Managed Configuration for AnyConnect for Android

Available Languages

Download Options

  • PDF     (4.9 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (81.0 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (65.2 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:November 13, 2019
Document ID:215076

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Contents

AnyConnect for Android supports managed configurations, which could be provisioned by MDM/EMM apps. The schema is embedded within AnyConnect''s APK (in res/restrictions.xml) and could be retrieved via Google's EMM API. The schema includes detailed documentation on each field and defines a form that could be rendered by the EMM admin portal.

To provision only a single VPN configuration entry, admins may use the vpn_connection_* fields. To provision multiple VPN configurations, admins may use the vpn_configuration_list field, which is a BundleArray that may contain one or more vpn_configuration entries.

Some of the managed configuration keys are associated dynamic tokenized values that should be populated by EMM software.

Provisioning Client Certificates

AnyConnect supports the standard process for EMM provisioning of client certificates. vpn_keychain_cert_alias should contain the Android KeyChain alias of the certificate. When this value is present, AnyConnect will call KeyChain.choosePrivateKeyAlias to start the import (if the alias has not already been imported). Normally, this will result in an OS prompt for the user to approve the request. For a more seamless user experience, the EMM app may implement onChoosePrivateKeyAlias to avoid prompting the user.

Most EMM portals allow the admin to input a special tokenized value for the vpn_keychain_cert_alias field. Once the EMM app has imported the certificate into Android KeyChain, it will use the actual certifiate alias in place of the special token.

Note: the value of of vpn_keychain_cert_alias must match the actual KeyChain alias of the certificate. Otherwise, the user may be prompted repeatedly because AnyConnect thinks the certificate has not been imported.

To recap the process of EMM provisioning of client certificate:

  1. EMM app obtains the certificate (e.g. via SCEP) and imports it into Android KeyChain.
  2. (Recommended) EMM app implements DeviceAdminReceiver.onChoosePrivateKeyAlias() so AnyConnect will be auto-approved to use the certificate
  3. EMM app sets the KeyChain alias of the imported certificate into the vpn_keychain_cert_alias field of AnyConnect's managed configuration.

Provisioning Device Identifier

AnyConnect supports EMM provisioning of a device identifier that could be used for network access control or reporting using the special tokenized value field vpn_connection_device_id. For more information about the device ID, please see this Tech Zone note.

TAC Authored

Contributed by Cisco Engineers

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products