_BASE/libacumbrellaapi.dylib" ]] &&
    [[ -f "$PLUGIN_BASE/libacumbrellactrl.dylib" ]] &&
    [[ -f "$PLUGIN_BASE/libacumbrellaplugin.dylib" ]]
}

# Check if plugin disabled by utility, return 0 if yes, 1 if no
function verify_plugin_disabled {
    [[ -f "$PLUGIN_BASE/disabled/libacumbrellaapi.dylib" ]] &&
    [[ -f "$PLUGIN_BASE/disabled/libacumbrellactrl.dylib" ]] &&
    [[ -f "$PLUGIN_BASE/disabled/libacumbrellaplugin.dylib" ]]
}

# Disable plugin by moving its libraries out of the load directory
function disable_plugin {
    sudo mkdir -p "$PLUGIN_BASE/disabled"
    sudo mv -f "$PLUGIN_BASE/libacumbrellaapi.dylib" "$PLUGIN_BASE/libacumbrellactrl.dylib" "$PLUGIN_BASE/libacumbrellaplugin.dylib" "$PLUGIN_BASE/disabled"
}

# Enable plugin by moving its libraries back into the load directory
function enable_plugin {
    sudo mv -f "$PLUGIN_BASE/disabled/libacumbrellaapi.dylib" "$PLUGIN_BASE/disabled/libacumbrellactrl.dylib" "$PLUGIN_BASE/disabled/libacumbrellaplugin.dylib" "$PLUGIN_BASE/"
}

case "$1" in
    '-s'|'--status')
        check_status &&
            echo "Umbrella Roaming Security Module for AnyConnect is ENABLED." ||
            echo "Umbrella Roaming Security Module for AnyConnect is DISABLED."
        exit 0
        ;;
    '-e'|'--enable')
        verify_plugin_disabled &&
            enable_plugin &&
            echo "Umbrella Roaming Security Module for AnyConnect has been ENABLED." &&
            exit 0 ||
            echo "ERROR: Umbrella Roaming Security Module for AnyConnect can only be enabled if it has previously been disabled by this utility."
        exit 1
        ;;
    '-d'|'--disable')
        # Exit 0 on success so callers can tell a successful disable from a failure
        check_status &&
            disable_plugin &&
            echo "Umbrella Roaming Security Module for AnyConnect has been DISABLED." &&
            exit 0 ||
            echo "ERROR: Umbrella Roaming Security Module for AnyConnect does not appear to be enabled."
        exit 1
        ;;
    '-h'|'--help')
        echo "$USAGE"
        exit 0
        ;;
    *)
        echo "$USAGE"
        exit 1
        ;;
esac
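
A read-only status check for fleet or compliance use, which separates states that the script's -s option reports together as DISABLED: libraries moved to disabled/, libraries missing altogether, and a partly moved set. This is an added example, not part of the gist; the function name, the state names and the optional directory argument are assumptions, while the default path and library names are the ones used in the script above.

```shell
#!/usr/bin/env bash
# Added example: classify the Umbrella plugin state without changing anything.
# Needs no sudo; it only tests for the presence of files.

# Library names taken from the script above.
UMBRELLA_LIBS="libacumbrellaapi.dylib libacumbrellactrl.dylib libacumbrellaplugin.dylib"

# Print one of: enabled, disabled, absent, partial.
#   enabled  - all libraries in the plugin directory, none in disabled/
#   disabled - all libraries parked in disabled/ (what --disable produces)
#   absent   - no libraries in either place (module not installed or removed)
#   partial  - any other mix, e.g. an interrupted move or a manual edit
# $1 = plugin directory (hypothetical parameter; defaults to the script's path)
umbrella_plugin_state() {
    local base="${1:-/opt/cisco/secureclient/bin/plugins}"
    local lib active=0 parked=0 total=0
    for lib in $UMBRELLA_LIBS; do
        total=$((total + 1))
        if [ -f "$base/$lib" ]; then
            active=$((active + 1))
        fi
        if [ -f "$base/disabled/$lib" ]; then
            parked=$((parked + 1))
        fi
    done
    if [ "$active" -eq "$total" ] && [ "$parked" -eq 0 ]; then
        echo enabled
    elif [ "$active" -eq 0 ] && [ "$parked" -eq "$total" ]; then
        echo disabled
    elif [ "$active" -eq 0 ] && [ "$parked" -eq 0 ]; then
        echo absent
    else
        echo partial
    fi
}

# Report the state of the directory given as argument, or of the default path.
umbrella_plugin_state "$@"
```

Anything other than "enabled" on a managed Mac is worth a closer look, and "partial" in particular means the files were changed by something other than a clean --disable or --enable run.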

jasmas commented Oct 10, 2023

I prefer to keep the code in disabling the system extension. Otherwise it will remain loaded and still technically be in path - even with the service and VPN disconnected. You can verify this with 'systemextensionctl list' which will show it as loaded. When you run the deactivate command, it unloads the extension and shows it will be removed at reboot. I've tested and confirmed you can enable, disable, enable, disable without reboots, you will just end up with a list of disabled instances of the socket filter that will all be cleared on the next reboot.
Otherwise everything is still running through the socket filter. Even if it is not actively filtering.


inglenny commented Feb 7, 2024

Cisco Umbrella 5.1.x on macOS seems to behave differently:
The pkg no longer installs launchdaemons into /Library/LaunchDaemons.

To stop you need to execute:

sudo /usr/bin/osascript -e 'quit app "Cisco Secure Client - AnyConnect VPN Service.app"'
sudo /usr/bin/open -W -a "/opt/cisco/secureclient/bin/Cisco Secure Client - AnyConnect VPN Service.app" --args uninstall
sudo "/Applications/Cisco/Cisco Secure Client - Socket Filter.app/Contents/MacOS/Cisco Secure Client - Socket Filter" -deactivateExt

To start you need to execute:

sudo open -a "/opt/cisco/secureclient/bin/Cisco Secure Client - AnyConnect VPN Service.app"

source: https://support.umbrella.com/hc/en-us/articles/230561067-Umbrella-Roaming-Client-Manually-Disabling-or-Restarting
