
AnyConnect Apple iOS - Transition to Apple's latest VPN framework (NetworkExtension)

Peter Davis
Cisco Employee


On approximately June 14, 2017, we will begin the public transition away from Apple's deprecated iOS VPN framework (VPN Plugin), which AnyConnect currently uses, to Apple's current VPN framework (NetworkExtension). The new framework will allow for more reliable VPN connectivity and also allows us to finally officially support Per App VPN connectivity, not just for TCP applications, but for UDP applications as well. Per App support requires EMM configuration.


Transition timeline and process -

Approximately June 14, 2017: An additional (new) AnyConnect application will appear in the App Store. This new application will be supported on iOS 10.x and later. We recommend always using the latest version of iOS 10.x or later, as Apple has provided bug fixes to improve the reliability of this newer framework.

App Store willing, the old application will be renamed to Cisco Legacy AnyConnect and will be rebranded with legacy branding in this same timeframe.


Phase out of legacy AnyConnect -


The legacy application (existing older AnyConnect) will only receive critical bug fixes going forward and will be phased out over an extended period of time. More details on the phase out timing will be announced at a later date.


Transition process -


Unfortunately, there is no ability to automatically transition users from the old OS framework to the new framework. Users will need to download the newer AnyConnect application or have EMM push out the new AnyConnect application. The new application will need to be re-provisioned, whether manually or via EMM. This includes pushing down configuration and certificates (if applicable). To avoid confusion or conflicts, the old application should be removed from the endpoint.


EMM configuration -


EMM vendors must support VPNType (VPN), VPNSubType ( and ProviderType (packet-tunnel). For integration with ISE, they must be able to pass the UniqueIdentifier to AnyConnect, since AnyConnect no longer has direct access to it in the new framework. Please consult with your EMM vendor for how to set this up; some may require this to be set up as a "custom" VPN type, and others may not have support available at release time.



Please direct any questions to
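
The EMM requirements above can be checked against an exported configuration profile before it is pushed to devices. The following is an added example, not Cisco's or any EMM vendor's code: it assumes the profile is an unsigned `.mobileconfig` plist, that VPN payloads use a `PayloadType` beginning with `com.apple.vpn.managed`, and that `ProviderType` sits in the payload's `VPN` dictionary; the sample profiles and the VPNSubType value are constructed placeholders.

```python
import plistlib

# Values named in the post for the NetworkExtension-based AnyConnect.
REQUIRED_VPN_TYPE = "VPN"
REQUIRED_PROVIDER_TYPE = "packet-tunnel"


def check_profile(data: bytes) -> list:
    """Return a list of problems found in the VPN payloads of a profile."""
    profile = plistlib.loads(data)
    # Assumption: VPN payloads are identified by this PayloadType prefix.
    payloads = [p for p in profile.get("PayloadContent", [])
                if str(p.get("PayloadType", "")).startswith("com.apple.vpn.managed")]
    if not payloads:
        return ["no VPN payload in profile"]
    problems = []
    for p in payloads:
        name = p.get("PayloadDisplayName", "<unnamed>")
        if p.get("VPNType") != REQUIRED_VPN_TYPE:
            problems.append(f"{name}: VPNType is {p.get('VPNType')!r}")
        # The expected VPNSubType value comes from vendor documentation;
        # this check only confirms that the EMM emitted the key at all.
        if not p.get("VPNSubType"):
            problems.append(f"{name}: VPNSubType missing")
        provider = p.get("VPN", {}).get("ProviderType")
        if provider != REQUIRED_PROVIDER_TYPE:
            problems.append(f"{name}: ProviderType is {provider!r}")
    return problems


def make_profile(payload: dict) -> bytes:
    """Build a constructed sample profile around one payload."""
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [payload]})


# Constructed samples: one with all three keys, one without the new keys.
GOOD = make_profile({"PayloadType": "com.apple.vpn.managed",
                     "PayloadDisplayName": "New AnyConnect",
                     "VPNType": "VPN",
                     "VPNSubType": "PLACEHOLDER-SUBTYPE-FROM-VENDOR-DOCS",
                     "VPN": {"ProviderType": "packet-tunnel"}})
INCOMPLETE = make_profile({"PayloadType": "com.apple.vpn.managed",
                           "PayloadDisplayName": "Old profile",
                           "VPNType": "VPN",
                           "VPN": {}})

if __name__ == "__main__":
    for label, blob in (("GOOD", GOOD), ("INCOMPLETE", INCOMPLETE)):
        print(label, check_profile(blob) or "ok")
```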
