We currently are trying to rollout tablets to users within our company and we want to lock them down as much as possible. The tablets will mainly be connecting over 3G/4G using the cisco anyconnect client for android. Our mobile device manager can lock down the client so that the user cannot end the app or uninstall it, but the user can still go into the app and turn the vpn off, thus allowing them full internet access over 3G/4G. I'm wondering if there is a way to block users from turning it off. Did I miss something when setting up the AnyConnect profile on my ASA? Any other ideas?