cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Webcast- Catalyst 9000

AnyConnect Apple iOS - Transition to Apple's latest VPN framework (NetworkExtension)

9809
Views
21
Helpful
9
Comments
Cisco Employee

AnyConnect Apple iOS - Transition to Apple's latest VPN framework (NetworkExtension)


Both Apple iOS released have been posted (Legacy and New).


On June 14, 2017, we began the public transition away from Apple's deprecated iOS VPN framework (VPN Plugin) which is what is currently used by AnyConnect to Apple's current VPN framework (NetworkExtension). The new framework will allow for more reliable VPN connectivity and also allows for us to finally officially support Per App VPN connectivity, not just for TCP applications, but UDP applications as well. Per App support requires EMM configuration.

Transition timeline and process -


June 14, 2017 An additional (new) AnyConnect application will appear in the App Store. This new application will be supported on iOS 10.x and later. We recommend the latest version of iOS 10.x or later is always used as Apple has provided bug fixes to improve the reliability of this newer framework.

App Store willing, the old application will be renamed to Cisco Legacy AnyConnect and will be rebranded with legacy branding in this same timeframe.

Phase out of legacy AnyConnect -

The legacy application (existing older AnyConnect) will only receive critical bug fixes going forward and will be phased out over an extended period of time. More details on the phase out timing will be announced at a later date.

Transition process -

Unfortunately there is no ability to automatically transition users from the old OS framework to the new framework. Users will need to download the newer AnyConnect application or have EMM push out the new AnyConnect application. The new application will need to be re-provisioned, whether manually or via EMM. This includes pushing down configuration and certificates (if applicable). To avoid confusion or conflicts, the old application should be removed from the endpoint.

EMM configuration -

EMM vendors must support VPNType (VPN), VPNSubType (com.cisco.anyconnect) and ProviderType (packet-tunnel). For integration with ISE, they must be able to pass the UniqueIdentifier to AnyConnect since AnyConnect no longer has this access directly in the new framework. Please consult with your EMM vendor for how to set this up, some may require this to be set up as a "custom" VPN type and others may not have support available at release time.

See information below and attachments for information supplied by 3rd party vendors AirWatch and MobileIron on how to set this up in their systems.

Questions?

Please direct any questions to ac-mobile-feedback@cisco.com.

AirWatch instructions

direct any questions to them.

https://support.air-watch.com/articles/115005786867 (Requires AirWatch customer login to view)

How to setup VPN profile for the new Cisco AnyConnect application

Steps to perform

• Add iOS VPN profile
• Select Connection Type as “Custom”
• Enter identifier as “com.cisco.anyconnect”
• Add Custom Data with Key as “DeviceUniqueIdentifier” and Value as “{DeviceUid}”
• Select Provider type as “Packet Tunnel”
• Complete the rest of the configuration as per requirement

Meraki instructions, see attachments.

Microsoft InTune - support for new configuration not currently available. Please direct any questions on timing to InTune.

MobileIron instructions, see attachment. Direct any questions to them.

NewACIcon.png

9 Comments
Contributor

Thanks Pete. This is great news.

Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.

Contributor

It’s posted and available for download. Thanks again.

Thanks man!

I still don't see support for Intune currently and it's October.. if anyone knows of a fix please let me know! I'll keep looking and chat w/Microsoft and if I have an update I can post here.

Cisco Employee

You will want to reach out to your Microsoft InTune account team. We have already been in communication with the InTune team on this many times, including recently. Only Microsoft InTune team will be able to give you the current status on when this will be available.

Beginner

Hi there. Any idea as to when the Legacy Anyconnect will be removed from the Apple App Store? It seemed to disappear today (Oct.24/17) and then re-appear later in the day. This had caused us a few issues as we do not have the new Anyconnect version ready in our Production environment. Thanks.

Cisco Employee

We will provide a 3 month public notice before end of availability, please start working on this transition now as this day is quickly arriving.  Regarding the disappearance for part of a day, this was the only app left on a legacy Cisco app store account and that account status lapsed. Unfortunately we did not get any notice until after it had lapsed and the app was not longer available. This issue has been corrected. Apologies for any inconvenience this may have caused you.

Beginner

I KNEW IT!!  I saw the app go down for a bit the same day as you and it cause me to freak out and contact both Microsoft and Cisco about the time line.  Microsoft won't commit to anything timeline wise, so I think we are going to have to rely on the Cisco-Microsoft relationship to ensure their mutual customers don't have Legacy VPN cut off from the 3500 mobile users we have.

Beginner

Hi,

How can an Intune customer prepare for this transition if its really up to Microsoft to provide the support for the new product?  What happens if they don't support the new app by the time Cisco removes the legacy app from the app store?

Anthony

Cisco Employee

You can contact Microsoft as you have done and express the urgency for this support. While I cannot speak for the InTune team, I am confident that they will provide support before the legacy AnyConnect app is no longer available for new installations.  Cisco has already been in touch with the InTune team on multiple occasions on this topic.