Introduction
This document describes support for Umbrella roaming clients and user attribution (Azure AD, OKTA, JAMF Connect, and so on).
Overview
One of the core features of the Umbrella roaming client is the ability to apply a user identity from anywhere to the DNS and Web traffic captured by the client. Currently, there are two major limitations as user identities have evolved. This article describes each limitation and what Cisco Umbrella is doing to address them.
Windows
On Windows platforms, Umbrella currently relies on a Generated UID, or GUID, to perform user identification. This value is ubiquitous in traditional Active Directory; however, it does not exist in Azure AD (by default), Okta, or other cloud-based identity platforms. As a result, a migration is required.
Roaming client versions that fully support Azure AD and other "user name/email"-based identity platforms that are supported by Umbrella cloud include:
- Cisco Secure Client (formerly AnyConnect)
- Cisco Secure Client 5.0 and higher
- AnyConnect 4.10 MR6 (and higher on 4.10)
- Umbrella Roaming Client (end of life)
macOS
There are many options for implementing user identity on macOS: traditional native binding (phasing out), Enterprise Connect (end of life), NoMaD (acquired and launched as JAMF Connect), JAMF Connect, and AppSSO. Cisco currently supports:
- Native Binding
- NoMaD branded implementations
- Enterprise Connect
At this time, Cisco Umbrella has not yet added support for JAMF Connect (formerly NoMaD/NoMaD Login) or AppSSO (Kerberos Extension) in the roaming client. In the future, Cisco releases native MDM profile support for user identity. Any MDM can push a managed preferences profile containing a user email address to set the current user.
Supported versions:
- Cisco Secure Client (formerly AnyConnect)
- Cisco Secure Client 5.0 and higher
- AnyConnect 4.10 MR6 (and higher on 4.10)
- Umbrella Roaming Client
This profile must be pushed to "Managed Preferences" (*/Library/Managed Preferences). This does not function without a version listed above. Contact the Umbrella support team to request a preview version for testing purposes.
Note: Manual deployment of the .plist profile is not supported, as it is removed upon device reboot.
com.cisco.umbrella.client.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>UPN</key>
    <string>user@domain.com</string>
</dict>
</plist>
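A pre-deployment check for the profile above, as an added example (not Cisco's code): it parses a payload and reports a missing or misspelled UPN key, a non-string value, a malformed address, or the sample value user@domain.com left in place, since any of these would leave traffic unattributed or attributed to the wrong user. The function names, the exact-case key requirement, the case-insensitive address comparison, and the example.org addresses are assumptions.

```python
import plistlib
import re

PLACEHOLDER_UPN = "user@domain.com"  # sample value shown on the page
UPN_SHAPE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")  # loose user@domain check


def check_profile(data, expected_upn=None) -> list:
    """Return the problems found in a com.cisco.umbrella.client.plist payload."""
    try:
        prefs = plistlib.loads(data)
    except Exception as exc:  # malformed XML or binary plist
        return [f"not a parseable plist: {exc}"]
    if not isinstance(prefs, dict):
        return ["top-level plist object is not a dict"]
    if "UPN" not in prefs:
        # Assumption: the key must be spelled exactly as on the page.
        near = [k for k in prefs if k.upper() == "UPN"]
        hint = f" (found {near[0]!r}; assumed case-sensitive)" if near else ""
        return ["UPN key missing" + hint]
    upn = prefs["UPN"]
    if not isinstance(upn, str):
        return [f"UPN must be a <string>, got {type(upn).__name__}"]
    problems = []
    if not UPN_SHAPE.fullmatch(upn):
        problems.append(f"UPN {upn!r} is not of the form user@domain")
    if upn.lower() == PLACEHOLDER_UPN:
        problems.append("UPN is still the documentation placeholder")
    # Assumption: addresses are compared case-insensitively.
    if expected_upn and upn.lower() != expected_upn.lower():
        problems.append(f"UPN {upn!r} does not match expected {expected_upn!r}")
    return problems


def make_profile(key, value_xml) -> bytes:
    """Build a constructed sample payload in the page's layout."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
        '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
        f'<plist version="1.0"><dict><key>{key}</key>{value_xml}</dict></plist>\n'
    ).encode()


if __name__ == "__main__":
    # Constructed samples: a correct profile and one with the placeholder left in.
    for value in ("alice@example.org", PLACEHOLDER_UPN):
        payload = make_profile("UPN", f"<string>{value}</string>")
        print(value, "->", check_profile(payload) or "OK")
```
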
Example configuration (JAMF):
Here is an example of distribution with JAMF. Configuration can differ based on your MDM provider.
[Screenshots: jamf2.png, jamf3.png]