Summary:
* The Group setting in the VPN payload doesn't work on the new version of the AnyConnect iOS app
* The VPN payload from Apple Configurator 2.7 doesn't seem to meet Cisco's requirements
* The Configuration Profile Reference doesn't include the Group key of the VPN payload. Why?
Details:
I develop a configuration profile distribution server (MDM server). A new version of the Cisco AnyConnect iOS app has now been launched: it was 4.0.07x, and 4.6 is available on the App Store now. But the VPN payload for this app partially doesn't work. The previous app remains on the store as "Cisco AnyConnect Legacy".
I implemented the Group, OnDemand and Proxy settings in the VPN payload for AnyConnect. These three settings work correctly on the Legacy app. But the Group setting doesn't work on the new AnyConnect so far. The value of Group isn't set in the app's group form.
So I asked Cisco about it, but they didn't seem to know about this behavior. They said they don't support any additional MDM configuration except their three requirements, that is, VPNType (VPN), VPNSubType (com.cisco.anyconnect) and ProviderType (packet-tunnel).
If Cisco doesn't relate to this bug, I think iOS operates the configuration profile settings, and it sets the values in the profile on the VPN client app when it is used. Right? These requirements are described in AnyConnect's release notes.
But Apple Configurator 2.7 doesn't meet the requirements. I compared my VPN payload with the one from that app, and the payload issued from Apple Configurator 2.7 didn't have the ProviderType key.
This is a part of my mobileconfig, including the VPN payload for the new Cisco AnyConnect with the Group key (not including OnDemand and Proxy).
The new AnyConnect recognizes this profile except for Group (checked on iOS 11.2).
<key>PayloadIdentifier</key>
<string>vpn.profile.vpn</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadUUID</key>
<string>7337488b-ed30-40bf-b3ef-6bf1aa19c8ce</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadOrganization</key>
<string>testOrganization</string>
<key>PayloadDescription</key>
<string>Configures VPN settings, including authentication.</string>
<key>PayloadDisplayName</key>
<string>VPN configurationtest</string>
<key>UserDefinedName</key>
<string>VPN configurationtest</string>
<key>VendorConfig</key>
<dict>
<key>Group</key>
<string>testgroup</string>
</dict>
<key>VPNType</key>
<string>VPN</string>
<key>VPNSubType</key>
<string>com.cisco.anyconnect</string>
<key>ProviderType</key>
<string>packet-tunnel</string>
<key>VPN</key>
<dict>
<key>AuthenticationMethod</key>
<string>Certificate</string>
<key>PayloadCertificateUUID</key>
<string>333df7d5-2726-4290-c50b-9082c0d0f14c</string>
<key>RemoteAddress</key>
<string>10.30.170.1</string>
</dict>
<key>Proxies</key>
<dict></dict>
And this is a mobileconfig for the new AnyConnect from Apple Configurator 2.7. You can check that it does not have ProviderType, which is required by Cisco.
I haven't checked the behavior of this profile because of my environment. Only configured and omitted a mobileconfig.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
<integer>0</integer>
</dict>
<key>PayloadDescription</key>
<string>VPN Configurationす</string>
<key>PayloadDisplayName</key>
<string>VPN</string>
<key>PayloadIdentifier</key>
<string>com.apple.vpn.managed.934BA5EF-8995-4821-96F7-E0B8A3B32D3D</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadUUID</key>
<string>934BA5EF-8995-4821-96F7-E0B8A3B32D3D</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Proxies</key>
<dict>
<key>HTTPEnable</key>
<integer>0</integer>
<key>HTTPSEnable</key>
<integer>0</integer>
</dict>
<key>UserDefinedName</key>
<string>vpn test</string>
<key>VPN</key>
<dict>
<key>AuthenticationMethod</key>
<string>Certificate</string>
<key>RemoteAddress</key>
<string>10.30.170.1</string>
</dict>
<key>VPNSubType</key>
<string>com.cisco.anyconnect</string>
<key>VPNType</key>
<string>VPN</string>
<key>VendorConfig</key>
<dict>
<key>Group</key>
<string>testgroup</string>
</dict>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>No Settings</string>
<key>PayloadIdentifier</key>
<string>iMac.271F108D-3DF3-4988-BF5F-2F863881DB24</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>28F6A4B6-FCF0-40B5-A84F-E6F847EB1791</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Also, this Group key is not described in the VPN Payload section of the Apple Configuration Profile Reference. But it has been active on Cisco AnyConnect Legacy.
Is this just a lack of the reference?
I have submitted the same report to Bug Reporter.
Does anyone have the same issues?
Thanks,
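
The comparison described in the post, as an added example that is not part of the original post: a Python check that reads an unsigned .mobileconfig and reports, for each `com.apple.vpn.managed` payload, which of the three key/value pairs the post quotes as Cisco's requirements are missing or different. The function names, the `example.*` identifiers and the sample profile are constructed for illustration; a signed profile would need its plist extracted first.

```python
import plistlib

# The three key/value pairs the post quotes as Cisco's requirements.
REQUIRED = {
    "VPNType": "VPN",
    "VPNSubType": "com.cisco.anyconnect",
    "ProviderType": "packet-tunnel",
}

def check_vpn_payloads(profile_bytes):
    """Return {payload identifier: [problems]} for every VPN payload in the profile."""
    profile = plistlib.loads(profile_bytes)  # accepts XML or binary plist bytes
    report = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue  # only VPN payloads are of interest here
        problems = []
        for key, expected in REQUIRED.items():
            if key not in payload:
                problems.append(f"missing {key}")
            elif payload[key] != expected:
                problems.append(f"{key} is {payload[key]!r}, expected {expected!r}")
        ident = payload.get("PayloadIdentifier", payload.get("PayloadUUID", "<unnamed>"))
        report[ident] = problems
    return report

def make_sample(with_provider_type):
    """Constructed sample profile, reduced from the two payloads shown in the post."""
    vpn = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadIdentifier": "example.vpn",  # constructed placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # constructed
        "PayloadVersion": 1,
        "UserDefinedName": "vpn test",
        "VPNType": "VPN",
        "VPNSubType": "com.cisco.anyconnect",
        "VendorConfig": {"Group": "testgroup"},
        "VPN": {"AuthenticationMethod": "Certificate", "RemoteAddress": "10.30.170.1"},
    }
    if with_provider_type:
        vpn["ProviderType"] = "packet-tunnel"
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": "example.profile",  # constructed placeholder
               "PayloadUUID": "00000000-0000-0000-0000-000000000002",  # constructed
               "PayloadContent": [vpn]}
    return plistlib.dumps(profile)

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, check_vpn_payloads(make_sample(flag)))
```

An MDM server could run the same check on every generated or imported profile before distributing it, so a payload without `ProviderType` is caught before it reaches a device.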