Configuring Cisco AnyConnect VPN when using Android for Work

Without certificate authentication

When certificates are not used for authentication, use App Configuration when adding Cisco AnyConnect as a public app.

  1. Navigate to Apps & Books > List View > Public.
  2. Select Add Application and select Android from the Platform field.
  3. Search Cisco AnyConnect and click the +Select button to add.
  4. Enable Send Application Configuration under the Assignment tab. Parameters supported by AnyConnect are shown.
  5. Assign and deploy the application.


With certificate authentication

When using certificates to configure Cisco AnyConnect, use the custom XML profile. You must configure the Credential profile prior to creating the custom XML profile.

To create a credential profile:

  1. Navigate to Devices > Profiles & Resources > Profiles > Add > Add Profile > Android > Android for Work.
  2. Configure the General profile settings including the name for the profile and assign it to smart group(s).
  3. Select the Credentials tab and upload the necessary certificates.
  4. Select Save & Publish to distribute the certificates to devices.


Retrieving the certificate alias:

  1. Navigate to Devices > Profiles & Resources > Profiles.
  2. Select the Credentials profile created from the previous steps, and select XML.
  3. In the XML, make a note of the certificate UDID value; this is the certificate alias used when building the custom XML. If the Credential payload contains multiple certificates, each certificate has its own unique UDID.


Create the custom XML profile:

  1. Navigate to Devices > Profiles & Resources > Profiles > Add > Add Profile > Android > Android for Work.
  2. Configure the General profile settings including the name for the profile and assign it to smart group(s).
  3. Paste the following XML in the Custom Settings profile:

     <characteristic type="com.airwatch.android.androidwork.app:com.cisco.anyconnect.vpn.android.avf"
                     uuid="f80d169f-601e-41a0-a7fb-7db9982e0126">
         <parm name="vpn_connection_name" value="{VPN_NAME}" type="string" />
         <parm name="vpn_connection_host" value="{VPN_HOSTNAME}" type="string" />
         <parm name="vpn_connection_protocol" value="vpn_connection_protocol_ssl" type="choice" />
         <parm name="vpn_connection_keychain_cert_alias" value="{UUID_FROM_XML}" type="certificate-alias" />
         <parm name="vpn_connection_perapp" value="com.android.chrome,com.boxer.email" type="string" />
         <parm name="vpn_setting_fips_mode" value="False" type="boolean" />
         <parm name="vpn_setting_strict_mode" value="False" type="boolean" />
         <parm name="vpn_setting_certificate_revocation" value="False" type="boolean" />
     </characteristic>

  4. Make the following changes to the XML:
    • Replace {VPN_NAME} and {VPN_HOSTNAME} with the name of the VPN configuration (e.g. ACME VPN) and the hostname that Cisco AnyConnect should connect to (e.g. acme.ciscovpn.com).
    • Replace {UUID_FROM_XML} with the certificate UDID noted in the previous step.
    • In the line <parm name="vpn_connection_perapp" value="com.android.chrome,com.boxer.email" type="string" />, the value "com.android.chrome,com.boxer.email" is an example of how apps are whitelisted for per-app VPN. List the package names of all apps that should use the per-app VPN, separated by commas. If per-app VPN is not being used, remove this line from the XML.
  5. Save & Publish the profile.
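As an added example (not from the article, VMware or Cisco), the following Python helper fills the custom XML template above from the values gathered in the steps and lints the result before Save & Publish: leftover {PLACEHOLDER} tokens, malformed per-app package names, and the strict-mode and certificate-revocation settings that the template leaves at False. The package-name pattern, the findings wording and the sample values are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Custom settings XML from the article, verbatim; build_profile() fills the placeholders.
TEMPLATE = """\
<characteristic type="com.airwatch.android.androidwork.app:com.cisco.anyconnect.vpn.android.avf" uuid="f80d169f-601e-41a0-a7fb-7db9982e0126">
  <parm name="vpn_connection_name" value="{VPN_NAME}" type="string" />
  <parm name="vpn_connection_host" value="{VPN_HOSTNAME}" type="string" />
  <parm name="vpn_connection_protocol" value="vpn_connection_protocol_ssl" type="choice" />
  <parm name="vpn_connection_keychain_cert_alias" value="{UUID_FROM_XML}" type="certificate-alias" />
  <parm name="vpn_connection_perapp" value="com.android.chrome,com.boxer.email" type="string" />
  <parm name="vpn_setting_fips_mode" value="False" type="boolean" />
  <parm name="vpn_setting_strict_mode" value="False" type="boolean" />
  <parm name="vpn_setting_certificate_revocation" value="False" type="boolean" />
</characteristic>
"""
PLACEHOLDER = re.compile(r"\{[A-Z_]+\}")                  # any {TOKEN} left unreplaced
PACKAGE = re.compile(r"^[a-z][a-z0-9_]*(\.[a-z0-9_]+)+$")  # assumed shape of an Android package name

def _parms(root):
    return {p.get("name"): p for p in root.findall("parm")}

def build_profile(vpn_name, hostname, cert_alias, per_app=()):
    """Fill the template; an empty per_app means per-app VPN is unused, so that parm is dropped."""
    root = ET.fromstring(TEMPLATE)
    parms = _parms(root)
    parms["vpn_connection_name"].set("value", vpn_name)   # ElementTree escapes &, <, " for us
    parms["vpn_connection_host"].set("value", hostname)
    parms["vpn_connection_keychain_cert_alias"].set("value", cert_alias)
    if per_app:
        parms["vpn_connection_perapp"].set("value", ",".join(per_app))
    else:
        root.remove(parms["vpn_connection_perapp"])
    return ET.tostring(root, encoding="unicode")

def lint_profile(xml):
    """Return the findings to clear before Save & Publish (empty list means clean)."""
    findings = []
    if PLACEHOLDER.search(xml):
        findings.append("unreplaced placeholder: " + ", ".join(sorted(set(PLACEHOLDER.findall(xml)))))
    parms = _parms(ET.fromstring(xml))
    if "vpn_connection_perapp" in parms:
        bad = [p for p in parms["vpn_connection_perapp"].get("value").split(",") if not PACKAGE.match(p)]
        if bad:
            findings.append("per-app VPN list has invalid package names: " + ",".join(bad))
    # The article's template leaves these two checks off; surface that so it is a deliberate choice.
    for name in ("vpn_setting_strict_mode", "vpn_setting_certificate_revocation"):
        if parms[name].get("value") == "False":
            findings.append(f"warning: {name} is False")
    return findings
```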
