Cisco AnyConnect Secure Mobility Client v3.x Release Notes
Release Notes for Cisco AnyConnect Secure Mobility Client 3.0.x for Android Mobile Devices
New Features in AnyConnect 3.0.09073
SCEP Proxy
Simple Certificate Enrollment Protocol (SCEP) Proxy provides secure deployment of device certificates
from third-party Certificate Authorities (CAs). It allows a mobile user to enroll with an internal CA
without exposing the CA to external access.
With AnyConnect 3.0, an ASA 9.0 or later acts as a proxy for SCEP requests and responses that flow
between the AnyConnect mobile device and the internal CA. Mobile devices rely on the ASA to know
the identity of the CA, and do not access it directly. The received certificate is used to automatically
connect after being imported into the AnyConnect certificate store on the mobile device.
For more information, see
section in the Cisco
AnyConnect Secure Mobility Client Administrator Guide, Release 3.0 manual.
Guidelines and Limitations
• Depending on network characteristics, SCEP proxy activity can take more than a few seconds. The
user receives a message when the certificate has been received by the AnyConnect client.
• Using SCEP for certificate enrollment, proxy method or legacy method, is not compatible with
mobile devices running in FIPS mode. Plan your deployment accordingly.
Trusted Network Detection
Trusted Network Detection (TND) provides AnyConnect the ability to automatically disconnect a VPN
when the user is inside the corporate network (on a trusted network) and to start the VPN connection
when the user is outside the corporate network (on an untrusted network).
Administrators enable this feature in the AnyConnect client profile, define which networks are trusted
or untrusted, and set behavior when it detects network transitions. For details, see the
section in the Cisco AnyConnect Secure Mobility Client Administrator
Guide, Release 3.0 manual.
AnyConnect 3.0 on Android allows users to disable and enable Trusted Network Detection (TND) on
their own device if it has been configured by the administrator. To do this, users set the
Menu > Settings > Trusted Network Detection option.
TND requires the AnyConnect app to be running. If the user has exited the application using Menu >
Exit or has forced the app to stop using the Android settings, AnyConnect will be unable to detect a
trusted network.
TND does not interfere with the user’s ability to manually establish a VPN connection and does not
disconnect a VPN connection started while on a trusted network. TND only disconnects the VPN session
if the device first connects (automatically or manually) while on an untrusted network and then moves
into a trusted network.
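The TND rules above, as a small Python model (an added example, not Cisco code or part of these release notes). It assumes the administrator's profile disconnects on trusted networks and connects on untrusted ones, and that a session started on a trusted network stays exempt from automatic disconnect for its whole lifetime; the names TndModel and trace are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class TndModel:
    """Toy model of the TND rules stated in these notes; not Cisco code."""
    network: str = "trusted"              # "trusted" or "untrusted"
    tnd_enabled: bool = True              # the user's TND setting on the device
    app_running: bool = True              # TND requires the app to be running
    session_origin: Optional[str] = None  # network the VPN started on; None = no VPN

    def manual_connect(self) -> None:
        # TND does not interfere with manually establishing a VPN connection.
        if self.session_origin is None:
            self.session_origin = self.network

    def move_to(self, network: str) -> None:
        self.network = network
        if not (self.tnd_enabled and self.app_running):
            return  # no detection happens, so the VPN state is left alone
        if network == "untrusted" and self.session_origin is None:
            self.session_origin = "untrusted"   # VPN started automatically
        elif network == "trusted" and self.session_origin == "untrusted":
            self.session_origin = None          # VPN disconnected automatically
        # A session that began on a trusted network is never disconnected by TND.

def trace(model: TndModel, events: List[str]) -> List[bool]:
    """Apply events ("connect", "trusted", "untrusted"); return VPN-up after each."""
    states = []
    for event in events:
        if event == "connect":
            model.manual_connect()
        else:
            model.move_to(event)
        states.append(model.session_origin is not None)
    return states

if __name__ == "__main__":
    # Constructed scenarios, one per rule in the text.
    scenarios = {
        "leave office, come back": (TndModel(), ["untrusted", "trusted"]),
        "manual VPN started in office": (TndModel(), ["connect", "untrusted", "trusted"]),
        "app exited before leaving": (TndModel(app_running=False), ["untrusted"]),
        "user switched TND off": (TndModel(tnd_enabled=False), ["untrusted", "connect", "trusted"]),
    }
    for name, (model, events) in scenarios.items():
        print(f"{name}: {list(zip(events, trace(model, events)))}")
```

The third scenario is the one to watch in a deployment review: with the app exited, the device sits on an untrusted network with no VPN and nothing starts one.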
Note
The Trusted Network Detection feature is not available in the AnyConnect ICS+ package, the Android
VPN Framework Package. It is only available in the brand-specific and rooted AnyConnect packages.