Cisco Cisco AnyConnect Secure Mobility Client v4.x Release Notes
Traditional VPN system-tunneling, as a full-tunneling or split-tunneling configuration, directs packets over the tunnel or in-the-clear
based on the destination address. Per App VPN tunneling, operating at Layer 7, directs data over the tunnel or in-the-clear based on
the originating app. Per App VPN is split tunneling that allows only data from approved apps to reach the enterprise network.
based on the destination address. Per App VPN tunneling, operating at Layer 7, directs data over the tunnel or in-the-clear based on
the originating app. Per App VPN is split tunneling that allows only data from approved apps to reach the enterprise network.
In Per App VPN tunneling mode, a connection is established for a specific set of apps on the mobile device. The set of apps which
AnyConnect tunnels data for are defined by the administrator on the ASA headend using the AnyConnect Enterprise Application
Selector tool and the ASA Custom Attributes mechanism. This list of identified and approved apps is sent to the AnyConnect client
and used to enforce Per App VPN tunneling on the device. For all other apps not on the list, data is sent outside of the tunnel or
in-the-clear.
AnyConnect tunnels data for are defined by the administrator on the ASA headend using the AnyConnect Enterprise Application
Selector tool and the ASA Custom Attributes mechanism. This list of identified and approved apps is sent to the AnyConnect client
and used to enforce Per App VPN tunneling on the device. For all other apps not on the list, data is sent outside of the tunnel or
in-the-clear.
Your Mobile Device Managermust configure mobile devices to tunnel the same list of apps that AnyConnect is configured to tunnel.
A discrepancy in the set of tunneled apps between the ASA headend and the Mobile Device Manager may cause unexpected app
behavior. For a seamless, automatic configuration, configure App on Demand in your MDM configuration, and use digital certificates
for connectivity to the headend.
A discrepancy in the set of tunneled apps between the ASA headend and the Mobile Device Manager may cause unexpected app
behavior. For a seamless, automatic configuration, configure App on Demand in your MDM configuration, and use digital certificates
for connectivity to the headend.
AnyConnect determines which mode it operates in based on configuration information received from the ASA headend. Specifically,
the presence or absence of a Per App VPN custom attribute in the Group Policy or Dynamic Access Policy (DAP) associated with
the connection when the session is being established. If the Per App VPN list is present, AnyConnect operates in Per App VPN mode;
if it is absent, AnyConnect operates in system-tunneling mode.
the presence or absence of a Per App VPN custom attribute in the Group Policy or Dynamic Access Policy (DAP) associated with
the connection when the session is being established. If the Per App VPN list is present, AnyConnect operates in Per App VPN mode;
if it is absent, AnyConnect operates in system-tunneling mode.
Apple iOS AnyConnect Feature Matrix
The following features are supported in AnyConnect for Apple iOS devices:
Apple iOS
Category: Feature
Deployment and Configuration:
Yes
Install or upgrade from Application Store
Yes
Cisco VPN Profile support (manual import)
Yes
Cisco VPN Profile support (import on connect)
Yes
MDM configured connection entries
Yes
User-configured connection entries
Tunneling:
Yes
TLS
Yes
Datagram TLS (DTLS)
Yes
IPsec IKEv2 NAT-T
No
IKEv2 - raw ESP
Yes
Suite B (IPsec only)
Yes, 32-bit devices only
TLS compression
Yes
Dead peer detection
Yes
Tunnel keepalive
No
Multiple active network interfaces
11