Introduction
This document describes how to configure Per-App VPN on Apple iOS devices managed by Meraki Mobile Device Management (MDM) Systems Manager (SM).
Prerequisites
Requirements
- AnyConnect v4.0 Plus or Apex license.
- ASA 9.3.1 or later to support Per App VPN.
- Cisco Enterprise Application Selector tool available on Cisco.com
Components Used
The information in this document is based on these software versions:
- ASA 5506W-X version 9.15(1)10
- iPad iOS version 15.1
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
This document does not cover these processes:
- SCEP CA Configuration on Systems Manager for client certificate generation
- PKCS12 client certificate generation for the iOS clients
Configure
Step 1. Register iOS Device to Meraki Systems Manager
1.1. Navigate to Systems Manager > Add Devices.
![SM - Dashboard](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-00.png)
1.2. Click on the iOS option to start the enrollment.
![Device enrollment type](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-01.png)
1.3. Enroll the device via internet browser or scan the QR code with the camera. In this document, the camera was used for the enrollment process.
![Enrollment menu for iOS device](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-02.png)
1.4. When the QR code is recognized by the camera, select the Open "meraki.com" in Safari notification that pops up.
![Enrollment menu view from iPad](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-03.png)
1.5. When prompted, select Register.
![Enrollment process](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-04.png)
1.6. Select Allow in order to allow the device to download the MDM profile.
![Enrollment process to grant access to download](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-05.jpeg)
1.7. Select Close to complete the download.
![Enrollment process - download complete](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-06.jpeg)
1.8. Navigate to the iOS Settings App and locate the Profile Downloaded option in the left pane and select the Meraki Management section.
![Enrollment process - profile selection](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-07.jpeg)
1.9. Select the Install option to install the MDM profile.
![Enrollment process - profile installation](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-08.jpeg)
1.10. When prompted, grant the access required to install the SM application.
![SM approval](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-09.jpeg)
1.11. Open the newly downloaded application called Meraki MDM, located on the home screen.
![SM view from iOS main menu](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-10.jpeg)
1.12. Verify that all statuses show a green tick, which confirms that the enrollment is complete.
![SM compliance](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-11.jpeg)
Step 2. Setup Managed Apps
In order to set up the Tunneled Apps for Per-App VPN later in this document, you must first manage those same applications via SM. In this configuration example, Firefox is the application to be tunneled via Per-App VPN, hence it is added to the managed apps.
2.1. Navigate to Systems Manager > Manage > Apps in order to add the managed apps.
![SM device configuration](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-12.png)
2.2. Select the Add app option.
![SM add managed apps](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-13.png)
2.3. Select the type of application (App Store app, Custom, B2B) based on where the app is stored, then select Next.
In this example the app is stored publicly in the App Store.
![SM add managed app](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-14.png)
2.4. When prompted, search for the desired application and select the region from which the application is downloaded. Select Save once the app is selected.
Note: If the country does not match the Apple account's region, the user may experience problems with the application.
![SM select managed ap](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-15.png)
2.5. Click Save once you select all the desired applications.
Step 3. Configure PerApp VPN profile
3.1. Navigate to Systems Manager > Manage > Settings.
![SM - add new device](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-16.png)
3.2. Select the Add profile option.
![SM - policy add new device](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-17.png)
3.3. Select Device profile (default) and click Continue.
![SM - search for type of policy](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-18.png)
3.4. Once the Profile Configuration menu is displayed, write the Name and select the target devices under Scope.
![Configure scope of perapp policy](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-19.png)
3.5. Select Add settings, filter the profile types by iOS Per App VPN, and select the option shown below.
![Menu to select PerApp policy](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-20.png)
3.6. Once the menu is displayed, enter the connection information based on the example below.
Systems Manager supports two certificate enrollment methods for these connections, SCEP and manual enrollment. In this example, manual enrollment was used.
Note: Fill in the text boxes before you select Add credential, since that option takes you to a new menu to add a certificate file.
![Menu to configure PerApp parameters](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-21.png)
3.7. After you click Add credential and are redirected to the Certificate menu, enter the Name of the certificate, browse your computer for the .pfx file (encrypted certificate file), and enter the Password that protects it.
![Menu to configure credentials (certificate)](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-22.png)
3.8. After the certificate is selected, the certificate filename is displayed.
![Menu to confirm credentials](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-23.png)
3.9. Once the certificate is selected, navigate back to the VPN profile you were previously on, select the newly imported credential, and select the tunneled app (Firefox in this case).
Click Save once this is completed.
![Menu to confirm PerApp parameters prior to deployment](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-24.png)
3.10. Verify the profile is installed on the target devices.
![Confirm installation of profile](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-25.png)
Step 4. App Selector Configuration
4.1. Download the App Selector from the Cisco website: https://software.cisco.com/download/home/286281283/type/282364313/release/AppSelector-2.0
Caution: Run the application on a Windows machine. The results displayed are not as expected when the tool is used on macOS devices.
4.2. Open the Java application. Select iOS from the dropdown menu, add a friendly name, and ensure you type *.* in the App ID field.
![AppSelector wildcard](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-26.png)
4.3. Navigate to Policy and select View Policy.
![AppSelector wildcard - view policy](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-27.png)
4.4. Copy the string displayed. (This string is used later in the VPN headend configuration.)
![AppSelector wildcard - view policy - export value](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-28.png)
Step 5. ASA Sample Per App VPN Configuration
```
conf t
! Per-App custom attribute; the value is the policy string exported from the App Selector (Step 4.4)
webvpn
 anyconnect-custom-attr perapp description PerAppVPN
 anyconnect-custom-data perapp wildcard eJyrVnLOLE7Od84vqCzKTM8oUbJSgrMVNJI1FYwMDEwUwGoUgiuLS1Jzi3UUPPOS9ZR0lFxSyzKTU30yi4G6oquh3JDKglSgIYkFBTmpupn5xUB1jgUFcEVA8cwUoLyWnhZQJi0vMRekujwzJyU5sShFqTYWCAFHcjDB
ip local pool vpnpool 10.204.201.20-10.204.201.30 mask 255.255.255.0
access-list split standard permit 172.168.0.0 255.255.0.0
access-list split standard permit 172.16.0.0 255.255.0.0
! Group policy that references the custom attribute so the per-app policy is pushed to the client
group-policy GP-perapp internal
group-policy GP-perapp attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 split-tunnel-all-dns disable
 anyconnect-custom perapp value wildcard
! Tunnel group with certificate authentication, matching the certificate deployed by SM in Step 3
tunnel-group perapp type remote-access
tunnel-group perapp general-attributes
 address-pool vpnpool
 default-group-policy GP-perapp
tunnel-group perapp webvpn-attributes
 authentication certificate
 group-alias perapp enable
 group-url https://vpn.cisco.com/perapp enable
```
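The App Selector policy string from Step 4, which the ASA hands to the client through the custom attribute above, is a base64-encoded, zlib-compressed JSON document. The script below is an added example, not part of this document or of any Cisco tool: it pulls every anyconnect-custom-data value out of the Step 5 configuration, decodes it, and lists the string values so the deployed policy can be reviewed against what was typed into the App Selector. The ASA_WEBVPN snippet is constructed from the configuration above; the JSON key layout is not documented on this page, so the script only dumps it.

```python
import base64
import json
import re
import zlib

# Policy value from Step 5 of this document (App Selector output for App ID "*.*"),
# exactly as it appears on the ASA "anyconnect-custom-data" line.
WILDCARD_POLICY = (
    "eJyrVnLOLE7Od84vqCzKTM8oUbJSgrMVNJI1FYwMDEwUwGoUgiuLS1Jzi3UUPPOS9ZR0"
    "lFxSyzKTU30yi4G6oquh3JDKglSgIYkFBTmpupn5xUB1jgUFcEVA8cwUoLyWnhZQJi0v"
    "MRekujwzJyU5sShFqTYWCAFHcjDB"
)

# Constructed copy of the relevant Step 5 lines, as they appear in a running config.
ASA_WEBVPN = (
    "webvpn\n"
    " anyconnect-custom-attr perapp description PerAppVPN\n"
    f" anyconnect-custom-data perapp wildcard {WILDCARD_POLICY}\n"
)


def decode_app_policy(value: str) -> dict:
    """base64 -> zlib -> JSON. The value is a zlib stream (header 0x78 0x9C, hence
    the leading "eJy" in base64); zlib verifies the Adler-32 trailer, so a value
    that was truncated or mangled when pasted into the ASA raises here."""
    raw = base64.b64decode("".join(value.split()), validate=True)
    if raw[:1] != b"\x78":
        raise ValueError("not a zlib stream; is this an App Selector policy?")
    policy = json.loads(zlib.decompress(raw).decode("utf-8"))
    if not isinstance(policy, dict):
        raise ValueError("decoded policy is not a JSON object")
    return policy


def policy_strings(obj, found=None) -> list:
    """Collect every string value in the decoded policy (recursively) so the
    App IDs the headend hands out can be compared with the App Selector input."""
    if found is None:
        found = []
    if isinstance(obj, str):
        found.append(obj)
    elif isinstance(obj, dict):
        for v in obj.values():
            policy_strings(v, found)
    elif isinstance(obj, list):
        for v in obj:
            policy_strings(v, found)
    return found


def custom_data_policies(config: str) -> dict:
    """Map each 'anyconnect-custom-data perapp <name> <value>' line in an ASA
    config to its decoded policy; a bad value fails loudly instead of silently
    shipping a broken rule to the client."""
    pattern = r"^\s*anyconnect-custom-data\s+perapp\s+(\S+)\s+(\S+)\s*$"
    return {name: decode_app_policy(val)
            for name, val in re.findall(pattern, config, re.MULTILINE)}


if __name__ == "__main__":
    for name, policy in custom_data_policies(ASA_WEBVPN).items():
        print(f"== {name} ==")
        print(json.dumps(policy, indent=2))
        print("string values:", policy_strings(policy))
```

Run it against a copy of the ASA running configuration to decode every per-app policy the headend currently serves.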
Verify
6. Verify Profile Installation on AnyConnect Application
6.1. Open the AnyConnect application and select Connections in the left pane. The Per-App VPN profile must be displayed under a new section called PER-APP VPN.
Select the i icon to display the advanced settings.
![Verify VPN connection profile](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-29.png)
6.2. Select the Advanced option.
![Verify VPN advanced parameters](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-30.png)
6.3. Select the App Rules option.
![Verify app rules](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-31.png)
6.4. Lastly, confirm that the App Rule is installed. (Mozilla Firefox is the app to be tunneled in this document, so the installation was successful.)
![App Rules from perapp](/c/dam/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220259-configure-anyconnect-perapp-vpn-for-ios-32.png)
Troubleshoot
There are currently no specific troubleshooting steps for this document.