Configure Application-Based VPN Tunnels

After you install and configure your MDM software, you can enable Per App VPN on the threat defense headend device. Once enabled on the headend, your MDM software will control which applications are tunneled over the VPN to the corporate network.

Before you begin

  • Ensure that you have a remote access VPN policy in the management center.

  • Configure Per App VPN using MDM and enroll each device to the MDM server.

  • Download the Cisco AnyConnect Enterprise Application Selector.

Procedure


Step 1

Use the Cisco AnyConnect Enterprise Application Selector to define the Per App VPN policy.

We recommend that you create a simple Allow All policy, and define the allowed applications in the MDM. However, you can specify a list of applications to allow and control the list from the headend. If you want to include specific applications, create a separate rule for each application, using a unique name and the application’s app ID. For more information on getting the app IDs, see Determine the Application IDs for Mobile Apps.

To create an Allow All policy that supports both Android and iOS platforms using the AnyConnect Enterprise Application Selector:

  1. Choose Android from the drop-down list as the platform type and configure the following options:

    • Friendly Name—Enter a name for the policy. For example, Allow_All.

    • App ID—Enter *.* to match all possible applications.

    • Leave the other options.

  2. Choose iOS from the drop-down list as the platform type and configure the following options:

    • Friendly Name—Enter a name for the policy. For example, Allow_All.

    • App ID—Enter *.* to match all possible applications.

    • Leave the other options.

  3. Choose Policy > View Policy to get the base64 encoded string for the policy.

    This string contains an encrypted XML file that allows the threat defense to see the policies. Copy this value. You need this string when you configure Per App VPN on the threat defense.

Step 2

Use the management center to enable Per App VPN on the threat defense headend device.

  1. Choose Devices > Remote Access.

  2. Select a remote access VPN policy and click Edit.

  3. Select a connection profile and click Edit.

  4. Click Edit Group Policy.

  5. Click the Secure Client tab.

  6. Click Custom Attributes and click +.

  7. Choose Per App VPN from the Secure Client Attribute drop-down list.

  8. Choose an object from the Custom Attribute Object drop-down list or click + to add an object.

    When you add a new custom attribute object for Per App VPN, enter the name, description, and the base64 encoded policy string from the Cisco AnyConnect Enterprise Application Selector.

  9. Click Save.

  10. Click Add and click Save.
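To check the rule set from Step 1 and the policy string pasted in Step 2 before committing them, here is an added Python example (not Cisco code and not the Application Selector's own format): it models each rule as platform, friendly name and app ID pattern, enforces the one-rule-per-application naming from Step 1, shows which installed apps an Allow All policy versus a headend app list would tunnel, and sanity-checks the copied base64 string. The rule and app ID values are constructed for the example.

```python
import base64
import binascii
import fnmatch
from dataclasses import dataclass

# Added example: a minimal model of the Per App VPN rules built in the
# Enterprise Application Selector. Field names follow the procedure text;
# the real policy encoding is not reproduced here.

@dataclass(frozen=True)
class AppRule:
    platform: str       # "Android" or "iOS"
    friendly_name: str  # e.g. "Allow_All"
    app_id: str         # "*.*" for all apps, or one app's ID

def validate_rules(rules):
    """Reject rule sets the procedure would not produce: an unsupported
    platform, or two rules sharing a friendly name on the same platform."""
    seen = set()
    for r in rules:
        if r.platform not in ("Android", "iOS"):
            raise ValueError(f"unsupported platform: {r.platform}")
        key = (r.platform, r.friendly_name)
        if key in seen:
            raise ValueError(f"duplicate rule name {r.friendly_name!r} on {r.platform}")
        seen.add(key)
    return True

def tunneled_apps(rules, platform, installed):
    """Headend-side view: installed app IDs that some rule for this platform
    allows into the tunnel. With an Allow All policy the MDM narrows this
    further; with a headend app list this is the final set. The pattern
    "*.*" matches every reverse-DNS style app ID (constructed values)."""
    patterns = [r.app_id for r in rules if r.platform == platform]
    return sorted(a for a in installed
                  if any(fnmatch.fnmatchcase(a, p) for p in patterns))

def looks_like_policy_string(s):
    """Sanity check on the string copied from Policy > View Policy: it must
    be non-empty, strictly valid base64, and carry no stray whitespace from
    the copy/paste. This does not decode or verify the policy itself."""
    if not s or s != s.strip():
        return False
    try:
        base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True
```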

Step 3

Deploy your changes on the management center.


What to do next

  1. Launch the Secure Client, select the VPN profile, and connect to the VPN.

  2. Verify the configuration. For more information, see Verify Per App Configuration.