AnyConnect Mobile Platforms and Features
Android Supported Devices
Full support for AnyConnect on Android is provided on devices running Android 4.0 (Ice Cream Sandwich) through the latest release of Android.
AnyConnect on Kindle is available from Amazon for the Kindle Fire HD devices, and the New Kindle Fire. AnyConnect for Kindle is equivalent in functionality to the AnyConnect for Android package.
Per-App VPN is supported in managed and unmanaged environments. In a managed environment using Samsung KNOX MDM, Samsung devices running Android 4.3 or later with Samsung Knox 2.0, are required. When using Per App in an unmanaged environment, the generic Android methods are used.
For the Network Visibility Module (NVM) capabilities, Samsung devices that are running Samsung Knox 2.8 or later (including 3.2), which requires Android 7.0 or later, are required. For configuration of NVM, the AnyConnect Profile Editor from AnyConnect 4.4.3 or later is also required. Earlier releases do not support mobile NVM configurations.
Apple iOS Supported Devices
AnyConnect 4.10 is available on all iPhones, iPads, and iPod Touch devices running Apple iOS 10.3 and later.
If a device does not support Apple iOS 10.3 or later, only Legacy AnyConnect 4.0.05x , available on all iPhones, iPads, and iPod Touch devices running Apple iOS 6.0 and later, can be used. Per App tunneling in Legacy AnyConnect requires Apple iOS 8.3 or later.
Note |
AnyConnect on the iPod Touch appears and operates as on the iPhone. |
Google Chrome OS Supported Devices
AnyConnect on Google Chromebook requires Chrome OS 43 or later. Stability and feature enhancements are available in Chrome OS 45.
AnyConnect on Google Chromebook cannot be used from a standalone Chrome browser on another platform.
For all current Chromebooks, AnyConnect for Android is officially supported and strongly recommended for the optimal experience on ChromeOS. The native ChromeOS client is intended only for legacy Chromebooks incapable of running Android applications.
Universal Windows Platform Supported Devices
AnyConnect on Universal Windows Platform supports all UWP compatible devices including desktop.
AnyConnect Mobile Platforms Feature Matrix
Category: Feature | Android | Apple iOS | Chrome | Universal Windows Platform |
---|---|---|---|---|
Deployment and Configuration: |
||||
Install or upgrade from application store. | Yes | Yes | Yes | Yes |
Cisco VPN Profile support (manual import) | Yes | Yes | Yes | No |
Cisco VPN Profile support (import on connect) | Yes | Yes | Yes | No |
MDM- configured connection entries | Yes | Yes | Yes | Yes |
User-configured connection entries | Yes | Yes | Yes | Yes |
Tunneling: |
||||
TLS | Yes | Yes | Yes | Yes |
Datagram TLS (DTLS) | Yes | Yes | Yes | No |
DTLS v1.2 | Yes | |||
IPsec IKEv2 NAT-T | Yes | Yes | Yes | No |
IKEv2 - raw ESP | Yes | No | No | No |
Suite B (IPsec only) | Yes | Yes | No | No |
TLS compression | Yes | Yes, 32-bit devices only | No | No |
Dead peer detection | Yes | Yes | Yes | No |
Tunnel keepalive | Yes | Yes | Yes | No |
Multiple active network interfaces | No | No | No | No |
Per-App Tunneling | Yes, Android 5.0+ or Samsung Knox | Yes, requires Cisco AnyConnect 4.0.09xxx and iOS 10.3 or later. | No | Yes, by MDM provisioning only |
Per-App Tunneling (Disallowed Apps Mode) |
Yes |
No |
No |
No |
Multiple tunnel | No | Yes, with MDM configuration | No | No |
Full tunnel (OS may make exceptions on some traffic, such as traffic to the app store). | Yes | Yes | Yes | Yes |
Split tunnel (split include). | Yes | Yes | Yes | Yes |
Local LAN (split exclude). | No | Yes | Yes | No |
Split-DNS | Yes, works with split include. | Yes | No | Yes |
Auto Reconnect / Network Roaming | Yes, regardless of the Auto Reconnect profile specification, AnyConnect Mobile always attempts to maintain the VPN as users move between 3G and WiFi networks. | Yes | Yes, requires Chrome OS 51 or later and AnyConnect 4.0.0113 or later. | Yes,if user remains on the same network and the network connection has not terminated. |
VPN on-demand (triggered by destination) | No | Yes, compatible with Apple iOS Connect on Demand. | No | Yes |
VPN on-demand (triggered by application) | No | Yes, when operating in Per-App VPN mode only. | No | No |
Rekey | Yes | Yes | Yes | No |
IPv4 public transport | Yes | Yes | Yes | Yes |
IPv6 public transport | Yes, requires Android 5.0 or later. | Yes | No | Yes |
IPv4 over IPv4 tunnel | Yes | Yes | Yes | Yes |
IPv6 over IPv4 tunnel | Yes | Yes | No | Yes |
IPv6 over IPv4 tunnel | Yes | Yes | No | Yes |
IPv6 over IPv6 tunnel | Yes | Yes | No | Yes |
Default domain | Yes | Yes | Yes | Yes |
DNS server configuration | Yes | Yes | Yes | Yes |
Private-side proxy support | Direct proxy support on Android 10+. PAC proxy support on Android 11+. See note below. | Yes | Yes, using ASA configured proxy PAC URL | Yes, limited support |
Proxy Exceptions | No | Yes, but wildcard specifications not supported | No | No |
Public-side proxy support | No | No | No | No |
Pre-login banner | Yes | Yes | Yes | Yes |
Post-login banner | Yes | Yes | Yes | Yes |
DSCP Preservation | Yes | No | No | No |
Connecting and Disconnecting: |
||||
VPN load balancing | Yes | Yes | Yes | Yes |
Backup server list | Yes | Yes | Yes | No |
Optimal Gateway Selection | No | No | No | No |
Authentication: |
||||
Biometric protection of client certificate |
Yes | Yes | No | No |
SAML 2.0 | Yes | Yes | Yes | No |
Client Certificate Authentication (RSA) | Yes | Yes | Yes | Yes |
Client Certificate Authentication (ECDSA) | Yes | Yes | Yes | Yes |
SAML + Client Certificate Requests | Yes | Yes | No | No |
Certificate Revocation Checking | Online Certificate Status Protocol (OCSP) | either OCSP or CRL (Certificate Revocation List), depending on iOS version | No | No |
Manual user certificate management | Yes | Yes | Yes, using Chrome device capabilities | Yes |
Manual server certificate management | Yes | Yes | Yes | Yes |
SCEP legacy enrollment: Deprecated | No | No | No | No |
SCEP proxy enrollment Please confirm for your platform. | Yes | Yes | No | No |
Automatic certificate selection | Yes | Yes | No | Yes |
Manual certificate selection | Yes | Yes | Yes | No |
Smart card support | No | No | No | No |
Username and password | Yes | Yes | Yes | Yes |
Tokens/challenge | Yes | Yes | Yes | Yes |
Double authentication | Yes | Yes | Yes | Yes |
Group URL (specified in server address) | Yes | Yes | Yes | Yes |
Group selection (drop-down selection) | Yes | Yes | Yes | Yes |
Credential prefill from user certificate | Yes | Yes | Yes | Yes |
Save password | No | No | No | No |
Umbrella User Identities | Yes | No | No | No |
User interface: |
||||
Standalone GUI | Yes | Yes | Yes, limited functions | Yes, limited functions. |
Native OS GUI | No | Yes, limited functions | Yes, limited functions | Yes |
API / URI Handler (see below) | Yes | Yes | No | No |
UI customization | No | No | No | No |
UI localization | Yes, app contains pre-packaged languages. | Yes, app contains pre-packaged languages. | No | No |
User preferences | Yes | Yes | Yes | Partial |
AnyConnect specific status icon | Optional | No | No | No |
Dark mode | No | Yes | No | No |
Mobile Posture: (AnyConnect Identity Extensions, ACIDex) |
||||
Serial number or unique ID check | Yes | Yes | No | No |
OS and AnyConnect version shared with headend | Yes | Yes | Yes | Yes |
Siri support | No | Yes | No | No |
AnyConnect Network Visibility Module support |
Yes, with specific Samsung Knox and MDM requirements. |
No | No | No |
Ability to restrict the exporting of NVM flows | Yes | No | No | No |
Ability to securely send data to the collector over DTLS |
Yes |
No |
No |
No |
URI Handling: |
||||
QR code scanning | Yes | No | No | No |
Add connection entry | Yes | Yes | No | No |
Connect to a VPN | Yes | Yes | No | No |
Credential pre-fill on connect | Yes | Yes | No | No |
Disconnect VPN | Yes | Yes | No | No |
Import certificate | Yes | Yes | No | No |
Import localization data | Yes | Yes | No | No |
Import XML client profile | Yes | Yes | No | No |
External (user) control of URI commands | Yes | Yes | No | No |
Reporting and Troubleshooting: |
||||
Statistics | Yes | Yes | Yes | No |
Logging / Diagnostic Information (DART) | Yes | Yes | Yes | Yes, Field Medic app required |
Certifications: |
||||
FIPS 140-2 Level 1 | Yes | Yes | No | No |
Note |
Before deploying a PAC proxy configuration for AnyConnect Secure Mobility Client on Android, please ensure that your applications are compatible with PAC proxy. |
AnyConnect Mobile Related Documentation
For more information refer to the following documentation:
Additional information on using VPN connections with Apple iOS devices is available from Apple: