1password / Cisco AnyConnect VPN / New 15" MBPr with TouchBar

Are any of you admins of your respective VPN or have admins that would be willing to share the details of their VPN config with Apple/Cisco?

I'm hoping we're able to get them a VPN configuration where they can reproduce the issue and resolve this properly.

Rudy

@rcurran: While it doesn't make any kind of sense to me, I'm glad that helped in your case! :chuffed:

@rcurran: I think that would probably be overkill, but essentially the utility just automates some command line repair operations on folder and file permissions to make sure they're all set correctly so 1Password can function properly. This is really only necessary if something is broken, and it's not convenient to do all the time since it requires admin rights. Cheers! :)

Hi @rcurran,

Also wanted to note that it seems if you use the 1password troubleshooting utility and repair permissions right before you launch, you're good to go while on vpn.

You're running Repair Permissions from the 1Password Troubleshooting app after connecting to the VPN and before opening 1Password? Thanks for clarifying this. :)

A big part of the difference between the 1Password Troubleshooting Tool and Disk Utility is that the former is doing a much more limited reset, while the latter is going through more of the system that isn't related to 1Password. Frankly, I'd be more curious what the VPN is changing that 1Password needs to reset. Cheers! :)

@rcurran: It's possible, and I've checked with our diagnostics guy in charge of the utility so he should know. But I guess my concern is that this shouldn't be necessary. Something is making this change if you're having to undo it repeatedly. It seems more important to stop the guy from knifing you, rather than continuing to bandage the wound.

@rcurran

The repair permissions button shouldn't do anything at all for the VPN. It only touches files/folders for 1Password.

1. It makes sure the ~/Library/Application Support/1Password folder exists. This is for 1Password 3 only, not 4 through 6.
2. It makes sure that folder has read and write permission for the current user account
3. Makes sure that folder is owned by the current user
4. Makes sure ~/Library/ScriptingAdditions/ exists
5. chmod 700's that folder
6. Makes sure it's owned by the current user
7. Removes extended attributes from that folder
8. Does similar things for our old 1Password 2 and 3 binary extensions (no longer in use)
9. Does the same things for our 1Password 3 agent

Nothing in there does anything for 1Password 6 because 1Password 6 doesn't use a Launch Agent, it doesn't use Scripting Additions, and it's folder is ~/Library/Application Support/1Password 4/ (or another folder inside the ~/Library/Containers/ folder if you're on MAS.

All of these are able to be done by the current user, not an admin. Any admin related changes will require the use of sudo, which we don't use in this case.

I suspect that this is a red herring and while it might appear to be fixing something, there's no logical reason that it does after looking at the actions that button does.

For anyone who is curious here's the actual code

This will be removed in an upcoming revamp of the diagnostics tool as it's completely irrelevant to 1Password 4 and on. Most of my work at this point has consisted of gathering data about 1Password not the UI side of things. Some upcoming under the hood changes to 1Password for Mac will reduce the amount of logging we do by default and due to this change I will be rewriting the UI for the diagnostics utility and taking the opportunity to remove old and out-dated stuff such as this.

Hope that helps explain things but I see absolutely no reason for why that button fixes anything for you because it only impacts 1Password 3 related things.

Thank you for testing that and letting us know, @digitalskies! To be honest, we're not sure why that works for you and rcurran (as Kyle explained, the Repair Permissions button doesn't do anything for 1Password 6), but I'm glad to hear you're able to use that as a workaround. A proper fix will still need to come from Cisco (or possibly Apple), or perhaps there's a configuration for the VPN that will help. But it's good to know there are options for working around the problem in the meantime! :)

@rcurran, do you mean you disabled the Touch ID option and are now unlocking 1Password by typing your master password? If so, 1Password isn't making an API call to macOS to find out if Touch ID is available, and therefore it isn't getting caught up in the interference from the VPN software. But I may have misunderstood what you meant.

@digitalskies,

It is definitely still calling the API to see if Touch ID is available. the only thing turning Touch ID off on the security tab would do is hide the Touch ID unlock UI in the main window.

Rudy

@pushxtonotdie,

Just to give everyone an update. Cisco has a fix out for this issue in their build #: 4.4.2039

Rudy

Ack. Well, at least it's progress! Please let us know how you get along. :lol: