Stop Cisco AnyConnect Secure Mobility Client from starting up automatically

Question

So I am currently running:

OS X 10.10.5
Cisco AnyConnect Secure Mobility Client 4.1.04011

I boot up my laptop and AnyConnect is running. I go into Preferences...Users & Groups and remove /Applications/Cisco/Cisco from my list of login items then I quit AnyConnect.

Shut down...turn computer on later and it's back running and it's back in my login items list.

The company I work for only uses AnyConnect for VPN.

Is there a way for me to keep AnyConnect out of my login items list? It's not that I mind it running in the background but if it is it's in my command + tab, etc... and I just find it annoying.

score 44 · Answer 1 · edited Jan 24 '20 at 08:18

44

Removing the following worked for me.

/Library/LaunchAgents/com.cisco.anyconnect.vpnagent.plist
/Library/LaunchDaemons/com.cisco.anyconnect.gui.plist

Update: For macOS Catalina and anyconnect 4.7.x removing this single file seems to be enough:

/Library/LaunchAgents/com.cisco.anyconnect.gui.plist

edited Jan 24 '20 at 08:18

otmezger

400
1
7
19

answered Jan 19 '17 at 17:39

Frank

441
4
2

This prevents AnyConnect from working for me. – Ryan Oct 25 '18 at 11:53
1

My understanding is LaunchDaemons start at boot while LaunchAgents start at login. Can you explain in a little more detail how LaunchDaemons are relevant or if my understanding isn’t correct? – MarcH Feb 14 '19 at 23:03
3

Just removed `com.cisco.anyconnect.gui.plist` from `/Library/LaunchAgents/` worked for me. The GUI does not start any more at login, but I can still start the app when needed. – Henrik Jun 13 '19 at 12:22
3

I can confirm in macOS Catalina that just removing `/Library/LaunchAgents/com.cisco.anyconnect.gui.plist` did the trick. The app does not start automatically but can be started manually without any problem. This is the most elegant solution if you don't want to reinstall again. – otmezger Jan 24 '20 at 07:25
I am on Mojave. There is no subfolder in user names's /Library/LaunchDaemons/ – chikitin Mar 31 '20 at 11:38
If I delete any of these plist files and want them again, where can I get them from? – kapad Jul 28 '20 at 04:38
3

I would say delete it is stupid since as kapad did, you can't bring it back, only by reinstalling it. But, you can edit this file, and change the key's value "RunAtLoad" to false. that's it. – Shai Alon Sep 29 '20 at 18:35
I'm on 12.1 (Monterey) and this solution didn't work anymore. I tried several things, also find/grep of .plists etc. Ultimately the AnyConnect client couldn't start anymore (but until before that, it still started after reboot even if not part of the Login Items). – Marius Hofert Jan 13 '22 at 02:12
Interestingly, there is a key in com.cisco.anyconnect.gui.plist named "RunAtLoad" which is set to "true". I hoped that setting this to "false" would have the desired effect, but at next bootup, anyconnect showed its unwelcome face. Erasing the plist file is the only thing that worked for me. Occasionally, anyconnect updates itself and re-installs the plist file, and I have to erase it again. This is very unfriendly design, but not a surprise from Cisco. – Thagomizer Jan 19 '22 at 19:24
This solved part of the problem for me. I'm using MacOS Monterey 12.5.1. After doing this, anyconnect is not loaded at startup, and I can check in Settings > Network that the Cisco VPN is not working. However, a screen asking for Cisco to monitor my connection keeps appearing. If I reject, there is no problem, and if I accept its VPN starts. What I am missing to remove this annoying window? – Davi Sep 11 '22 at 20:58
After removing the LaunchAgents file and using `launchctl list`, I still can see a single instance with "cisco": `com.cisco.anyconnect.notification` . This should be generating the annoying window that I commented. How to remove it? – Davi Sep 11 '22 at 21:07

MarcH · Answer 2 · 2021-06-11T00:00:02.827

If it's not in "Login Items" then it has to be in launchctl. Always prefer the user interface when there is one rather than messing with files directly:

 launchctl list | grep -i cisco
 launchctl unload -w /Library/LaunchAgents/com.cisco.anyconnect.gui.plist
 launchctl list | grep -i cisco

 # Load it back
 launchctl load -w /Library/LaunchAgents/com.cisco.anyconnect.gui.plist
 launchctl list | grep -i cisco

NB: be careful NOT to run sudo launchctl and NOT to run launchctl from a root terminal, because launchctl is user-dependent. For example, trying to run sudo launchctl unload -w /Library/LaunchAgents/com.cisco.anyconnect.gui.plist results in an error "Could not find specified service", whereas without the sudo it works.

When there's a user interface it's very likely because it does more than just moving one file. Don't take the risk to miss those extra bits; use the official and documented user interface.

launchctl is the equivalent of systemd on Linux or services.msc on Windows. Every mac user should have at least some vague idea of what launchctl does because it manages far more than AnyConnect: basically every process not manually started by the user.

launchctl is documented in (surprise) man launchctl but that's not for the faint of heart. For a friendlier documentation that does not assume you already know the difference between "loading" versus "starting" or between a "daemon" vs a "service" or an "agent" go to http://www.launchd.info/ first.

As a bonus and slightly off-topic answer, here's a clean way to restart the AnyConnect daemon in case it gets stuck as it sometimes does. This is the other, lower-level AnyConnect process(es) without any user interface and running as root that does the actual work:

  sudo launchctl kickstart -kp system/com.cisco.anyconnect.vpnagentd

Avoid kill and killall, see why on http://www.launchd.info/ Be careful where you use sudo since some of the agents and daemons run in user space and some run in system space and different versions of macOS have different syntax and shells.

Now this is a long time coming - what persistence to get a great answer here. Thank you — bmike, Jun 19 '20 at 19:44

score 16 · Answer 3 · answered Nov 03 '15 at 14:46

16

So it would seem that if you only install the VPN client AnyConnect will not autostart.

I uninstalled AnyConnect (version 4.x) then reinstalled doing a custom install. I only installed VPN, I did not install:

Web Security
AMP Enabler
Diagnostics and Reporting Tool
Posture
ISE Posture

Now AnyConnect no longer auto starts (yeah!)

Makes sense I suppose as the other parts that get installed by default are there to "protect" your system.

answered Nov 03 '15 at 14:46

Jason

1,769
1
14
26

Would you be able to tell which of the daemons under Library/LaunchDaemons is there? I'm having the same problem, and I have these: com.cisco.anyconnect.aciseagentd.plist com.cisco.anyconnect.ciscod.plist com.cisco.anyconnect.vpnagentd.plist – Throsby Apr 29 '16 at 19:13
2

This does not work for me using version 4.4. – Anthony Sep 18 '17 at 01:12

Johan Jerming · Answer 4 · 2016-12-07T16:59:13.200

3

Forget about tricky removals of plists and stuff like that, just rename Cisco AnyConnect Secure Mobility Client in Finder, that´s it.

Edit: Strange I got a downvote, because I just tested it myself, and it works without any problems at all. Perhaps not a beautiful solution that addresses the underlaying problem (by design ?), nevertheless... ?

edited Dec 07 '16 at 16:59

answered Dec 07 '16 at 13:20

Johan Jerming

49
4

1

Tricky or not plists are the official and documented way to configure autostart. Instead you recommend breaking Any Connect which can have unintended consequences. – MarcH Feb 14 '19 at 23:08
1

@MarcH how is this breaking it if Johan can still run it? – Mars Sep 30 '19 at 00:59
1

"works for me!" – MarcH Sep 30 '19 at 16:13
1

@mars Cisco has a _lot_ more functionality than showing its GUI. Unless every single functionality and configuration has been extensively tested in this setup, I would still categorize it as "risky". – Fuzzy76 Nov 18 '19 at 08:16
@Fuzzy76 that's a good point. – Mars Nov 19 '19 at 03:18

score 3 · Answer 5 · answered Jun 19 '20 at 17:32

This same topic is discussed on the Cisco forum:

AnyConnect Secure Mobility - Disable the automatic launch on login

https://community.cisco.com/t5/vpn/anyconnect-secure-mobility-disable-the-automatic-launch-on-login/td-p/2062460

The accepted solution there is to set AutoConnectOnStart to false in the "XML Profile" located at /opt/cisco/anyconnect/profile/.

<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>

They provide an example XML profile 137498-AnyConnect.xml, which they claim should stop the app from opening at login:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
    <ClientInitialization>
        <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
        <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
        <ShowPreConnectMessage>false</ShowPreConnectMessage>
        <CertificateStore>All</CertificateStore>
        <CertificateStoreOverride>false</CertificateStoreOverride>
        <ProxySettings>Native</ProxySettings>
        <AllowLocalProxyConnections>false</AllowLocalProxyConnections>
        <AuthenticationTimeout>12</AuthenticationTimeout>
        <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
        <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
        <LocalLanAccess UserControllable="true">false</LocalLanAccess>
        <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
        <AutoReconnect UserControllable="false">true
            <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
        </AutoReconnect>
        <AutoUpdate UserControllable="false">true</AutoUpdate>
        <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
        <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
        <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
        <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
        <PPPExclusion UserControllable="false">Automatic
            <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
        </PPPExclusion>
        <EnableScripting UserControllable="false">false</EnableScripting>
        <EnableAutomaticServerSelection UserControllable="true">false
            <AutoServerSelectionImprovement></AutoServerSelectionImprovement>
            <AutoServerSelectionSuspendTime></AutoServerSelectionSuspendTime>
        </EnableAutomaticServerSelection>
        <RetainVpnOnLogoff>false
        </RetainVpnOnLogoff>
    </ClientInitialization>
</AnyConnectProfile>

score 2 · Answer 6 · answered Nov 02 '15 at 23:04

This has been driving me crazy. I finally discovered the 3 plist files that appear to control this in /Library/LaunchDaemons. But I couldn't change the RunAtLoad parameter to false, because even after I changed the file permissions I couldn't save the plist files. I finally changed the folder permissions to read and write and applied those changes to the contained items, and at last I've been able to edit and save. I'll know for sure after the next reboot ... something I'll do in a few days because starting up again takes forever.

score 1 · Answer 7 · edited Nov 04 '17 at 13:01

1

I managed to stop the client from launching at startup.

I achieved this by just moving the folder Cisco from Applications to any other location, let's say for instance Desktop: sudo mv /Applications/Cisco/ /Users/{your-user}/Desktop/Cisco

I think it has nothing to do with the destination folder. Just moving it from the Applications folder is enough to stop the process that starts it from finding it.

edited Nov 04 '17 at 13:01

Monomeeth

63,349
14
147
188

answered Nov 04 '17 at 12:55

pleonasmik

119
2

As [above](https://apple.stackexchange.com/questions/202296/stop-cisco-anyconnect-secure-mobility-client-from-starting-up-automatically#comment461924_263905): "breaking Any Connect which can have unintended consequences" – jalanb Feb 05 '21 at 20:18

score 0 · Answer 8 · answered Oct 27 '16 at 08:53

It is not the permission of the file itself that prevents you from editing, it is the permission of the containing folder. Then, you should not change the permissions of such system files for security reasons. But it is easy to edit these files: Simply copy them to some other place where you have permission to write to files, e.g. the Desktop, and edit the files there. Then move them back in with replacing option and authenticating as an administrator and the file is edited.

However, I do not see those three files you seem to mention. I find on my system only 'com.cisco.anyconnect.ciscod.plist' and 'com.cisco.anyconnect.vpnagentd.plist' in the directory '/Library/LaunchAgents'. Perhaps more importantly, while setting in these two files the parameter 'RunAtLoad' to 'false' indeed prevents the annoying reinstallation of the application 'Cisco AnyConnect Secure Mobility Client.app' as a login item after a restart, it also makes the vpn in general disfunctional.

Has anyone found actually a solution?

Stop Cisco AnyConnect Secure Mobility Client from starting up automatically

8 Answers8

AnyConnect Secure Mobility - Disable the automatic launch on login

Linked