Cisco Secure Client 5 is the latest and recommended version available on all iPhones, iPads, and iPod Touch devices running Apple iOS 13.0 and later.

Cisco Secure Client 5 is the latest and recommended version available on all iPhones, iPads, and iPod Touch devices running Apple iOS 10.3 and later.

For the Zero Trust Access feature available as an application download separately from Cisco Secure Client, you must have a device running iOS/iPadOS 17.2 (or later).

Note	Cisco Secure Client on the iPod Touch appears and operates as on the iPhone.

* Local LAN access is enabled for iOS devices regardless of the configuration of the Cisco Secure Firewall ASA due to operating system implementation.

A minimum release of the Cisco Secure Firewall ASA is required to use the following features:

Note	Refer to the feature matrix for your platform to verify the availability of these features in the current Cisco Secure Client mobile release.

• SAML authentication —Secure Firewall ASA 9.7.1.24, 9.8.2.28, 9.9.2.1 or later. Make sure that both the client and server versions are up-to-date.

• TLS 1.3—Secure Firewall ASA 9.19.1 or later.

• TLS 1.2—Secure Firewall ASA 9.3.2 or later.

• Per-App VPN tunneling mode—Secure Firewall ASA 9.3.2 or later.

• IPsec IKEv2 VPN, Suite B cryptography, SCEP Proxy, or Mobile Posture—Secure Firewall ASA 9.0.

Cisco Secure Client SSL connectivity is supported on Cisco IOS 15.3(3)M+/15.2(4)M+.

Cisco Secure Client IKEv2 connectivity is supported on Cisco ISR g2 15.2(4)M+.

Cisco Secure Client SSL and IKEv2 is supported on Cisco Secure Firewall Threat Defense, release 6.2.1 and later.

• (Cisco Zero Trust Access on iOS)—Because iOS does not support service processes, it uses push notifications to trigger a config sync. Therefore, instead of the config sync happening about every 10 minutes as it does on other platforms, it can take up to four hours.

• (iOS 14.0.x and later)—When tunnel DNS servers are configured without a split DNS domain name specified, failure to resolve an address with the tunnel DNS servers does not result in a fallback to the device's public DNS servers. Changes in iOS caused this different behavior.

• (iOS 14.0.x only) CSCvv50495—After a network change, a transition from one network to another, or a network pause and resume, traffic stops. You can disable and re-enable your VPN connection to resume. This issue is fixed in iOS 14.1.

• CSCvs82209—While accessing client certificates that are imported via SCEP and that require biometrics for access, a "no valid certificate found" error results on iOS 13.3.1 and later. iOS 13.3.1 removed the ability for the Cisco Secure Client Network Extension to use SCEP-imported certificates that have the security property requiring biometrics (TouchID / FaceID / passcode) for access. Until the client can be redesigned to accommodate this change, deploy certificates using SCEP without the biometric option.

• Cisco Secure Client can be configured by the user (manually), by the Cisco Secure Client VPN Profile, generated by the iPhone Configuration Utility (available in the Mac App Store), or using an Enterprise Mobile Device Manager.

• The Apple iOS device supports no more than one Cisco Secure Client VPN profile. The contents of the generated configuration always match the most recent profile. For example, if you connect to vpn.example1.com and then to vpn.example2.com, the Cisco Secure Client VPN profile imported from vpn.example2.com replaces the one imported from vpn.example1.com.

• This release supports the tunnel keepalive feature; however, it reduces the battery life of the device. Increasing the update interval value mitigates this issue.

• DHE Incompatibility—With the introduction of DHE cipher support, incompatibility issues result in Cisco Secure Firewall ASA versions before 9.2. If you are using DHE ciphers with ASA releases earlier than 9.2, you must disable DHE ciphers on those Secure Firewall ASA versions.

  With the introduction of DHE cipher support, incompatibility issues result in Cisco Secure Firewall ASA versions before 9.2. If you are using DHE ciphers with ASA releases earlier than 9.2, you must disable DHE ciphers on those Secure Firewall ASA versions.

Apple iOS Connect On-Demand Considerations:

• VPN sessions, which are automatically connected as a result of iOS On-Demand logic and have Disconnect on Suspend configured, are disconnected when the device sleeps. After the device wakes up, On-Demand logic will reconnect the VPN session when it is necessary again.

• Cisco Secure Client collects device information when the UI is launched, and a VPN connection is initiated. Therefore, there are circumstances in which Cisco Secure Client can misreport mobile posture information if the user relies on iOS’s Connect On-Demand feature to make a connection initially, or after device information (such as the OS version) has changed.

• Split tunneling to the Cisco Secure Firewall ASA headend does not work when tunneling IPv6 only (no IPv4 address assigned) in a split exclude configuration.

  All traffic should be tunneled except for the exclude list entries, yet the split exclude list is not honored, and all IPv6 traffic is excluded. Refer to CSCvb80768: IPv6 Split Exclude & IPv4 DropAll will exclude all v6 traffic from the tunnel. (RADAR 29623849).

• If the Cisco Secure Client UI remains open and iOS mistakenly disconnects the Inter-Process Communication (IPC) between the UI and the internal Cisco Secure Client extension, any UI activity fails with an error or an incorrect response.

  To recover from this, you must close and restart the Cisco Secure Client UI which will re-establish the IPC. If the unexpected IPC disconnect occurs when the UI is closed, the next time you open the UI, it will be re-established. Refer to CSCvb95722: Fails to get to Paused state (RADAR 29313229).

• For On-Demand connections, the Cisco Secure Client UI must be opened when an updated VPN connection profile has been pushed to the client by the Cisco Secure Firewall ASA. If the UI is not opened, the updated profile will not be synchronized and therefore the changes will not be used.

• In a managed Per-App configuration, app traffic, configured for Per App, will flow over a user-created (unmanaged) VPN connection when it should not.

  Refer to CSCvc36024: PerApp - Apps can pass traffic over non-PAV full tunnel (RADAR 29513803). Apple confirmed this is expected behavior.

These less secure cipher suites have been removed:

• For SSL VPN, Cisco Secure Client no longer supports the following cipher suites from both TLS and DTLS: DHE-RSA-AES256-SHA and DES-CBC3-SHA

• For IKEv2/IPsec, Cisco Secure Client no longer supports the following algorithms:

  • Encryption algorithms: DES and 3DES

  • Pseudo Random Function (PRF) algorithm: MD5

  • Integrity algorithm: MD5

  • Diffie-Hellman (DH) groups: 2, 5, 14, 24