AnyConnect for Android supports managed configurations, which can be provisioned by MDM/EMM apps. The schema is embedded within AnyConnect's APK (in res/restrictions.xml) and can be retrieved via Google's EMM API. The schema includes detailed documentation on each field and defines a form that can be rendered by the EMM admin portal.
To provision only a single VPN configuration entry, admins may use the vpn_connection_* fields. To provision multiple VPN configurations, admins may use the vpn_configuration_list field, which is a BundleArray that may contain one or more vpn_configuration entries.
Some of the managed configuration keys are associated with dynamic tokenized values that should be populated by the EMM software.
Provisioning Client Certificates
AnyConnect supports the standard process for EMM provisioning of client certificates. vpn_keychain_cert_alias should contain the Android KeyChain alias of the certificate. When this value is present, AnyConnect will call KeyChain.choosePrivateKeyAlias to start the import (if the alias has not already been imported). Normally, this will result in an OS prompt for the user to approve the request. For a more seamless user experience, the EMM app may implement onChoosePrivateKeyAlias to avoid prompting the user.
Most EMM portals allow the admin to input a special tokenized value for the vpn_keychain_cert_alias field. Once the EMM app has imported the certificate into the Android KeyChain, it will use the actual certificate alias in place of the special token.
Note: the value of vpn_keychain_cert_alias must match the actual KeyChain alias of the certificate. Otherwise, the user may be prompted repeatedly because AnyConnect thinks the certificate has not been imported.
To recap the process of EMM provisioning of a client certificate:
- EMM app obtains the certificate (e.g. via SCEP) and imports it into Android KeyChain.
- (Recommended) EMM app implements DeviceAdminReceiver.onChoosePrivateKeyAlias() so AnyConnect will be auto-approved to use the certificate.
- EMM app sets the KeyChain alias of the imported certificate into the vpn_keychain_cert_alias field of AnyConnect's managed configuration.
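The three steps above, as an added Java example that is not Cisco's code: a DeviceAdminReceiver for a hypothetical EMM agent that silently approves the KeyChain alias only when the requesting uid belongs to the VPN client, and a helper that substitutes the real alias for the portal token before pushing the managed configuration. The class name, the VPN client package name, and the token string are assumptions (the package name is a placeholder to be replaced with the real one).

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

/** Hypothetical EMM agent component (example code, not part of AnyConnect or any EMM product). */
public class EmmAdminReceiver extends DeviceAdminReceiver {
    // PLACEHOLDER: replace with the VPN client's real package name.
    static final String VPN_CLIENT_PKG = "PLACEHOLDER.vpn.client.package";
    // Key name from AnyConnect's res/restrictions.xml.
    static final String KEY_CERT_ALIAS = "vpn_keychain_cert_alias";
    // Token the admin types in the portal; the exact string is EMM-specific (assumed here).
    static final String ALIAS_TOKEN = "${CERT_ALIAS}";

    /** Step 2: auto-approve only the VPN client, and only for the alias we provisioned to it. */
    @Override
    public String onChoosePrivateKeyAlias(Context ctx, Intent intent, int uid, Uri uri, String alias) {
        String provisioned = provisionedAlias(ctx);
        if (provisioned == null) return null;                      // nothing provisioned: normal OS prompt
        String[] pkgs = ctx.getPackageManager().getPackagesForUid(uid);
        if (pkgs == null) return null;
        for (String p : pkgs) {
            // Grant when the VPN client asks for our alias or passes no preselected alias.
            if (VPN_CLIENT_PKG.equals(p) && (alias == null || alias.equals(provisioned))) {
                return provisioned;                                // silent grant, no user prompt
            }
        }
        return null;                                               // any other caller gets the prompt
    }

    private static String provisionedAlias(Context ctx) {
        DevicePolicyManager dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = new ComponentName(ctx, EmmAdminReceiver.class);
        return dpm.getApplicationRestrictions(admin, VPN_CLIENT_PKG).getString(KEY_CERT_ALIAS);
    }

    /** Step 3: push the managed config, replacing the portal token with the real KeyChain alias. */
    public static void applyVpnConfig(Context ctx, Bundle portalTemplate, String keyChainAlias) {
        Bundle cfg = new Bundle(portalTemplate);
        if (ALIAS_TOKEN.equals(cfg.getString(KEY_CERT_ALIAS))) {
            // Must be the exact alias used when the certificate was installed (step 1),
            // otherwise AnyConnect re-prompts because it believes the import never happened.
            cfg.putString(KEY_CERT_ALIAS, keyChainAlias);
        }
        DevicePolicyManager dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        dpm.setApplicationRestrictions(new ComponentName(ctx, EmmAdminReceiver.class), VPN_CLIENT_PKG, cfg);
    }
}
```

Restricting the silent grant to the VPN client's uid and to the provisioned alias keeps the private key from being handed to any other app that happens to call KeyChain.choosePrivateKeyAlias.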
Provisioning Device Identifier
AnyConnect supports EMM provisioning of a device identifier that can be used for network access control or reporting, via the special tokenized value field vpn_connection_device_id. For more information about the device ID, please see this Tech Zone note.