AnyConnect Mobile Platforms and Features

Android Supported Devices

Full support for Cisco AnyConnect on Android is provided on devices running Android 4.0 (Ice Cream Sandwich) through the latest release of Android.

Cisco AnyConnect on Kindle is available from Amazon for the Kindle Fire HD devices, and the New Kindle Fire. AnyConnect for Kindle is equivalent in functionality to the AnyConnect for Android package.

Per App VPN is supported in managed and unmanaged environments. In a managed environment using Samsung KNOX MDM, Samsung devices running Android 4.3 or later with Samsung Knox 2.0, are required. When using Per App in an unmanaged environment, the generic Android methods are used.

For the Network Visibility Module (NVM) capabilities, Samsung devices that are running Samsung Knox 2.8 or later (including 3.2), which requires Android 7.0 or later, are required. For configuration of NVM, the AnyConnect Profile Editor from AnyConnect 4.4.3 or later is also required. Earlier releases do not support mobile NVM configurations.

See Android User Guide for Cisco AnyConnect Secure Mobility Client, Release 4.6 for installation and upgrade procedures.

Apple iOS Devices Supported

Cisco AnyConnect 4.0.07x and later is the latest and recommended version available on all iPhones, iPads, and iPod Touch devices running Apple iOS 10.3 and later.

If a device does not support Apple iOS 10.3 or later, only Legacy AnyConnect 4.0.05x, available on all iPhones, iPads, and iPod Touch devices running Apple iO 6.0 and later, can be used. Per App tunneling in Legacy AnyConnect requires Apple iOS 8.3 or later.


Note

AnyConnect on the iPod Touch appears and operates as on the iPhone.


Google Chrome OS Supported Devices

Cisco AnyConnect on Google Chromebook requires Chrome OS 43 or later. Stability and feature enhancements are available in Chrome OS 45 (currently available on the Google Chrome Dev channel).

AnyConnect on Google Chromebook cannot be used from a standalone Chrome browser on another platform.

Many new Chromebooks are capable of supporting Android applications. While the Cisco AnyConnect on Android application can run on a Chromebook with this support, the OS only tunnels Android applications when using Android AnyConnect. At this time, we recommend only using the Chrome version of AnyConnect on Chromebooks. It is our expectation that this will change in the future when the Android application becomes the primary version for these Chromebooks, but this is not the case today.

See Google Chrome OS User Guide for Cisco AnyConnect Secure Mobility Client, Release 4.0.x for installation and upgrade procedures.

Windows Phone Supported Devices

Windows 10 Mobile Support

AnyConnect on Windows Mobile or Windows Phone is supported on mobile devices that run Microsoft Windows 10 Mobile.

Windows 10 Mobile is not intended for non-mobile Windows 10 devices. Cisco has a fully featured version of AnyConnect available for non-mobile devices, which is not distributed in the Windows store.

Windows Phone 8.1 Support


Note

“Effective December 31 2017, Cisco will no longer provide AnyConnect for Windows Phone 8.1 for new downloads in the Windows App Store. Microsoft has previously announced End of Support for this operating system https://support.microsoft.com/en-us/help/4001737/products-reaching-end-of-support-for-2017.


Till December 31, 2017 AnyConnect is also supported on mobile devices that run Microsoft Windows Phone 8.1 Update which includes the following versions: 8.10.14141.167, 8.10.14147.180, 8.10.14157.200, 8.10.14176.243, 8.10.14192.280, 8.10.14203.206, 8.10.14219.341, or 8.10.14226.359. The OS on the phone must be one of the listed versions in order for AnyConnect to work properly.

Users can verify their OS version at Settings > About > More Information on their device. For more OS version information see Microsoft's Windows Phone 8.1 update history.


Note

Earlier versions of Windows Phone 8.1 will allow AnyConnect installation, but it will not operate or be available to configure under Settings > VPN > AddProfile > Type.


See Windows Phone User Guide for Cisco AnyConnect Secure Mobility Client, Release 4.1.x for installation and upgrade procedures.

AnyConnect Mobile Platforms Feature Matrix

Category: Feature Android VPN Apple iOS BlackBerry Chrome Windows Phone

Deployment and Configuration:

Install or upgrade from application store. Yes Yes Yes Yes Yes
Cisco VPN Profile support (manual import) Yes Yes No Yes No
Cisco VPN Profile support (import on connect) Yes Yes Yes, new profile overwrites existing one. Yes No
MDM configured connection entries Yes Yes Yes, using BDS, new profile overwrites existing one. Yes Yes
User-configured connection entries Yes Yes Yes Yes Yes

Tunneling:

TLS Yes Yes Yes Yes Yes
Datagram TLS (DTLS) Yes Yes Yes Yes No
IPsec IKEv2 NAT-T Yes Yes Yes, must be enabled and configured on the device by the user. Only EAP authentication is supported. Yes No
IKEv2 - raw ESP Yes No No No No
Suite B (IPsec only) Yes Yes Yes No No
TLS compression Yes Yes, 32-bit devices only Yes No No
Dead peer detection Yes Yes Yes, disabled by default. If no response is received to three DPD packets in a row, the device closes the tunnel or the ASA suspends the tunnel until DPD exchange is re-established. Yes No
Tunnel keepalive Yes Yes Yes, disabled by default. Yes No
Multiple active network interfaces No No No No No
Per App Tunneling Yes, Android 5.0+ or Samsung Knox Yes, requires Cisco AnyConnect 4.0.09xxx and iOS 10.3 or later. No No No
Full tunnel (OS may make exceptions on some traffic, such as traffic to the app store). Yes Yes Yes Yes Yes
Split tunnel (split include). Yes Yes Yes Yes Yes
Local LAN (split exclude). No Yes No Yes No, defect in Windows Phone 8.1.
Split-DNS Yes, works with split include. Yes Yes, Until BlackBerry supports more than 2 DNS servers, the Admin can configure only one private DNS server on the ASA end. No Yes
Auto Reconnect / Network Roaming Yes, regardless of the Auto Reconnect profile specification, AnyConnect Mobile always attempts to maintain the VPN as users move between 3G and WiFi networks. Yes Yes, BBRY OS feature. When enabled the VPN connection is automatically established. This may require the user to re-enter credentials. Yes, requires Chrome OS 51 or later and Cisco AnyConnect 4.0.0113 or later. Yes, if user remains on the same network and the network connection has not terminated.
VPN on-demand (triggered by destination) No Yes, compatible with Apple iOS Connect on Demand. No No Yes
VPN on-demand (triggered by application) No Yes, when operating in Per App VPN mode only. No No No
Rekey Yes Yes Yes, for TLS and DTLS inline (same socket) and new-tunnels (new socket). Yes Yes, initiated by gateway only.
IPv4 public transport Yes Yes Yes Yes Yes
IPv6 public transport Yes, requires Android 5.0 or later. Yes No No Yes
IPv4 over IPv4 tunnel Yes Yes Yes Yes Yes
IPv6 over IPv4 tunnel Yes Yes No No Yes
IPv6 over IPv4 tunnel Yes Yes No No Yes
IPv6 over IPv6 tunnel Yes Yes No No Yes
Default domain Yes Yes Yes Yes Yes
DNS server configuration Yes Yes Yes, max of 2 Yes Yes
Private-side proxy support No, WiFi proxies are disabled when the VPN is established. Yes Yes, for URL, HTTP and HTTPS. These take precedence of other proxy setting pushed to the device. FTP and Auto proxy not supported. Yes, using ASA configured proxy PAC URL Yes, limited support in Windows Phone 8.1.
Proxy Exceptions No Yes, but wildcard specifications not supported No No No
Public-side proxy support No No No No No
Pre-login banner Yes Yes Yes, if BlackBerry's Auto-Connect is enabled. A banner is shown only once for the session. If BDS pushes credentials to the device, banners may not be shown. Yes Yes
Post-login banner Yes Yes Yes Yes Yes
DSCP Preservation Yes No No No No

Connecting and Disconnecting:

VPN load balancing Yes Yes Yes Yes Yes
Backup server list Yes Yes Yes Yes No
Optimal Gateway Selection No No No No No

Authentication:

Touch ID

No No No No No
SAML 2.0 Yes Yes No Yes No
Client Certificate Authentication Yes Yes Yes Yes Yes
Online Certificate Status Protocol (OCSP) Yes No No No No
Manual user certificate management Yes Yes Yes, using BBRY device capabilities. Yes, using Chrome device capabilities Yes, using Windows Phone capabilities.
Manual server certificate management Yes Yes Yes, using BBRY device capabilities. Yes Yes
SCEP legacy enrollment Please confirm for your platform. Yes Yes Yes, if enabled, these obtained certificates override BDS pushed certificates. BDS may disable this feature. No No
SCEP proxy enrollment Please confirm for your platform. Yes Yes Yes No No
Automatic certificate selection Yes Yes No No Yes
Manual certificate selection Yes Yes Yes Yes No
Smart card support No No No No No
Username and password Yes Yes Yes, also pushed in BDS VPN Profile. Yes Yes
Tokens/challenge Yes Yes Yes Yes Yes
Double authentication Yes Yes Yes Yes Yes
Group URL (specified in server address) Yes Yes Yes Yes Yes
Group selection (drop-down selection) Yes Yes Yes Yes Yes
Credential prefill from user certificate Yes Yes Yes, AnyConnect or BDS Yes Yes
Save password No No Yes, by BDS, AnyConnect does not save passwords. No No

User interface:

Standalone GUI Yes Yes No Yes, limited functions. Yes, limited functions.
Native OS GUI No Yes, limited functions Yes Yes, limited functions. Yes
API / URI Handler (see below) Yes Yes No No No
UI customization No No Yes No No
UI localization Yes, app contains pre-packaged languages. Yes, app contains pre-packaged languages. No No No
User preferences Yes Yes No Yes Partial
Home screen widgets for one-click VPN access Yes No No No No
AnyConnect specific status icon Optional No No No No

Mobile Posture: (AnyConnect Identity Extensions, ACIDex)

Serial number or unique ID check Yes Yes No No No
OS and AnyConnect version shared with headend Yes Yes Yes Yes Yes

AnyConnect NVM support

Yes, with specific Samsung Knox and MDM requirements.

No No No No

URI Handling:

Add connection entry Yes Yes No No No
Connect to a VPN Yes Yes No No No
Credential pre-fill on connect Yes Yes No No No
Disconnect VPN Yes Yes No No No
Import certificate Yes Yes No No No
Import localization data Yes Yes No No No
Import XML client profile Yes Yes No No No
External (user) control of URI commands Yes Yes No No No

Reporting and Troubleshooting:

Statistics Yes Yes Yes Yes No
Logging / Diagnostic Information (DART) Yes Yes Yes Yes Yes, Field Medic app required.

Certifications:

FIPS 140-2 Level 1 Yes Yes No No No