
AnyConnect PerApp VPN

Differentiate Mobile Access


Connect Only Approved Applications Over VPN

AnyConnect Per App


Requirements
• AnyConnect v4.0 Plus or Apex license.
• ASA 9.3.1 or later to configure Per App VPN tunneling.
• Cisco Enterprise Application Selector tool available on CCO.

(Diagram: a Mobile User running Jabber, Salesforce, Facebook and LinkedIn, connecting through the ASA)

Benefits
• Provide highly secure remote access for selected applications by user, role, device, etc. (Per App VPN)
• Reduce the potential for non-approved applications to compromise enterprise data
• Support a range of remote users and endpoints (employees, partners, contractors), streamlining IT operations

Capabilities
• Apple iOS 8.3 and later: MDM requirement
• Android ICS+ & Samsung Knox 2.0: MDM optional
• Cisco ASA Configuration and Enforcement of Per App policy
• Support for unmanaged devices (BYOD/ no MDM)
• Application Selector tool creates per app policy for ASA
Minimum Requirements for Per App VPN

• ASA 5500-X, 5505, Virtual ASA with ASA code 9.3.1 or later
• Latest ASDM at the time of release of ASA 9.3.1 or later
• Latest release of Cisco AnyConnect® 4.x
• iOS 8.x or later
• Samsung KNOX 2.x Android device

Per App Managed

• Allows application policy enforcement by Cisco® ASA and Cisco AnyConnect®
• Policy provisioned by third-party MDM vendor
• Allows wildcard application package identifiers, e.g. com.anybird.*
• The lifetime of the VPN is not necessarily in the user's control


Per App Managed Flow
(Diagram participants: VPN Mobile Device, ASA, Enterprise Network, third-party MDM)

1. Request Connect
2. Authorization Challenge
3. Credentials/ACIDex
4. DAP to Per App Policy
5. Configure with AC/AMP Profile
6. Is the traffic valid? Apply policy from third-party MDM
7. Enforce app meets policy from ASA configuration
8. Valid Application Traffic


Managed (MDM) Per App VPN iOS Use Case
Requirements
• Cisco AnyConnect® Enterprise Application Selector Tool
• Cisco® ASA 9.3.2 or newer
• ASDM 7.3.1
  - AnyConnect custom attribute enhancement
• AnyConnect 4.0.03004 or newer
• This capability must be used in conjunction with an MDM or EMM vendor
• A Plus or Apex license

Note: Android is also supported in the managed (MDM) use case


MDM Per App
The per app policy permits three apps
Policy Pushed to User by MDM
A per app policy with three permitted apps is pushed to the user’s device
Cisco AnyConnect Enterprise Application Selector Tool
Use This Tool to Create the Per App Policy Applied to Cisco ASA

Tool availability: cisco.com with Cisco AnyConnect®

Cisco AnyConnect Enterprise Application Selector (iOS policy)
• Import from iTunes, installed locally on the admin's machine
• Creates a base64 blob discernable only by the Cisco® ASA
• Importing from a disk requires iTunes be locally installed with the desired apps
• Manual rule configuration if the app ID is known, e.g. com.cisco.jabberIM

Select Apps to Be Added to the Policy
Use iTunes on a Local Disk

Completed Per App Policy
Used by the ASA to Enforce Per App VPN

The content of the per app policy will first be compressed and then Base64-encoded.

The per app policy will be delivered as a custom attribute, which is provided by the Cisco® ASA in the aggregate authentication configuration message.

Copy the Base64 blob to the ASA using ASDM or CLI.
Per App ASA and ASDM Configuration
Cisco AnyConnect Custom Attribute

Per App ASA and ASDM Configuration
Cisco AnyConnect Custom Name (Policy)
Copy and paste the Base64 blob from the application selector tool here.
This policy can be applied to either a group policy or a dynamic access policy.

Applying the Per App Policy to the Dynamic Access Policy
Applying the Per App Policy to the Group Policy
Testing an iPad Managed Per App VPN
• User establishes a tunnel to the Cisco® ASA based on the installed profile
• User authenticates to the ASA
• The user can optionally receive a banner from the DAP
• Click on the active profile and "Advanced" to view the app rules
• App rules provide insight into the permitted apps
Per App Unmanaged (Android Only)

• Same enforcement as a managed use case
• Policy provisioned by the Cisco® ASA and AnyConnect® (No MDM needed)
• Requires fully-qualified application package identifiers, e.g. com.anybird.flyaway
• The lifetime of the VPN is in the user's control
• Configuration may be persisted between connections
Per App Unmanaged Flow
(Diagram participants: VPN Mobile Device, ASA, Enterprise Network)

1. Request Connect
2. Authorization Challenge
3. Credentials/ACIDex
4. DAP to Per App Policy
5. Configuration with Per App Policy
6. Is the traffic valid? Applied Policy Sent from ASA
7. Enforce App Meets Policy from ASA Configuration
8. Valid Application Traffic


Unmanaged Per App VPN Use Case
Android Only
A Cisco AnyConnect® client will be required to configure the device for
Per App tunneling.

The Per App configuration will be derived from the Per App policy provided by the ASA.

The Per App policy will be used both to configure which applications are tunneled and validate
the application when it attempts to pass traffic.

AnyConnect ICS+: Android 4.x ICS+, Android 5.0 Lollipop ICS+
AnyConnect for Samsung KNOX: Android 4.3+
Note: If not using KNOX, it is recommended to use Cisco® AnyConnect ICS+ on Samsung devices
AnyConnect Enterprise Application Selector Tool (Android)
Obtain the Android App ID from Google Play
Example: Google Chrome equals com.android.chrome

Android Add Rule Known App ID
An Add Rule allows the admin to manually enter the known app IDs.

Optional parameters
• Minimum version - The minimum version of the chosen app as specified in the package manifest attribute android:versionCode.
• Match certificate ID - This is a digest of the application signing certificate.
• Allow shared UID - The default value is true. If it is set to false, applications with an android:sharedUserId attribute specified in the package manifest will not match this rule, and will be prevented from accessing the tunnel.
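Added example, not code from the slides or from Cisco's selector tool: a Python sketch of the per app policy lifecycle the deck describes, using a constructed rule format (the real blob layout is Cisco's and is not shown on this page). It covers the compress-then-Base64 step, the three optional Android rule parameters, and the managed (wildcard allowed) versus unmanaged (fully-qualified ID required) difference; the app ID, version and certificate values are constructed.

```python
import base64
import fnmatch
import hashlib
import json
import zlib

def cert_digest(cert_der):
    """Digest of the app signing certificate (the 'Match certificate ID' field)."""
    return hashlib.sha256(cert_der).hexdigest()

# Constructed sample policy; the real blob layout the selector tool emits is not on the page.
SIGNING_CERT = b"constructed DER bytes of the Jabber signing certificate"
POLICY = [
    {"id": "com.android.chrome", "min_version": 60,
     "cert_sha256": None, "allow_shared_uid": True},
    {"id": "com.cisco.jabberIM", "min_version": None,
     "cert_sha256": cert_digest(SIGNING_CERT), "allow_shared_uid": False},
    {"id": "com.anybird.*", "min_version": None,  # wildcard: managed (MDM) case only
     "cert_sha256": None, "allow_shared_uid": True},
]

def encode_policy(rules):
    """Compress first, then Base64-encode: the order the slides give for the blob."""
    raw = json.dumps(rules, sort_keys=True).encode()
    return base64.b64encode(zlib.compress(raw)).decode("ascii")

def decode_policy(blob):
    """Inverse of encode_policy: what the client does with the delivered custom attribute."""
    return json.loads(zlib.decompress(base64.b64decode(blob)))

def app_allowed(app, rules, managed):
    """True if the app may traverse the tunnel. app carries id, version_code
    (android:versionCode), cert_der and shared_user_id (android:sharedUserId or None).
    managed=True is the MDM case, where wildcard ids are permitted; unmanaged Android
    needs fully qualified ids (assumption: a wildcard rule then never matches)."""
    for rule in rules:
        if "*" in rule["id"] and not managed:
            continue
        if not fnmatch.fnmatchcase(app["id"], rule["id"]):
            continue
        if rule["min_version"] is not None and app["version_code"] < rule["min_version"]:
            continue  # older than the minimum versionCode
        if rule["cert_sha256"] is not None and cert_digest(app["cert_der"]) != rule["cert_sha256"]:
            continue  # signed by a different certificate
        if not rule["allow_shared_uid"] and app["shared_user_id"]:
            continue  # shared UID not permitted by this rule
        return True
    return False  # no rule matched: the traffic is not valid for the tunnel
```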
Android Import from Disk
Another option for Android is to import the
apps from the local disk.
• There are third-party tools that allow you to
download the apps in the apk format. We do not
recommend, nor do we support, any of these
available tools.
The original intent of the import from the local disk
option is for cases where in-house apps are
developed and not available on Google Play.
After the policy is complete you will copy and paste
the policy in its Base64 format to either a DAP or a
group policy.
Unmanaged Per App both configures and validates
the device and the apps permitted to traverse the
tunnel.
ASDM and ASA Per App Configuration
Configuration > Remote Access VPN > Network (Client) Access > Advanced > Cisco AnyConnect® Custom
Attributes
Defined once and used for all per app policies
ASDM and ASA Per App Configuration
Configuration > Remote Access VPN > Network (Client) Access > Advanced > Cisco AnyConnect® Custom
Attribute Names
Per app policies are defined here and used by dynamic access policies (DAPs) or group-policies.
A customer may have several different per app policies applied to DAPs or group-policies.
ASDM and ASA Per App Configuration - DAP
Edit an existing DAP or create a new DAP and apply the per app policy.
ASDM and ASA Per App Configuration - DAP
Apply the per app policy to the access/authorization policy attributes section of the dynamic
access policy.
Note: This simple DAP is configured to match on both Android and iOS devices.
Testing Android Unmanaged Per App VPN

AnyConnect displays the policy. According to the policy, only these 3 apps are permitted to traverse the tunnel:
• Chrome Browser
• Citrix Receiver
• Microsoft RDP App

This connection is configured to use a certificate for authentication to the Cisco Adaptive Security Appliance (ASA), which makes the session establishment seamless for the user.

This banner is the result of the Dynamic Access Policy assigned to the session. We optionally added text to indicate what apps are permitted to traverse the tunnel.

Note: Certificate Authentication is only one of several ways to authenticate to the ASA.
Where Is This Applied on the ASA?
1. webvpn Command for the "Attribute Type":
   (syntax) anyconnect-custom-attr <AttributeType> description <AttributeTypesDescription>
   NOTE: The AttributeType MUST be lower case and called: perapp
   anyconnect-custom-attr perapp description Used for Apple iOS PerApp VPN functionality

2. Global Command - This defines the "Attribute Name" and its "Value" (Opaque Blob):
   (syntax) anyconnect-custom-data <AttributeType> <AttributeName> <AttributeNamesValue>
   anyconnect-custom-data perapp iOSPerAppVPN ThisIsTheWhiteListBlob1
   anyconnect-custom-data perapp iOSPerAppVPN ThisIsTheWhiteListBlob2
   anyconnect-custom-data perapp DroidPerAppVPN ThisIsTheWhiteListBlobForAndroid1
   anyconnect-custom-data perapp DroidPerAppVPN ThisIsTheWhiteListBlobForAndroid2

3. Group-Policy Command - This CLI is used to set the value of a custom AnyConnect® attribute in a group policy:
   group-policy iOSPerAppVPN attributes
   (syntax) anyconnect-custom <AttributeType> value <AttributeName (which maps to the OpaqueBlob)>
   anyconnect-custom perapp value iOSPerAppVPN

4. Dynamic-Access-Policy Command - This CLI is used to set the value of a custom AnyConnect attribute in a DAP record:
   dynamic-access-policy-record AppleiOSPerAppVPN
   (syntax) anyconnect-custom <AttributeType> value <AttributeName (which maps to the OpaqueBlob)>
   anyconnect-custom perapp value iOSPerAppVPN
