On iOS and Android, the platform restricts app access to persistent device identifiers like MAC address, iTunes UDID, and IMEI/MEID. These types of identifiers are typically used by AnyConnect for reporting and authorization of VPN connections. As a workaround, AnyConnect allows EMM/MDM to provision a device identifier that will be reported to the ASA, which forwards it as an RADIUS attribute via the AnyConnect Identifier Extensions protocol. Specifically, the identifier is reported in the device-uid and device-uid-global RADIUS attributes.
The identifier itself is treated as an opaque string by AnyConnect and must be no greater than 256 bytes in length. It is sent as a XML attribute, so it may not contain illegal characters such as: ", ', &, <
On iOS, AnyConnect parses VendorConfig section in the iOS MDM VPN configuration profile. The identifier must be provided as a string to the key DeviceUniqueIdentifier, as follows:
<key>VendorConfig</key>
<dict>
<key>DeviceUniqueIdentifier</key>
<string>mdm_provisioned_device_id</string>
</dict>
On Android, AnyConnect parses Managed Application Configurations. The identifier must be provided as a value to the key vpn_connection_device_id