Frequently Asked Questions

Does the Cisco Secure Client with Umbrella module require an AnyConnect license?
No. Only an active Umbrella subscription is required to use the Cisco Secure Client with Umbrella module. No additional licenses are required.

Which MDMs are supported?
The client is MDM-agnostic and any MDM should be able to deploy it. However, we have validated the following MDMs in our lab: Cisco Meraki, MobileIron, VMware Workspace One, Microsoft Intune, and Samsung Knox.

Which versions of Android OS are supported by the Cisco Secure Client?
Cisco Secure Client supports Android OS versions 6.0.1 and above.

Does the Cisco Secure Client work on unmanaged Android devices?
Yes. The Cisco Secure Client works on managed (fully managed and work profile) and unmanaged Android devices. For more information, see End-User Actions.

Does this client protect my entire Android mobile device?
For full details on device protection, see Cisco Secure Client (Android OS).

Does the Cisco Secure Client support the Umbrella Secure Internet Gateway (SIG)?
No. The client supports DNS-layer security only.

Are there any differences between the Cisco Secure Client with Umbrella module and the Endpoint Roaming Client (ERC)?
The feature differences between Cisco Secure Client and ERC are detailed below:

FeatureERCCisco Secure Client
Supported PlatformsWindows, MacOSAndroid
DNS-layer security blocks phishing and malicious domainsYesYes
DNS logs augmented with endpoint IP informationYesYes
Intelligent ProxyYesYes
EDNS message encryption between client and resolverYesYes
Customizable block pageYesYes
User-based policiesYesYes
Organization-wide policiesYesYes
Safe SearchYesYes
IP BlockingYesNo

Why does app download stop working as soon as the Umbrella protection is active?
A VPN connection is used to provide Umbrella protection on Android devices. After connecting to a VPN session one cannot download anything from the Google Play store. This is a known limitation in Android OS v9 and lower. To avoid this, download the apps before enabling VPN (i.e. Umbrella protection). This situation was corrected as of Android OS v10. Very few Android device manufacturers have included the update in their releases for Android versions older than v10. Refer to the Google issue tracker for more details.

Can I use a private DNS along with Umbrella protection?
No. Any private DNS must be turned off for DNS interception to work.

Can I use another VPN client along with the Cisco Secure Client with Umbrella module?
No. Due to Android OS limitations, two VPN sessions cannot run simultaneously. AnyConnect supports remote access VPN connections along with Umbrella DNS protection. As a best practice, Cisco recommends using AnyConnect for both Remote Access VPN and Umbrella protection needs.

Does Cisco Secure Client support IPv6?
Not in the current release. This feature planned for inclusion in future releases.

Does Cisco Secure Client support TCP DNS requests?
No. The current release supports only DNS on UDP.

How do I get the Android ID?
To obtain your Android ID, either:

  • Launch the AnyConnect app, or
  • In Umbrella Security, click Options. Then navigate to Umbrella Statistics to find the Android ID.

Why do I see multiple entries on the umbrella dashboard for the same serial number?
Multiple entries for the same device appear in these circumstances:

  • The user creates and deletes work profiles several times.
  • The device is used my more than one user, each with their own login.
  • The user tries to factory reset the device multiple times.

As an admin, how can I know whether users are using the app and the device is protected?
In the Umbrella dashboard, navigate to Deployments > Core Identities > Mobile Devices. Once there:

  • Verify that the Android ID of the device is registered with Umbrella.
  • Verify that the Android ID of the device is syncing regularly by checking for the last sync details.

Why am I able to browse blocked websites when the device says I am protected?
When the UAC is installed within the work profile, only the browser installed within the work profile is blocked from browsing blocked websites. When the UAC is installed in a fully managed device, and Umbrella protection is on, all the browsers on the device are blocked from such sites.

Can I use Umbrella Protection with the AnyConnect VPN?
Yes, Umbrella protection can be used when the remote VPN is on (that is, when the AnyConnect VPN is active).

How can I verify that Trusted Network Detection is working (Umbrella protection deactivates when a VA is detected in the network)?
Umbrella protection is deactivated when the UAC detects a VA in the network, unless the prerequisites are not met. For example:

  • The VA and Android device belong to different Umbrella organizations
  • The VA is not configured to HTTPS event mode
  • The VA domain is not signed with a public certificate or the self-signed certificate has not been installed on the Android device.

For more information, see Android module prerequisites.

Troubleshooting < Frequently Asked Questions