Configure Anyconnect PerApp VPN for iOS with Meraki System Manager

Available Languages

Download Options

  • PDF     (3.4 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (3.2 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.7 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:February 28, 2023
Document ID:220259

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure PerApp VPN on Apple iOS devices managed by Meraki Mobile Device Manager (MDM), System Manager (SM).

    Prerequisites

    Requirements

    • AnyConnect v4.0 Plus or Apex license.
    • ASA 9.3.1 or later to support Per App VPN.
    • Cisco Enterprise Application Selector tool available on Cisco.com

    Components Used

    The information in this document is based on these software versions:

    • ASA 5506W-X version 9.15(1)10
    • iPad iOS version 15.1

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    This document does not include the listed processes:

    • SCEP CA Configuration on Systems Manager for client certificate generation
    • PKCS12 client certificate generation for the iOS clients

    Configure

    Step 1. Register iOS Device to Meraki Systems Manager

    1.1. Navigate to Systems Manager > Add Devices

    SM - Dashboard

    1.2. Click on the iOS option to start the enrollment.

    Device enrollment type

    1.3. Enroll the device via internet browser or scan the QR code with the camera. In this document, the camera was used for the enrollment process.

    Enrollment menu for iOS device

    1.4. When the QR code is recognized by the camera, select the Open "meraki.com" in Safari notification that pops up.

    Enrollment menu view from iPad

    1.5. When prompted, select Register.

    Enrollment process

    1.6. Select Allow in order to allow the device to download the MDM profile.

    Enrollment process to grant access to download

    1.7. Select Close to complete the download.

    Enrollment process - download complete

    1.8. Navigate to the iOS Settings App and locate the Profile Downloaded option in the left pane and select the Meraki Management section.

    Enrollment process - profile selection

    1.9. Select the Install option to install the MDM profile.

    Enrollment process - profile installation

    1.10. You must grant the access to Install the SM application.

    SM approval

    1.11. Open the recently downloaded application called Meraki MDM located in the home screen.

    SM view from iOS main menu

    1.12. Verify all the statuses have a green tick that confirms the enrollment is in complete.

    SM compliance

    Step 2. Setup Managed Apps

    In order to setup the Tunneled Apps for PerApp later in this document, you need to manage those same applications via SM. In this configuration example, Firefox is intended to be tunneled via Per App, hence it is added to the managed Apps.

    2.1. Navigate to Systems Manager > Manage > Apps in order to add the managed apps.

    SM device configuration

    2.2. Select the Add app option.

    SM add managed apps

    2.3. Select the type of application (App Store app, Custom, B2B) based on where the app is stored. Select Next once it is selected.

    In this example the app is stored publicly in the App Store.

    SM add managed app

    2.4. When prompted, search for the desired application and select the region from where the application is downloaded from. Select Save once the app is selected.

    Note: If the country does not match the Apple account's region, the user may experience problems with the application.

    SM select managed ap

    2.5. Click Save once you select all the desired applications.

    Step 3. Configure PerApp VPN profile

    3.1. Navigate to Systems Manager > Manage > Settings

    SM - add new device

    3.2. Select the Add profile option.

    SM - policy add new device

    3.3. Select Device profile (default) and click Continue.

    SM - search for type of policy

    3.4. Once the Profile Configuration menu is displayed, write the Name and select the target devices under Scope.

    Configure scope of perapp policy

    3.5. Select Add settings and filter the types of profile by iOS Per App VPN, select the option as seen below.

    Menu to select PerApp policy

    3.6. Once the menu is displayed, write the connection information based on the example below.

    Systems Manager supports two certificate enrollments for these connections, SCEP and manual enrollment. In this example manual enrollment was used.

    Note: Select Add credential once you filled the text-boxes since this option takes you to a new menu to add a certificate file.

    Menu to configure PerApp parameters

    3.7. Once you clicked on Add credential and you got redirected to the Certificate menu, write the Name of the Certificate, browse in your computer and look for the the Password that protects the .pfx file (encrypted certificate file).

    Menu to configure credentials (certificate)

    3.8. After the certificate is selected, the certificate filename is displayed.

    Menu to confirm credentials

    3.9. Once you selected the certificate, navigate to the VPN profile you were previously on and select the recently imported credential and Select the tunneled App (Firefox in this case).

    Click Save once this is completed.

    Menu to confirm PerApp parameters prior to deployment

    3.10. Verify the profile is installed on the target devices.

    Confirm installation of profile

    Step 4. App Selector Configuration

    4.1. Download app selector from cisco website https://software.cisco.com/download/home/286281283/type/282364313/release/AppSelector-2.0

    Caution: Run the application on a Windows machine. The results displayed are not be the expected when the tool is used on MacOS devices.

    4.2. Open the java application. Select iOS from the dropdown menu, add a friendly name and ensure you type *.* in the App ID.

    AppSelector wildcard

    4.3. Navigate to Policy and select View Policy

    AppSelector wildcard - view policy

    4.4. Copy the string displayed. (This is later used in the VPN headend configuration).

    AppSelector wildcard - view policy - export value

    Step 5. ASA Sample Per App VPN Configuration

    conf t
    webvpn
    anyconnect-custom-attr perapp description PerAppVPN
    anyconnect-custom-data perapp wildcard eJyrVnLOLE7Od84vqCzKTM8oUbJSgrMVNJI1FYwMDEwUwGoUgiuLS1Jzi3UUPPOS9ZR0lFxSyzKTU30yi4G6oquh3JDKglSgIYkFBTmpupn5xUB1jgUFcEVA8cwUoLyWnhZQJi0vMRekujwzJyU5sShFqTYWCAFHcjDB


    ip local pool vpnpool 10.204.201.20-10.204.201.30 mask 255.255.255.0

    access-list split standard permit 172.168.0.0 255.255.0.0 
    access-list split standard permit 172.16.0.0 255.255.0.0

    group-policy GP-perapp internal
    group-policy GP-perapp attributes
    vpn-tunnel-protocol ssl-client 
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split
    split-tunnel-all-dns disable
    anyconnect-custom perapp value wildcard

    tunnel-group perapp type remote-access
    tunnel-group perapp general-attributes
    address-pool vpnpool
    default-group-policy GP-perapp
    tunnel-group perapp webvpn-attributes
    authentication certificate
    group-alias perapp enable
    group-url https://vpn.cisco.com/perapp enable

    Verify

    6. Verify Profile Installation on AnyConnect Application

    6.1. Open the AnyConnect Application and select Connections in the left pane. The PerApp VPN profile must be displayed under a new section called PER-APP VPN.

    Select the i  to display the advanced settings.

    Verify VPN connection profile

    6.2. Select the Advanced option.

    Verify VPN advanced parameters

    6.3. Select the App Rules option.

    Verify app rules

    6.4. Lastly, confirm the App Rule is installed. (Mozilla is the tunneled App desired in this document, so the app installation was successful).

    App Rules from perapp

    Troubleshoot

    There are currently no specific troubleshooting steps for this document.

    Revision History

    Revision Publish Date Comments
    1.0
    27-Feb-2023
    Initial Release

    Contributed by

    • Hugo Olguin

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products