Frequently Asked Questions
Does the Umbrella Android client (UAC) require an Cisco Secure Client - AnyConnect license?
No. Only an active Secure Access subscription is required to use the Secure Access module on Cisco Secure Client - AnyConnect. No additional licenses are required.
Which MDMs are supported?
The client is MDM-agnostic and any MDM should be able to deploy it. However, we have validated the following MDMs in our lab: Cisco Meraki, MobileIron, VMware Workspace One and Microsoft Intune.
Which versions of Android OS are supported by the UAC?
UAC supports Android OS versions 6.0.1 and above.
Does the UAC client work on unmanaged Android devices?
No. The current Umbrella Android Client (UAC) works on managed (fully managed and work profile) Android devices only. However, support for unmanaged devices is planned for inclusion in future releases.
Does this client protect my entire Android mobile device?
For full details on device protection, refer to the Secure Access Android mobile security documentation.
Does this client support the Umbrella Secure Internet Gateway (SIG)?
No. The client supports DNS-layer security only.
Are there any differences between the UAC and the Endpoint Roaming Client (ERC)?
The feature differences between UAC and ERC are detailed below:
| Feature | ERC | UAC |
|---|---|---|
| Supported Platforms | Windows, MacOS | Android |
| DNS-layer security blocks phishing and malicious domains | Yes | Yes |
| DNS logs augmented with endpoint IP information | Yes | Yes |
| Intelligent Proxy | Yes | Yes |
| EDNS message encryption between client and resolver | Yes | Yes |
| Customizable block page | Yes | Yes |
| User-based policies | Yes | Yes |
| Organization-wide policies | Yes | Yes |
| Safe Search | Yes | Yes |
| IP Blocking | Yes | No |
Why does app download stop working as soon as the Secure Access protection is active?
A VPN connection is used to provide Secure Access protection on Android devices. After connecting to a VPN session one cannot download anything from the Google Play store. This is a known limitation in Android OS v9 and lower. To avoid this, download the apps before enabling VPN (i.e. Secure Access protection). This situation was corrected as of Android OS v10. Very few Android device manufacturers have included the update in their releases for Android versions older than v10. Refer to the Google issue tracker for more details.
Can I use a private DNS along with Secure Access protection?
No. Any private DNS must be turned off for DNS interception to work.
Can I use another VPN client along with the Cisco Secure Client - AnyConnect?
No. Due to Android OS limitations, two VPN sessions cannot run simultaneously. Cisco Secure Client - Anyconnect supports remote access VPN connections along with Secure Access DNS protection. As a best practice, Cisco recommends using Cisco Secure Client - AnyConnect for both Remote Access VPN and Secure Access protection needs.
Does UAC support IPv6?
Not in the current release. This feature planned for inclusion in future releases.
Does UAC support TCP DNS requests?
No. The current release supports only DNS on UDP.
How do I get the Android ID?
To obtain your Android ID, either:
- Launch the Cisco Secure Client - AnyConnect app, or
- In Secure Access Security, click Options. Then navigate to Secure Access Statistics to find the Android ID.
Why do I see multiple entries on the Secure Access dashboard for the same serial number?
Multiple entries for the same device appear in these circumstances:
- The user creates and deletes work profiles several times.
- The device is used my more than one user, each with their own login.
- The user tries to factory reset the device multiple times.
As an admin, how can I know whether users are using the app and the device is protected?
In the Secure Access dashboard, navigate to Deployments > Core Identities > Mobile Devices. Once there:
- Verify that the Android ID of the device is registered with Secure Access.
- Verify that the Android ID of the device is syncing regularly by checking for the last sync details.
Why am I able to browse blocked websites when the device says I am protected?
When the UAC is installed within the work profile, only the browser installed within the work profile is blocked from browsing blocked websites. When the UAC is installed in a fully managed device, and Secure Access protection is on, all the browsers on the device are blocked from such sites.
Can I use Secure Access Protection with the AnyConnect VPN?
Yes, Secure Access protection can be used when the remote VPN is on (that is, when the Cisco Secure Client - AnyConnect VPN is active).
How can I verify that Trusted Network Detection is working (Secure Access protection deactivates when a VA is detected in the network)?
Secure Access protection is deactivated when the UAC detects a VA in the network, unless the prerequisites are not met. For example:
- The VA and Android device belong to different Secure Access organizations
- The VA is not configured to HTTPS event mode
- The VA domain is not signed with a public certificate or the self-signed certificate has not been installed on the Android device.
For more information, see Android module prerequisites.
Troubleshooting < Frequently Asked Questions
Updated about 22 hours ago