Deploy Secure Client with Umbrella Protection on Android via Zero-Touch MDM

Available Languages

Download Options

PDF (873.7 KB)
View with Adobe Reader on a variety of devices
ePub (941.9 KB)
View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
Mobi (Kindle) (710.5 KB)
View on Kindle device or Kindle app on multiple devices

Updated:October 27, 2025

Document ID:225302

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes how to deploy Cisco Secure Client with the Umbrella module on Android devices using zero-touch deployment.

Background Information

You can deploy Cisco Secure Client with the Umbrella module on Android devices using zero-touch deployment through MDM solutions such as Workspace One, Cisco Meraki, or Microsoft Intune. This process enables seamless DNS-layer protection for apps and browser traffic, ensures Always On VPN is enabled, and eliminates user intervention for VPN and SEULA acceptance.

Prerequisites

Complete Android Enterprise Mobility Management (EMM) registration and device enrollment with work profile creation.
The MDM app (Hub) must be visible under the work profile.
Assign and install Cisco Secure Client only after publishing and installing the Always On VPN profile to Intelligent Hub.

Deployment Steps

A. Create the Always On VPN Profile

Navigate to Profiles:
- Go toResources > Profiles & Baselines > Profiles.
- ClickAddto create a new profile.
Profile Setup:
- SelectAndroidas the platform.
- Choose the requiredManagement Type.
Configure VPN Settings:
- In the profile section, go toVPN Settingand clickAdd.
- Fill in the required fields:
  - Connection Type:Cisco AnyConnect
  - Server:cisco://local
  - EnableAlways On VPNand configure other properties as needed.
  - EnablePer-App VPN Rules.
  - EnableSet Active.
- ClickNext.
Assign Profile:
- Leave the Smart Group empty.
- Assign the profile to the necessary devices.
- Select deployment values.
- ClickSave & Publish.

assign profile

B. Assign the Cisco Secure Client App

Add the App:
- Go toResources > Native > Public.
- AddCisco Secure Clientfrom the Play Store if not already available.
App Assignment:
- Select the app and fill in required values.
- In the assignment section, create a new assignment.
Configure Distribution:
- Enter details in the Distribution section.
Enable Managed Access:
- In theRestrictionstab, enableManaged Access.
Select Profile:
- In theTunneloption, select the previously created profile ('Always On VPN') underAndroid (Custom DPC).
Application Configuration:
- Enter application configuration details such asOrg IDandReg Tokenfrom the Android Config File downloaded from the Umbrella Dashboard.
- EnableAccept SEULA For Usersto bypass manual SEULA acceptance.
- EnableAlways On VPN Mode for Umbrella Protection Onlyfor seamless VPN management by Cisco Secure Client.
- Block users from creating new VPN connections (leave the Host field empty).
Save and Publish:
- Save changes and publish the Cisco Secure Client app.
Push the Umbrella Certificate:
- For instructions, see: Push the Umbrella Certificate to Devices