Peter Davis
Cisco Employee

AnyConnect Apple iOS - Transition to Apple's latest VPN framework (NetworkExtension)


Both Apple iOS releases have been posted (Legacy and New).


On June 14, 2017, we began the public transition away from Apple's deprecated iOS VPN framework (VPN Plugin), which AnyConnect currently uses, to Apple's current VPN framework (NetworkExtension). The new framework allows for more reliable VPN connectivity and lets us finally officially support Per App VPN connectivity, not just for TCP applications but for UDP applications as well. Per App support requires EMM configuration.

Transition timeline and process -


June 14, 2017: An additional (new) AnyConnect application will appear in the App Store. This new application will be supported on iOS 10.x and later. We recommend always using the latest version of iOS 10.x or later, as Apple has provided bug fixes to improve the reliability of this newer framework.

App Store willing, the old application will be renamed to Cisco Legacy AnyConnect and will be rebranded with legacy branding in this same timeframe.

Phase out of legacy AnyConnect -

The legacy application (existing older AnyConnect) will only receive critical bug fixes going forward and will be phased out over an extended period of time. More details on the phase out timing will be announced at a later date.

Transition process -

Unfortunately there is no ability to automatically transition users from the old OS framework to the new framework. Users will need to download the newer AnyConnect application or have EMM push out the new AnyConnect application. The new application will need to be re-provisioned, whether manually or via EMM. This includes pushing down configuration and certificates (if applicable). To avoid confusion or conflicts, the old application should be removed from the endpoint.

EMM configuration -

EMM vendors must support VPNType (VPN), VPNSubType (com.cisco.anyconnect) and ProviderType (packet-tunnel). For integration with ISE, they must be able to pass the UniqueIdentifier to AnyConnect, since AnyConnect no longer has direct access to it in the new framework. Please consult your EMM vendor for how to set this up; some may require this to be set up as a "custom" VPN type, and others may not have support available at release time.

See information below and attachments for information supplied by 3rd party vendors AirWatch and MobileIron on how to set this up in their systems.

Questions?

Please direct any questions to ac-mobile-feedback@cisco.com.

AirWatch instructions. Direct any questions to them.

https://support.air-watch.com/articles/115005786867 (Requires AirWatch customer login to view)

How to set up the VPN profile for the new Cisco AnyConnect application

Steps to perform

• Add iOS VPN profile
• Select Connection Type as “Custom”
• Enter identifier as “com.cisco.anyconnect”
• Add Custom Data with Key as “DeviceUniqueIdentifier” and Value as “{DeviceUid}”
• Select Provider type as “Packet Tunnel”
• Complete the rest of the configuration as per requirement
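
An added example, not Cisco's or any EMM vendor's code: a Python check of an iOS configuration profile, as delivered to a device, against the EMM requirements and AirWatch steps above. It assumes Apple's configuration-profile layout (`ProviderType` inside the `VPN` dictionary, custom data under `VendorConfig`); the sample profile, server name and function names are constructed.

```python
import plistlib

# Constructed sample profile (not from the page); vpn.example.com is a placeholder.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.vpn.managed</string>
    <key>UserDefinedName</key><string>Example VPN</string>
    <key>VPNType</key><string>VPN</string>
    <key>VPNSubType</key><string>com.cisco.anyconnect</string>
    <key>VPN</key><dict>
      <key>RemoteAddress</key><string>vpn.example.com</string>
      <key>ProviderType</key><string>packet-tunnel</string>
    </dict>
    <key>VendorConfig</key><dict>
      <key>DeviceUniqueIdentifier</key><string>{DeviceUid}</string>
    </dict>
  </dict></array>
</dict></plist>"""

# Device-wide and Per App VPN payload types (assumed Apple layout).
VPN_PAYLOAD_TYPES = {"com.apple.vpn.managed", "com.apple.vpn.managed.applayer"}

def check_payload(payload):
    """Return a list of problems for one VPN payload dict."""
    problems = []
    if payload.get("VPNType") != "VPN":
        problems.append("VPNType must be 'VPN'")
    if payload.get("VPNSubType") != "com.cisco.anyconnect":
        problems.append("VPNSubType must be 'com.cisco.anyconnect'")
    if payload.get("VPN", {}).get("ProviderType") != "packet-tunnel":
        problems.append("VPN.ProviderType must be 'packet-tunnel'")
    uid = str(payload.get("VendorConfig", {}).get("DeviceUniqueIdentifier", "")).strip()
    if not uid:
        problems.append("DeviceUniqueIdentifier missing (needed for ISE)")
    elif uid.startswith("{") and uid.endswith("}"):
        # Assumption: a literal {token} on the device means the EMM did not substitute it.
        problems.append("DeviceUniqueIdentifier is an unresolved EMM token: " + uid)
    return problems

def audit_profile(data):
    """Map each VPN payload's display name to its list of problems."""
    report = {}
    for p in plistlib.loads(data).get("PayloadContent", []):
        if p.get("PayloadType") in VPN_PAYLOAD_TYPES:
            report[p.get("UserDefinedName", "<unnamed>")] = check_payload(p)
    return report

if __name__ == "__main__":
    for name, problems in audit_profile(SAMPLE_PROFILE).items():
        print(name, "OK" if not problems else problems)
```

The sample deliberately carries the raw `{DeviceUid}` lookup value, so the check reports it as unresolved; a profile where the EMM substituted a real identifier passes.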

Meraki instructions, see attachments.

Microsoft InTune - support for new configuration not currently available. Please direct any questions on timing to InTune.

MobileIron instructions, see attachment. Direct any questions to them.
