Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
19634
Views
2
Helpful
1
Comments

How To Implement iOS AnyConnect Per-App with MobileIron

pcarco
Cisco Employee
Cisco Employee

on ‎06-03-2016 01:07 PM

AnyConnect Per-Application VPN (PerApp VPN) solves the problem of providing BYOD VPN support to AnyConnect on mobile devices where tunneling only applications defined by a policy to the corporate network is desired. PerApp not only protects the targeted corporate data but also protects the user’s personal data and applications since only applications explicitly permitted by the ASA administrator will be permitted access to VPN head-end and ultimately the corporate network. This solution is essentially split-tunneling at Layer 7 without the inherent risks associated with L3 split-tunneling.


This use case focuses on Apple iOS devices which are required to be managed by an MDM/EMM solution.  MDM servers such as MobileIron are able to push PerApp VPN configurations when managing devices.  When devices are managed, the AnyConnect VPN Client behaves as an application filter and performs validation of the application prior to allowing the traffic to be tunneled. This validation is accomplished using a PerApp Policy applied to the ASA.  Applications not permitted by the PerApp policy will not have its packets forwarded to the ASA.

Labels:
Preview file
1852 KB
Comments
bern81
Level 1
Level 1
‎03-07-2019 04:49 AM

Hi Pcarco,

 

Great explanation !

I used your manual to implement PerApp with Airwatch MDM for Apple IOS devices and it is working fine.

I also used in the App Selector the wildcard ID: *.* like this we defined in airwatch which Apps should be used for PerApp centrally and it is working fine.

However for Android device i did the same thing in the APP selector but it is not working.

When i go to the Android device and click on the APP, the VPN is not initiated.

I saw in the Anyconnect user guide the following:

 

If you are using Android apps in your policy, you must have the Android SDK and the Android SDK Build-tools
installed on your system. If you do not, install them as follows.
a) Install the latest version of the Android SDK Tools for the platform you are running the Application
Selector Tool on.
Install the recommended SDK Tools Only package for your platform using the default paths and settings,
including: Install for All Users, so access to package entities is as described.
b) Using the Android SDK Manager, install the latest version of the Android SDK Build-tools.

 

I performed this but also with no luck.

Do we just need to install the Android SDK tool on the PC where the APP selector is installed or do something else?

 

Please advise and thank you in advance

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents