The Umbrella Documentation Hub

Welcome to the Umbrella documentation hub. Here you'll find access to all of our Cisco Umbrella user guides.

Get Started    

Umbrella Module for AnyConnect (Android OS)


The Cisco Umbrella Module for AnyConnect for Android OS is a roaming client for managed Android devices that offers protection from internet threats at the DNS layer. The Umbrella module adds DNS level protection to the Android device. This protection extends to both apps and browser-based traffic.

A mobile device management system (MDM) is required to deploy this client to mobile devices and to push the Umbrella configuration to the mobile devices.

Device Security

There are two deployment modes for the Umbrella module for AnyConnect:

  • Personal "bring your own device" (BYOD)
  • Organization-owned device

The main difference between the two scenarios is that on a personal device, only the traffic generated within the work profile is protected. If the device is corporate-owned and entirely under MDM management, traffic from all apps and browsers on the device is protected. The following illustration shows the difference:


  • Android Enterprise compatible Device Admin (DA) is not supported at this time.
  • An MDM for deploying the software. The following MDMs have been tested, and you should be able to use any MDM:
    • MobileIron
    • Meraki
    • VMWare WorkspaceOne (Airwatch)
    • Microsoft InTune
    • Samsung Knox
    • Google Admin Console (GSuite)
  • Android (e.g., Samsung, Google Pixel) mobile devices with Android OS version 6.0.1 and above.
  • Umbrella license to configure DNS policies, manage registered Android devices, and for reporting.
  • If VA detection is not enabled, your firewall should allow all outbound connections to Umbrella resolvers ( on ports 443 and 53 from Android devices.
  • For Trusted Network Detection (TND):
    • Umbrella module backs off only when detecting a virtual appliance (VA) with HTTPS enabled in the network.
    • All VA FQDN in umbrella_va_fqdns must be enabled.
    • If the VA is not configured to support HTTPS then the Umbrella cannot back off.
    • A VA certificate should be pushed to all the Android devices
    • VA certificates should contain Subject Alternate Name (SAN) for umbrella to back off

Known Issues

The app download may fail in the Google Play store after enabling the Umbrella AnyConnect module. This is a known limitation from Google on Android OS. To avoid this, download the apps before enabling the Umbrella module. Google has fixed this behavior in Android OS “Q”. For more information, see the Google issue tracker.

Some features may not work correctly on Huawei devices. For more information, see Troubleshooting and the Frequently Asked Questions.

Umbrella Android Module for AnyConnect > Android Configuration Download

Updated a day ago

Umbrella Module for AnyConnect (Android OS)

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.