adamwin
Cisco Employee

Introduction

One of the core features of the Umbrella roaming client is the ability to apply a user identity from anywhere to the DNS and Web traffic captured by the client. As user identities have evolved, two major limitations have emerged. This article describes each limitation and what Cisco Umbrella is doing to address them.

Windows

On Windows platforms, Umbrella currently relies on a Generated UID, or GUID, to perform user identification. This value is ubiquitous in traditional Active Directory; however, it does not exist on Azure AD (by default), Okta, or other cloud-based identity platforms. As a result, a migration is required.

The following roaming client versions fully support Azure AD and other "user name/email"-based identity platforms supported by the Umbrella cloud:

  • Cisco Secure Client (formerly AnyConnect)
    • Cisco Secure Client 5.0 and above
    • AnyConnect 4.10 MR6 (and higher on 4.10)
  • Umbrella Roaming Client
    • 3.0.328 and above

macOS

macOS has many options for user identity: traditional native binding (phasing out), Enterprise Connect (end of life), NoMaD (acquired and launched as JAMF Connect), JAMF Connect, and AppSSO. Cisco currently supports:

  • Native Binding
  • NoMaD branded implementations
  • Enterprise Connect

At this time Cisco Umbrella has not yet added support for JAMF Connect (formerly NoMaD/NoMaD Login) or AppSSO (Kerberos Extension) in the roaming client. 

Cisco will be releasing native MDM profile support for user identity. Any MDM can push a managed preferences profile containing a user email address, which sets the current user.

Supported versions:

  • Cisco Secure Client (formerly AnyConnect)
    • Cisco Secure Client 5.0 and above
    • AnyConnect 4.10 MR6 (and higher on 4.10)
  • Umbrella Roaming Client
    • 3.0.22 and above

This profile should be pushed to "Managed Preferences" (*/Library/Managed Preferences). This will not function without a version listed above. Contact the Umbrella support team to request a preview version for testing purposes. 

com.cisco.umbrella.client.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>UPN</key>
<string>user@domain.com</string>
</dict>
</plist>
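
The following is an added example, not Cisco's code: a pre-deployment check for the profile above that catches a missing UPN key, a wrong value type, the sample placeholder left in place, or an MDM variable that was never substituted. The variable prefixes, the email pattern and the sample identity are assumptions of this example.

```python
import plistlib
import re
import sys

UPN_KEY = "UPN"  # key name from the profile shown above
# Assumption: a deliberately simple email-shape check (one "@", dotted domain).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s.]+(\.[^@\s.]+)+$")
PLACEHOLDER = "user@domain.com"  # literal value from the sample profile
# Constructed sample input for this example, not a real identity.
SAMPLE_OK = plistlib.dumps({UPN_KEY: "alice@example.com"})


def check_umbrella_profile(raw: bytes) -> list[str]:
    """Return the problems found in a com.cisco.umbrella.client.plist payload."""
    try:
        prefs = plistlib.loads(raw)  # accepts XML and binary plists
    except Exception as exc:
        return [f"not a valid plist: {exc}"]
    if not isinstance(prefs, dict):
        return ["top-level object is not a <dict>"]
    if UPN_KEY not in prefs:
        return [f"missing {UPN_KEY} key"]
    upn = prefs[UPN_KEY]
    if not isinstance(upn, str):
        return [f"{UPN_KEY} must be a <string>, found {type(upn).__name__}"]
    problems = []
    if upn != upn.strip():
        problems.append("UPN has leading or trailing whitespace")
    upn = upn.strip()
    # Assumption: MDM payload variables start with "$", "%" or "{".
    if upn.startswith(("$", "%", "{")):
        problems.append("UPN looks like an unsubstituted MDM variable")
    elif not EMAIL_RE.match(upn):
        problems.append("UPN is not an email-style identity")
    elif upn.lower() == PLACEHOLDER:
        problems.append("UPN is still the sample placeholder")
    return problems


if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_OK
    for line in check_umbrella_profile(data) or ["OK"]:
        print(line)
```

Run it against the profile before uploading it to the MDM, or against the delivered file on a test endpoint.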

Example configuration (JAMF)

Below is an example of distribution with JAMF. Configuration may differ based on your MDM provider.

[Screenshots: article-7406359821588_jamf2.png, article-7406359821588_jamf3.png]
