MobileIron MDM

By downloading an XML file from Umbrella, optionally updating it, and then pasting its contents into your MobileIron system, MobileIron is able to push configuration information to both the Cisco Secure Client and Umbrella so that your Android device is registered with Umbrella. The result is that your Android device is protected by Umbrella.


MobileIron Details

For more information about using the Cisco Umbrella AnyConnect module with the MobileIron Mobile Device Manager, refer to MobileIron documentation, which is available online at MobileIron's website.

Table of Contents


  • An Android Enterprise compatible device deployment. The legacy Device Admin (DA) system is not supported at this time
  • Android mobile devices running Android OS version 6.0.1 and above. Devices examples are Samsung, Google, and Motorola. FireOS devices and other Android forks are not supported.
  • An MDM for deploying the software; in this case, MobileIron.
  • Access to an Umbrella subscription including mobile device coverage.
  • A network meeting access requirements.
    • Access over UDP 53 and UDP 443 to from the device.
  • For on-network scenarios, Trusted Network Detection (TND) may also be used to disable the client on network and pass traffic to a Virtual Appliance. The following prerequisites apply:
    • All VAs in use are defined by FQDN (IPs entered will not allow the client to go into trusted network mode) in the umbrella_va_fqdns configuration property.
      • The format for this field is comma separated, for example, (,
    • VAs must be registered to the same Umbrella organization as the Android devices.
    • HTTPS mode for user events enabled on the Virtual Appliance.
      • If the VA’s FQDN is not publicly signed, the self-signed root certificate for the VA domain used for HTTPS mode on the VA must also be pushed to the Android device to sign the connection.
      • VA certificates should contain Subject Alternate Name (SAN) matching the VA’s configured domain to successfully communicate with the VA over HTTPS mode.
      • For more information on how to configure HTTPS mode on the VA, see Umbrella Virtual Appliance: Receiving User-IP mappings Over a Secure Channel.

Configure the App

  1. In your MobileIron admin dashboard, add a label.
  2. In your MobileIron dashboard, navigate to Apps > App Catalog.
  1. Search for the app by name: AnyConnect or by bundle id:
  2. Click AnyConnect and open its Description page.
1600 888
  1. Click Edit and expand Default Configuration for AnyConnect.
  2. Scroll to Umbrella Organization Id, Umbrella Registration Token, and Umbrella VA FQDN.
  1. Open the file you saved in the section Android Configuration Download. Copy and paste the organizationid and regToken values from the file into Umbrella Organization Id and Umbrella Registration Token.
  2. Add the Umbrella VA FQDN IPs if there is a VA in the network.
  3. Click Save.
  4. Apply the label you created to the Android app. This label enables the administrator to push the app to managed Android devices.
  5. Upload the VA certificate to the MDM and push it to all users.
  6. Apply the label you created to the Android app.

The label enables you to push the app to specific users.

Push the App

  1. In your MobileIron dashboard, navigate to Devices & Users > Devices.
  2. Select a registered device from the Devices List.
  3. Apply the label to the device.
  4. Select Force Device Check-In from the Actions menu to push the app to the selected device.

Push User Identities

When user identities are pushed to Umbrella, you can identify and search users and devices. For more information, see Manage Identities.

Push the Umbrella Certificate

For more information, see Push the Umbrella Certificate to Devices.

Manage Pop-Ups and App Controls

For information about configuring the client's deployment options, see Manage Pop-Ups and App Controls.

Cisco Meraki MDM < MobileIron MDM > VMware Workspace One