Benefits
• Provide highly secure remote access for selected applications by user, role, device, etc. (Per App VPN)
• Reduce the potential for non-approved applications to compromise enterprise data
• Support a range of remote users and endpoints (employees, partners, contractors), streamlining IT operations
Capabilities
• Apple iOS 8.3 > MDM requirement
• Android ICS+ & Samsung Knox 2.0 MDM optional
• Cisco ASA Configuration and Enforcement of Per App policy
• Support for unmanaged devices (BYOD/ no MDM)
• Application Selector tool creates per app policy for ASA
Minimum Requirements for Per App VPN
• Credentials/ACIDex
• DAP to Per App Policy
• Configure with AC/AMP Profile
iOS policy
• Importing from a disk requires iTunes be locally installed with the desired apps.
• Manual rule configuration if the app ID is known, e.g. com.cisco.jabberIM
Select Apps to Be Added to the Policy
Use iTunes on a Local Disk
Completed Per App Policy
Used by the ASA to Enforce Per App VPN
Authorization Challenge
• Credentials/ACIDex
• DAP to Per App Policy
Configuration with Per App Policy
The Per App configuration will be derived from the Per App policy provided by the ASA.
The Per App policy will be used both to configure which applications are tunneled and validate
the application when it attempts to pass traffic.
AnyConnect for Android
• AnyConnect ICS+: Android 4.x ICS+, Android 5.0 Lollipop
• Samsung KNOX: Android 4.3+
Note: If not using KNOX, it is recommended to use Cisco® AnyConnect ICS+ on Samsung devices.
AnyConnect Enterprise Application Selector
Tool (Android)
Obtain Android App ID from Google Play
Example: Google Chrome equals com.android.chrome
Android Add Rule Known App ID
Optional parameters
• Minimum version - The minimum version of the chosen app, as specified in the package manifest attribute android:versionCode.
• Match certificate ID - This is a digest of the application signing certificate.
• Allow shared UID - The default value is true. If it is set to false, applications with an android:sharedUserId attribute specified in the package manifest will not match this rule, and will be prevented from accessing the tunnel.
Android Import from Disk
Another option for Android is to import the apps from the local disk.
• There are third-party tools that allow you to download the apps in the apk format. We do not recommend, nor do we support, any of these available tools.
The original intent of the import from the local disk option is for cases where in-house apps are developed and not available on Google Play.
After the policy is complete you will copy and paste the policy in its Base64 format to either a DAP or a group policy.
Unmanaged Per App both configures and validates the device and the apps permitted to traverse the tunnel.
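The rule parameters above (app ID, minimum version, signing-certificate digest, shared UID) and the Base64 blob that ends up in a DAP or group policy are easier to reason about with a small model. The following Python is an added example, not Cisco's code and not the format the Application Selector actually emits: the JSON layout of the blob, the choice of SHA-256 as the certificate digest, the package dictionaries and the `PerAppRule`, `PerAppPolicy`, `decode_policy` and `asa_commands` names are all assumptions made here. It shows why each optional parameter matters by evaluating a policy against constructed packages (a re-signed APK with the right ID, an outdated build, a package declaring android:sharedUserId) and then renders the ASA CLI lines from the slides with the resulting blob filled in.

```python
# Added example (not Cisco's code): models the Per App VPN rule parameters
# described on the slides and shows how a client-side check would decide
# whether an app may traverse the tunnel. The JSON layout and the SHA-256
# digest choice are assumptions; the real Application Selector blob format
# is not documented on this page.
import base64
import hashlib
import json
from dataclasses import asdict, dataclass, field
from typing import Dict, List, Optional


def cert_digest_of(cert_der: bytes) -> str:
    """Digest of an application signing certificate (SHA-256 assumed here)."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class PerAppRule:
    """One rule of a Per App policy.

    app_id:           Android application ID, e.g. com.android.chrome
    min_version:      minimum android:versionCode from the package manifest
    cert_digest:      digest of the application signing certificate
    allow_shared_uid: when False, packages declaring android:sharedUserId
                      never match this rule and are kept off the tunnel
    """
    app_id: str
    min_version: Optional[int] = None
    cert_digest: Optional[str] = None
    allow_shared_uid: bool = True

    def matches(self, app: Dict) -> bool:
        """Apply the rule to a package description (constructed dict)."""
        if app["package"] != self.app_id:
            return False
        if self.min_version is not None and app["version_code"] < self.min_version:
            return False  # older build than the policy allows
        if self.cert_digest is not None and cert_digest_of(app["signing_cert"]) != self.cert_digest:
            return False  # same ID but a different signer (re-signed or spoofed APK)
        if not self.allow_shared_uid and app.get("shared_user_id"):
            return False  # a shared UID would let other packages borrow the tunnel
        return True


@dataclass
class PerAppPolicy:
    rules: List[PerAppRule] = field(default_factory=list)

    def permits(self, app: Dict) -> bool:
        """True if any rule permits the app to traverse the tunnel."""
        return any(rule.matches(app) for rule in self.rules)

    def to_base64(self) -> str:
        """Serialise the policy into the opaque Base64 blob pasted into the ASA."""
        doc = {"rules": [asdict(rule) for rule in self.rules]}  # assumed layout
        return base64.b64encode(json.dumps(doc, sort_keys=True).encode()).decode()


def decode_policy(blob: str) -> Dict:
    """Inverse of to_base64, useful for reviewing what a DAP actually carries."""
    return json.loads(base64.b64decode(blob))


def asa_commands(attr_name: str, blob: str, group_policy: str) -> List[str]:
    """ASA CLI lines from the slides, filled in with this policy's blob."""
    return [
        "anyconnect-custom-attr perapp description Used for Per App VPN functionality",
        f"anyconnect-custom-data perapp {attr_name} {blob}",
        f"group-policy {group_policy} attributes",
        f" anyconnect-custom perapp value {attr_name}",
    ]


# Constructed sample data: fake DER bytes stand in for real signing certificates.
CHROME_CERT = b"constructed-chrome-signing-cert"
OTHER_CERT = b"constructed-other-signing-cert"
SAMPLE_APPS = {
    "chrome": {"package": "com.android.chrome", "version_code": 2400,
               "signing_cert": CHROME_CERT, "shared_user_id": None},
    "chrome_old": {"package": "com.android.chrome", "version_code": 1999,
                   "signing_cert": CHROME_CERT, "shared_user_id": None},
    "chrome_resigned": {"package": "com.android.chrome", "version_code": 2400,
                        "signing_cert": OTHER_CERT, "shared_user_id": None},
    "jabber_shared": {"package": "com.cisco.jabberIM", "version_code": 10,
                      "signing_cert": OTHER_CERT, "shared_user_id": "com.cisco.shared"},
    "unlisted": {"package": "com.example.notes", "version_code": 1,
                 "signing_cert": OTHER_CERT, "shared_user_id": None},
}

EXAMPLE_POLICY = PerAppPolicy(rules=[
    PerAppRule("com.android.chrome", min_version=2000, cert_digest=cert_digest_of(CHROME_CERT)),
    PerAppRule("com.cisco.jabberIM", allow_shared_uid=False),
])

if __name__ == "__main__":
    for name, app in SAMPLE_APPS.items():
        print(f"{name:16} permitted={EXAMPLE_POLICY.permits(app)}")
    for line in asa_commands("AndroidPerAppVPN", EXAMPLE_POLICY.to_base64(), "AndroidPerAppGP"):
        print(line)
```

The signing-certificate digest is the check that carries the security weight: an app ID alone is just a string in a manifest, so a rule without "Match certificate ID" admits any package that claims the name, while the digest ties the rule to the publisher's key. The shared-UID check closes the other gap, since a package sharing its UID with others would let those packages reach the tunnel through it.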
ASDM and ASA Per App Configuration
Configuration > Remote Access VPN > Network (Client) Access > Advanced > Cisco AnyConnect® Custom Attributes
Defined once and used for all per app policies.
ASDM and ASA Per App Configuration
Configuration > Remote Access VPN > Network (Client) Access > Advanced > Cisco AnyConnect® Custom Attribute Names
Per app policies are defined here and used by dynamic access policies (DAPs) or group-policies. A customer may have several different per app policies applied to DAPs or group-policies.
ASDM and ASA Per App Configuration - DAP
Edit an existing DAP or create a new DAP and apply the per app policy.
ASDM and ASA Per App Configuration - DAP
Apply the per app policy in the access/authorization policy attributes section of the dynamic access policy.
Note: This simple DAP is configured to match on both Android and iOS devices.
Testing Android Unmanaged Per App VPN
1. AnyConnect displays the policy. According to the policy, only these apps are permitted to traverse the tunnel: Chrome Browser, Citrix Receiver, Microsoft RDP App.
2. This connection is configured to use a certificate for authentication to the Cisco Adaptive Security Appliance (ASA), which makes the session establishment seamless for the user.
3. This banner is the result of the Dynamic Access Policy assigned to the session. We optionally added text to indicate what apps are permitted to traverse the tunnel.
Note: Certificate Authentication is only one of several ways to authenticate to the ASA.
Where Is This Applied on the ASA?
1. webvpn Command for the "Attribute Type":
   (syntax) anyconnect-custom-attr <AttributeType> description <AttributeTypesDescription>
   NOTE: The AttributeType MUST be lower case and called: perapp
   anyconnect-custom-attr perapp description Used for Apple iOS PerApp VPN functionality
2. Global Command - This defines the "Attribute Name" and its "Value" (Opaque Blob):
   (syntax) anyconnect-custom-data <AttributeType> <AttributeName> <AttributeNamesValue>
3. Group-Policy Command - This CLI is used to set the value of a custom AnyConnect® attribute in a group policy:
   group-policy iOSPerAppVPN attributes
   (syntax) anyconnect-custom <AttributeType> value <AttributeName (which maps to the OpaqueBlob)>
   anyconnect-custom perapp value iOSPerAppVPN
4. Dynamic-Access-Policy Command - This CLI is used to set the value of a custom AnyConnect attribute in a DAP record:
   dynamic-access-policy-record AppleiOSPerAppVPN
   (syntax) anyconnect-custom <AttributeType> value <AttributeName (which maps to the OpaqueBlob)>
   anyconnect-custom perapp value iOSPerAppVPN