Contents

• AnyConnect for BlackBerry Release Notes
• AnyConnect for Blackberry Mobile Devices
• BlackBerry Supported Devices
• Install or Upgrade AnyConnect on BlackBerry Devices
• New Features in AnyConnect 4.0.0.1833 for BlackBerry Mobile Devices
• New Features in AnyConnect 4.0.0.1830 for BlackBerry Mobile Devices
• New Features in AnyConnect 4.0.0.1827 for BlackBerry Mobile Devices
• New Features in AnyConnect 4.0.0.1826 for BlackBerry Mobile Devices
• New Features in AnyConnect 4.0.0.1823 for BlackBerry Mobile Devices
• BlackBerry AnyConnect Feature Matrix
• Adaptive Security Appliance Requirements
• Guidelines and Limitations for AnyConnect on BlackBerry
• Open Issues in AnyConnect for BlackBerry
• Resolved Issues in AnyConnect for BlackBerry
• Resolved Issues in AnyConnect 4.0.0.1827 for BlackBerry
• Resolved Issues in AnyConnect 4.0.0.1826 for BlackBerry
• AnyConnect Mobile Related Documentation

First Published:

Last Updated:

Text Part Number:

AnyConnect for BlackBerry Release Notes

---

AnyConnect for Blackberry Mobile Devices

The AnyConnect Secure Mobility Client provides remote users with secure VPN connections to the Cisco ASA 5500 Series. It provides seamless and secure remote access to enterprise networks allowing installed applications to communicate as though connected directly to the enterprise network. AnyConnect supports connections to IPv4 resources over an IPv4 or IPv6 tunnel.

This document, written for system administrators of the AnyConnect Secure Mobility Client and the Adaptive Security Appliance (ASA) 5500, supplements the Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.0 and provides release specific information for AnyConnect running on BlackBerry devices.

The AnyConnect app is available on BlackBerry World only. Cisco does not distribute AnyConnect mobile apps. Nor can you deploy the mobile app from the ASA. You can deploy other releases of AnyConnect for desktop devices from the ASA while supporting this mobile release.

AnyConnect Mobile Support Policy

Cisco supports the AnyConnect version that is currently available in the app store; however, fixes and enhancements are provided only in the most recently released version.

AnyConnect Licensing

To connect to the ASA headend an AnyConnect 4.x Plus or Apex license is required, trial licenses are available, see the Cisco AnyConnect Ordering Guide.

For the latest end-user license agreement, see Cisco End User License Agreement, AnyConnect Secure Mobility Client, Release 4.x.

For our open source licensing acknowledgments, see Open Source Software Used In Cisco AnyConnect Secure Mobility Client Release 4.0 for Mobile

BlackBerry Supported Devices

Full support for Cisco AnyConnect on BlackBerry is provided on devices running BlackBerry OS 10.3.2 and later. For the best AnyConnect experience, Cisco strongly recommends you upgrade your device to 10.3.2.

See BlackBerry User Guide for Cisco AnyConnect Secure Mobility Client, Release 4.0.x for installation and upgrade procedures.

Install or Upgrade AnyConnect on BlackBerry Devices

Before You Begin

Verify you are using a device supported by AnyConnect, see BlackBerry Supported Devices for details.

Procedure

AnyConnect is available in the BlackBerry World store at http:/​/​appworld.blackberry.com/​webstore/​content/​59952066.

New Features in AnyConnect 4.0.0.1833 for BlackBerry Mobile Devices

This release of Cisco AnyConnect Secure Mobility Client on BlackBerry devices addresses the most recent OpenSSL vulnerabilities.

Cisco recommends that you update to this release. Please review the information on the app page and the Guidelines and Limitations for AnyConnect on BlackBerry to be aware of current operational considerations.

See the BlackBerry AnyConnect Feature Matrix for a list of supported features in this app.

New Features in AnyConnect 4.0.0.1830 for BlackBerry Mobile Devices

This release of Cisco AnyConnect Secure Mobility Client on BlackBerry devices addresses the most recent OpenSSL vulnerabilities.

Cisco recommends that you update to this release. Please review the information on the app page and the Guidelines and Limitations for AnyConnect on BlackBerry to be aware of current operational considerations.

See the BlackBerry AnyConnect Feature Matrix for a list of supported features in this app.

New Features in AnyConnect 4.0.0.1827 for BlackBerry Mobile Devices

AnyConnect 4.0.0.1827 is a maintenance release of Cisco AnyConnect Secure Mobility Client on BlackBerry that resolves OpenSSL December 2015 vulnerabilities (CSCux97316).

Cisco recommends that you update to this release and review the Guidelines and Limitations for AnyConnect on BlackBerry to be aware of current operational considerations.

See the BlackBerry AnyConnect Feature Matrix for a list of supported features in this app.

New Features in AnyConnect 4.0.0.1826 for BlackBerry Mobile Devices

AnyConnect 4.0.0.1826 is a maintenance release of Cisco AnyConnect Secure Mobility Client on BlackBerry. See the BlackBerry AnyConnect Feature Matrix for a list of supported features in this app.

Cisco recommends that you review the Guidelines and Limitations for AnyConnect on BlackBerry to be aware of current operational considerations.

New Features in AnyConnect 4.0.0.1823 for BlackBerry Mobile Devices

AnyConnect 4.0.0.1823 is the initial release of Cisco AnyConnect Secure Mobility Client on BlackBerry. See the BlackBerry AnyConnect Feature Matrix for a list of supported features in this app.

Cisco recommends that you review the Guidelines and Limitations for AnyConnect on BlackBerry to be aware of current operational considerations.

BlackBerry AnyConnect Feature Matrix

The following remote access features are supported by Cisco AnyConnect on BlackBerry:

Category: Feature	BlackBerry
Deployment and Configuration:
Install or upgrade from Application Store	Yes
Cisco VPN Profile support (manual import)	No
Cisco VPN Profile support (import on connect)	Yes, new profile overwrites existing one.
MDM configured connection entries	Yes, using BDS, new profile overwrites existing one.
User-configured connection entries	Yes
Tunneling:
TLS	Yes
Datagram TLS (DTLS)	Yes
IPsec IKEv2 NAT-T	Yes, must be enabled and configured on the device by the user. Only EAP authentication is supported.
IKEv2 - raw ESP	No
Suite B (IPsec only)	Yes
TLS compression	Yes
Dead peer detection	Yes, disabled by default. If no response is received to three DPD packets in a row, the device will close the tunnel or the ASA will suspend the tunnel until DPD exchange is re-established.
Tunnel keepalive	Yes, disabled by default
Multiple active network interfaces	No
Per App Tunneling (requires Plus or Apex license and ASA 9.4.2 or later)	No
Full tunnel (OS may make exceptions on some traffic, such as traffic to the app store)	Yes
Split tunnel (split include)	Yes
Local LAN (split exclude)	No
Split-DNS	Yes, Until BlackBerry supports more than 2 DNS servers, the Admin should configure only one private DNS server on the ASA end.
Auto Reconnect / Network Roaming	Yes, BBRY OS feature, when enabled the VPN connection will be automatically established. May require the user to re-enter credentials.
VPN on-demand (triggered by destination)	No
VPN on-demand (triggered by application)	No
Rekey	Yes, for TLS and DTLS inline (same socket) and new-tunnels (new socket).
IPv4 public transport	Yes
IPv6 public transport	No
IPv4 over IPv4 tunnel	Yes
IPv6 over IPv4 tunnel	No
Default domain	Yes
DNS server configuration	Yes, max of 2
Private-side proxy support	Yes, for URL, HTTP and HTTPS. These take precedence of other proxy setting pushed to the device. FTP and Auto proxy not supported.
Proxy Exceptions	No
Public-side proxy support	No
Pre-login banner	Yes, if BlackBerry's Auto-Connect is enabled, a banner will be shown only once for the session. If BDS pushes credentials to the device, banners may not be shown.
Post-login banner	Yes
DSCP Preservation	No
Connecting and Disconnecting:
VPN load balancing	Yes
Backup server list	Yes
Optimal Gateway Selection	No
Authentication:
SAML 2.0	No
Client Certificate Authentication	Yes
Online Certificate Status Protocol (OCSP)	No
Manual user certificate management	Yes, using BBRY device capabilities.
Manual server certificate management	Yes, using BBRY device capabilities.
SCEP legacy enrollment Please confirm for your platform.	Yes, if enabled, these obtained certificates will override BDS pushed certificates. BDS may disable this feature.
SCEP proxy enrollment Please confirm for your platform.	Yes
Automatic certificate selection	No
Manual certificate selection	Yes
Smart card support	No
Username and password	Yes, also pushed in BDS VPN Profile.
Tokens/challenge	Yes
Double authentication	Yes
Group URL (specified in server address)	Yes
Group selection (drop-down selection)	Yes
Credential prefill from user certificate	Yes, AnyConnect or BDS
Save password	Yes, by BDS, AnyConnect does not save passwords.
User interface:
Standalone GUI	No
Native OS GUI	Yes
API / URI Handler (see below)	No
UI customization	Yes
UI localization	No
User preferences	No
Home screen widgets for one-click VPN access	No
AnyConnect specific status icon	No
Mobile Posture: (AnyConnect Identity Extensions, ACIDex)
Serial number or unique ID check	No
OS and AnyConnect version shared with headend	Yes
URI Handling:
Add connection entry	No
Connect to a VPN	No
Credential pre-fill on connect	No
Disconnect VPN	No
Import certificate	No
Import localization data	No
Import XML client profile	No
External (user) control of URI commands	No
Reporting and Troubleshooting:
Statistics	Yes
Logging / Diagnostic Information (DART)	Yes
Certifications:
FIPS 140-2 Level 1	No

Adaptive Security Appliance Requirements

A minimum release of the ASA is required for the following features:

Note	Refer to the feature matrix for your platform to verify the availability of these features in the current AnyConnect mobile release.

• You must upgrade to ASA 9.3.2 or later to use TLS 1.2.

• You must upgrade to ASA 9.0 to use the following mobile features:

  • IPsec IKEv2 VPN

  • Suite B cryptography

  • SCEP Proxy

  • Mobile Posture

• ASA Release 8.0(3) and Adaptive Security Device Manager (ASDM) 6.1(3) are the minimum releases that support AnyConnect for mobile devices.

Guidelines and Limitations for AnyConnect on BlackBerry

• Enabling Split DNS can break VPN connections. Blackberry supports a maximum of two DNS servers. Our ASA configured DNS server takes precedence because it is prepended in the DNS server list, so our ASA configured DNS server is applied to the tun adapter. If the ASA configures two private DNS servers without DNS forwarding in the ASA side, then DNS resolution of public network will fail.

  Work around: Until BlackBerry supports more than 2 DNS servers, the Admin should configure only one private DNS server on the ASA end.

• AnyConnect VPN profiles which are pushed to devices from an ASA headend, block all untrusted servers by default. This may be preventing a successful VPN connection. Disable this setting to provide the user with the option to accept or deny connections to untrusted servers

• IPsec IKEv2 VPN connections must be enabled and configured manually on the device by the user. Only EAP authentication is supported when connecting to the ASA headend.

Open Issues in AnyConnect for BlackBerry

None

Resolved Issues in AnyConnect for BlackBerry

Resolved Issues in AnyConnect 4.0.0.1827 for BlackBerry

Identifier	Headline
CSCuw64759	VPN disconnecting for Auto proxy enabled profile
CSCux01580	BB10: Challenge authentication message displayed as strange characters
CSCux97316	Evaluation of anyconnect for OpenSSL December 2015 vulnerabilities

Resolved Issues in AnyConnect 4.0.0.1826 for BlackBerry

Identifier	Headline
CSCuw64759	VPN disconnecting for Auto proxy enabled profile
CSCux01580	BB10: Challenge authentication message displayed as strange characters

AnyConnect Mobile Related Documentation

For more information refer to the following documentation:

• AnyConnect Release Notes

• AnyConnect Administrator Guides

• Navigating the Cisco ASA Series Documentation

Copyright © 2015-2017, Cisco Systems, Inc. All rights reserved.