Manage Pop-Ups and App Controls

You can set up the Cisco Secure Client (formerly known as AnyConnect) in your MDM to launch automatically on the managed Android devices in your organization. When you deploy the client for the first time, the app displays a series of pop-up windows that require the user to accept the app's configuration on the device. Though an MDM, you can configure various app settings to deploy the client seamlessly with Umbrella DNS security and remote VPN access.

Table of Contents

• App Settings and First-Time Launch
  • Benefits of Enabling Always-On VPN with Umbrella
• Configure the App for Umbrella DNS and Remote VPN
• Add Android Restriction
• Additional Notes

App Settings and First-Time Launch

Settings that affect the first-time launch of the app:

• SEULA (Software End User License Agreement)—You can accept the SEULA agreement on the device automatically by setting the accept_seula_for_user property key to true on the Managed App Configuration in the MDM.
• VPN Connection Request for Umbrella—You can accept the VPN Connection Request for Umbrella property on the device automatically by enabling the settings in your MDM for Always-on VPN.

Benefits of Enabling Always-On VPN with Umbrella

The Always-on VPN Android setting configures the client's VPN connection requests. Always-on VPN enables the managed devices in the organization to stay connected to the virtual private network.

• Users do not have to accept the VPN connection request manually during the first-time activation of the client.
• Users on an Android 14 device do not have to manually start the Umbrella service (click Activate Umbrella Protection) during the first-time activation of the client.

For more information about Always-on VPN, see Android Help.

Configure the App for Umbrella DNS and Remote VPN

• Configure the App for Umbrella without Remote VPN
• Configure the App for Umbrella with Remote VPN

Configure the App for Umbrella Without Remote VPN

Configure the client with Umbrella DNS security only. The client is not configured to make remote VPN connections.

1. On the VPN profile in your MDM, enable the Always-on VPN Android setting, and then choose Cisco Secure Client as the VPN app.
   Note: With Always-on VPN enabled, the Secure Client does not require that you enable the Lockdown Android setting. For more information, refer to your specific MDM documentation.
2. On the client's Managed App Configuration in your MDM, set the vpn_always_on_umbrella_only property key to true.

Note: When you configure Umbrella DNS security on a device without the option to make remove VPN connections, the Secure Client enables a VPN session only to get DNS traffic and protect the device with Umbrella DNS security. The Secure Client does not create an IPsec network tunnel to a remote VPN headend.

Configure the App for Umbrella With Remote VPN

Configure the client with Umbrella DNS security and enable the client to make remote VPN connections.

Umbrella DNS security is available only on Android devices that have the Cisco Secure Client VPN deployed. Android prevents more than one VPN app running on a device at the same time. The Secure Client does not function with third-party VPNs.

• Client configuration that enables the Always-on VPN Android setting.

1. On the VPN profile in your MDM, enable the Always-on VPN Android setting, and then choose Cisco Secure Client as the VPN app.
   Note: With Always-on VPN enabled, the Secure Client does not require that you enable the Lockdown Android setting. For more information, refer to your specific MDM documentation.
2. On the client's Managed App Configuration in your MDM, set the vpn_always_on_umbrella_only property key to false.

• Client configuration that disables the Always-on VPN Android setting.

1. On the VPN profile in your MDM, disable the Always-on VPN Android setting, and then choose Cisco Secure Client as the VPN app.
2. On the VPN profile in your MDM, disable  the Lockdown Android setting.

Add Android Restriction

You can enhance the security on your managed Android devices with additional app controls.

• Configure the App Permissions Android Setting with the Permissions list set to Fetch permissions and the Permissions configuration set to android.permission.POST_NOTIFICATION.
• Add the App Control Android setting in the MDM for the client. The App Control setting prevents users from uninstalling, clearing app data, and force stopping the client.

Additional Notes

• The client does not function with Per-app VPN (Android setting that configures the apps on the device that can send traffic to the VPN) or third-party VPNs.

• If you cannot disable Lockdown mode, then you must disable Always-on VPN. Otherwise, the client does not load properly.

• When you enable Always-on VPN, Lockdown mode can remain disabled. The Lockdown mode setting blocks all connections on the device.

• Not all MDMs are alike. MDMs may not support every option in the client's configuration. Refer to your specific MDM documentation for details.

• If you use Always-on VPN to connect to a remote VPN automatically, then no further changes are required. In this case, do not set the vpn_always_on_umbrella_only property.

• If you cannot enable Always-on VPN, the user must launch the Cisco Secure Client manually and accept the request in the VPN Connection Request for Umbrella pop-up. After the request is accepted, the client deploys and starts Umbrella DNS security on the device.

Push the Umbrella Certificates to Devices < Manage Pop-Ups and App Controls > Manage Identities