Support Umbrella Roaming Clients and User Attribution

Available Languages

Download Options

  • PDF     (326.5 KB)
    View with Adobe Reader on a variety of devices
Updated:October 1, 2025
Document ID:224998

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes support for Umbrella roaming clients and user attribution (Azure AD, OKTA, JAMF Connect, and so on).

    Overview

    One of the core features of the Umbrella roaming client is the ability to apply a user identity from anywhere to the DNS and Web traffic captured by the client. Currently, there are two major limitations as user identities have evolved. This article describes each limitation and what Cisco Umbrella is doing to address them. 

    Windows

    On Windows platforms, Umbrella currently relies on a Generated UID, or GUID to perform user identification. This value is ubiquitous on traditional Active Directory; however, does not exist on Azure AD (by default), Okta, or other cloud-based identity platforms. As a result, a migration is required. 

    Roaming client versions that fully support Azure AD and other "user name/email"-based identity platforms that are supported by Umbrella cloud include: 

    • Cisco Secure Client (formerly AnyConnect)
      • Cisco Secure Client 5.0 and higher
      • AnyConnect 4.10 MR6 (and higher on 4.10)
    • Umbrella Roaming Client (end of life)
      • 3.0.328 and higher

    macOS

    There are many options to implement user identity with macOS, from traditional native binding (phasing out), Enterprise Connect (end of life), NoMaD (acquired and launched as JAMF Connect), JAMF Connect, and AppSSO. Cisco currently supports:

    • Native Binding
    • NoMaD branded implementations
    • Enterprise Connect

    At this time Cisco Umbrella has not yet added support for JAMF Connect (formerly NoMaD/NoMaD Login) or AppSSO (Kerberos Extension) in the roaming client. In the future, Cisco releses a native MDM profile support for user identity. Any MDM can push a managed preferences profile containing a user email address to set the current user by MDM. 

    Support versions:

    • Cisco Secure Client (formerly AnyConnect)
      • Cisco Secure Client 5.0 and higher
      • AnyConnect 4.10 MR6 (and higher on 4.10)
    • Umbrella Roaming Client
      • 3.0.22 and higher

    This profile must be pushed to "Managed Preferences" (*/Library/Managed Preferences). This does not function without a version listed above. Contact the Umbrella support team to request a preview version for testing purposes. 

    note-icon

    Note: Manual deployment of the .plist profile is not supported, as it is removed upon device reboot.

    com.cisco.umbrella.client.plist
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>UPN</key>
    <string>user@domain.com</string>
    </dict>
    </plist>

    Example configuration (JAMF):

    Here is an example of distribution with JAMF. Configuration can differ based on your MDM provider.

    jamf2.pngjamf2.pngjamf3.pngjamf3.png

    Revision History

    Revision Publish Date Comments
    1.0
    01-Oct-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products