Set up the Zero Trust Access App for Android on Samsung Devices

End users can access private resources from their Samsung mobile devices running the Android operating system using the Zero Trust Access app. This Cisco Secure Client app uses platform-native zero trust network access technology.

Requirements and Prerequisites

• Samsung device running Android version 14+ and Samsung Knox 3.10 or higher. Example: Samsung S23.
• A Mobile Device Management (MDM) System where Samsung Knox Service Plugin (KSP) can be configured. Cisco has tested Ivanti Neurons, formerly known as MobileIron cloud version.
• A Google Play store account.

Configure Cisco Secure Access

1. Configure a posture profile for client-based Zero Trust Connections that includes Android devices:
   Navigate to Secure > Endpoint Posture Profiles.
2. Configure a private resource that allows client-based ZTA connections:
   Navigate to Resources > Private Resources.
3. Ensure that a network tunnel or resource connector is configured to send ZTA traffic to this resource.
   Navigate to Connect > End User Connectivity.
4. Configure a private access rule that allows the user ID associated with the Samsung Android device to access the private resource you configured above. Select a posture profile that includes Android devices.
   Navigate to Secure > Access Rules.

Install the App

There are two ways to distribute the app to Android Samsung devices:

• You or end users can obtain the app from the Google Play store:
  https://play.google.com/store/apps/details?id=com.cisco.secureclient.zta
• You can use your EMM/MDM vendor ecosystem

(Optional) Set up the Android device for Zero Trust Access using MDM

Add the app to MDM

1. Sign in to your Ivanti dashboard.
2. Navigate to Apps > App Catalog and click +Add.
3. Choose Google Play store as a source in the drop-down.
4. In the search field type "Knox Service Plugin". The app should be displayed.
5. Click Knox Service Plugin and then click "Approve" if it appears as an option.
6. Click "Select” and change the category for the app if needed. Then click Next.
7. "Delegate this app to all spaces" is a default selection. Click Next.
8. Choose which people or devices will get the Knox Service Plugin (KSP) app. By default, “Everyone” is selected. Click Next.
9. If "Managed Configurations for Android" does not appear, add it and give it a name.
10. Enable "Auto-launch on install".
11. In the "Managed Configurations" section click "Expand All".
12. If you need to obtain a free Knox License key for the next steps, visit https://docs.samsungknox.com/admin/knox-admin-portal/how-to-guides/manage-knox-licenses/#get-license.
13. In the "Profile name(version)" field, enter your Samsung Knox profile name and make sure the slider is set to "On".
14. In the "Knox License key(Knox Suite, DualDAR, etc)" field, enter your Samsung Knox license key and make sure the slider is set to "On".
15. Enable "Debug Mode".
16. From the section "Device-wide policies", choose the device enrollment type:
    Fully Manage Device (DO)
    or
    Work Profile-on company owned devices (WP-C), also known as PO (Profile Owner) – This is more common. These instructions assume PO enrollment.
17. Scroll down to the "ZTNA Policy" section.
18. Enable the "Enable ZTNA controls" setting.
19. In the "Package Name" field, enter "com.cisco.secureclient.zta" (if needed, click the refresh button to the right of the field to allow typing).
20. You can leave "Package Signature" blank.
21. Click Next at the bottom (this completes the Managed App config).
22. For "Install on device" add a config, or edit the config if one is listed.
23. Enable "Device Installation Configurations" and "Require installation on device".
24. Click Update or Save to retain your changes.
25. In the left side menu, navigate to Configurations.
26. Find the configuration called "Android enterprise: Work Profile (Android for Work)" or similar and click it.
27. Click the pencil to edit the configuration.
28. Click Next on the first screen.
29. On the "Distribute" screen, make sure your user/device/group is selected.
30. Click Done.
31. If you are doing a PO-type enrollment, make sure your device is not part of any other configuration as it could conflict with the PO config.

Set up the App on the Samsung Device

1. On the Samsung device, sign into your Google Play store account.
2. Install the Ivanti Go app from the Google Play store.
3. Load the Ivanti Go app and enter your work email address, which will enroll you to the MDM.
4. Enter your Ivanti password.
5. Follow the remaining steps to complete MDM enrollment.
6. Your device should now have a Work profile managed by your MDM. This is a partitioned space on the phone where "work apps" can be installed separate from your personal apps.  Work apps appear with a small briefcase over them to help distinguish them from personal apps.
7. On the device, swipe up from the bottom of the phone.  This should show a list of installed apps. Notice at the bottom it will show "Personal" and "Work".  Tapping Work will show the apps installed on the work profile.
8. In the Ivanti dashboard, navigate to Devices > Devices.
9. Find your device in the list by name or model number.
10. Click the device and click the "Installed Apps" tab.
11. It may take a few minutes, but the KSP app should be installed on the device and appear in this list along with any other apps that are configured to install.
12. On the device, open the Knox Service Plugin app (KSP) from the Work profile.
13. The work profile should display a configuration and a successful result. If not, tap the "APPLY LATEST POLICIES" button to update it.
14. Add your Google Play store account to the work profile (Android Settings -> ‘Manage Accounts’ -> select ‘Work’ -> ‘Add Account’.
15. In the work profile, open the Play Store app and make sure to select the user’s Google Play store account.
16. In the search field, type “Cisco Zero Trust Access” (or the app ID "com.cisco.secureclient.zta"). This should display the Cisco Zero Trust Access app.
17. Tap and install the Cisco Zero Trust Access app from https://play.google.com/store/apps/details?id=com.cisco.secureclient.zta.

Enroll the Device in Zero Trust Access

If you do not use an EMM/MDM tool to install the app, either you or the end user can install the app from the Google Play store. After the app is installed, either you or the user can enroll the app in Zero Trust Access.

If applicable, you can give these instructions to the end user:

1. If your administrator has not yet installed the Zero Trust Access app on your device:
   Install the app from the Google Play store.
2. The first time you start the Zero Trust Access app, if your administrator has not yet enrolled your device, the app will prompt you to enroll in Zero Trust Access.
3. In order to enroll your device for Zero Trust Access, you will need your work email address and your single sign-on credentials.
4. Start the Zero Trust app. 
5. Follow the instructions on the screens.
   1. Important! You must allow notifications or the app will not work!
   2. You will be prompted to sign in using Single sign-on credentials.
   3. When you see an Approve prompt, verify that the information on the screen is correct, then tap Approve.
   4. You may need to sign in again the first time you access an application on your network.
6. You may be required to sign in again periodically in order to access applications on your network. This is expected.

Notes for administrators

• To monitor and troubleshoot client-based zero trust access connections from mobile devices, see Monitor and Troubleshoot Zero Trust Access from Mobile Devices.

Set up the Zero Trust Access App for iOS Devices < Set up the Zero Trust Access App for Android on Samsung Devices > Monitor and Troubleshoot Zero Trust Access from Mobile Devices