Showing results for 
Search instead for 
Did you mean: 
Cisco Employee
Cisco Employee

AnyConnect Per-Application VPN (PerApp VPN) solves the problem of providing BYOD VPN support to AnyConnect on mobile devices where tunneling only applications defined by a policy to the corporate network is desired. PerApp not only protects the targeted corporate data but also protects the user’s personal data and applications since only applications explicitly permitted by the ASA administrator will be permitted access to VPN head-end and ultimately the corporate network. This solution is essentially split-tunneling at Layer 7 without the inherent risks associated with L3 split-tunneling.

This use case focuses on Apple iOS devices which are required to be managed by an MDM/EMM solution.  MDM servers such as MobileIron are able to push PerApp VPN configurations when managing devices.  When devices are managed, the AnyConnect VPN Client behaves as an application filter and performs validation of the application prior to allowing the traffic to be tunneled. This validation is accomplished using a PerApp Policy applied to the ASA.  Applications not permitted by the PerApp policy will not have its packets forwarded to the ASA.

Level 1
Level 1

Hi Pcarco,


Great explanation !

I used your manual to implement PerApp with Airwatch MDM for Apple IOS devices and it is working fine.

I also used in the App Selector the wildcard ID: *.* like this we defined in airwatch which Apps should be used for PerApp centrally and it is working fine.

However for Android device i did the same thing in the APP selector but it is not working.

When i go to the Android device and click on the APP, the VPN is not initiated.

I saw in the Anyconnect user guide the following:


If you are using Android apps in your policy, you must have the Android SDK and the Android SDK Build-tools
installed on your system. If you do not, install them as follows.
a) Install the latest version of the Android SDK Tools for the platform you are running the Application
Selector Tool on.
Install the recommended SDK Tools Only package for your platform using the default paths and settings,
including: Install for All Users, so access to package entities is as described.
b) Using the Android SDK Manager, install the latest version of the Android SDK Build-tools.


I performed this but also with no luck.

Do we just need to install the Android SDK tool on the PC where the APP selector is installed or do something else?


Please advise and thank you in advance

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: