Set up the Zero Trust Access App for Android on Samsung Devices

End users can access private resources from their Samsung mobile devices running the Android operating system using the Zero Trust Access app. This Cisco Secure Client app uses platform-native zero trust network access technology.

Cisco Zero Trust Access app:

Zero Trust Access app for iOS

Requirements and Prerequisites

  • Samsung device running Android version 14+ and Samsung Knox 3.10 or higher. Example: Samsung S23.
  • A Mobile Device Management (MDM) system where Samsung Knox Service Plugin (KSP) can be configured. Cisco has tested with Ivanti Neurons, formerly known as MobileIron (cloud version).
  • A Google Play store account.

Configure Settings in Cisco Secure Access

  1. Configure a posture profile for client-based Zero Trust Connections that includes Android devices:
    Navigate to Secure > Endpoint Posture Profiles. For information, see Add a Client-Based Zero Trust Access Posture Profile.
  2. Configure a private resource that allows client-based ZTA connections:
    Navigate to Resources > Private Resources. For information, see Add a Private Resource.
  3. Ensure that a network tunnel or resource connector is configured to send ZTA traffic to this resource.
    Navigate to Connect > End User Connectivity. For information, see Manage Network Connections.
  4. Configure a private access rule that allows the user ID associated with the Samsung Android device to access the private resource you configured above. Select a posture profile that includes Android devices.
    Navigate to Secure > Access Rules. For information, see Add a Private Access Rule.

Install the App

There are two ways to distribute the app to Android Samsung devices:

(Optional) Set up the Android device for Zero Trust Access using MDM

If your organization uses a Mobile Device Management (MDM) solution, you can streamline and automate the deployment and configuration of the Zero Trust Access (ZTA) app on Android devices. Using MDM allows you to enforce consistent security policies across all devices and makes the setup process easier for end users.

The following procedures describe how to:

  1. Add the app to MDM
  2. Set up the App on the Samsung Device

Add the app to MDM

Follow these steps to deploy the Knox Service Plugin (KSP) and configure the Cisco Secure Client (Zero Trust Access) app for Samsung devices using Ivanti.

  1. Sign in to your Ivanti dashboard with administrator credentials.
  2. Add Knox Service Plugin to App Catalog.
    1. Navigate to Apps > App Catalog and click +Add.
    2. From the Source drop-down, choose Google Play store.
    3. In the search field, type Knox Service Plugin. The app should appear. If it does not, check your spelling, network, or permissions.
    4. Click Knox Service Plugin and then click Approve if prompted.
    5. Click Select. Change the category for the app if needed, then click Next.
  3. Assign the App to Users or Devices.
    1. By default, Delegate this app to all spaces is selected. Click Next.
    2. Choose which people or devices will get the KSP app. By default, Everyone is selected. Click Next.
  4. Configure Managed Settings.
    1. If Managed Configurations for Android does not appear, add it and give it a name.
    2. Enable Auto-launch on install.
    3. In the Managed Configurations section, click Expand All to display all settings.
  5. Enter Knox and ZTNA Details.
    1. If you need to obtain a free Knox License key for the next steps, see Manage Knox Licenses.
    2. In the Profile name(version) field, enter your Samsung Knox profile name and make sure the slider is set to On.
    3. In the Knox License key(Knox Suite, DualDAR, etc) field, enter your Samsung Knox license key and set the slider On.
    4. Enable Debug Mode.
  6. Select Device Enrollment Type.
    1. In the Device-wide policies section, choose the device enrollment type as:
      Fully Manage Device (DO)
      or
      Work Profile-on company owned devices (WP-C), also known as PO (Profile Owner)
      Note: PO enrollment is more common. These instructions assume PO enrollment.

      Important: If you are doing a PO-type enrollment, ensure your device is not part of any other configuration, as it could conflict with the PO config.

  7. Configure ZTNA Policy.
    1. Scroll down to the ZTNA Policy section.
    2. Enable the Enable ZTNA controls setting.
    3. In the Package Name field, enter "com.cisco.secureclient.zta" (if needed, click the Refresh button to the right of the field to allow typing).
    4. You can leave Package Signature blank.
  8. Click Next to finish Managed App configuration.
  9. Set Device Installation Requirements.
    1. For Install on device, add a config or edit the config if one is listed.
    2. Enable both Device Installation Configurations and Require installation on device.
    3. Click Update or Save to retain your changes.
  10. Assign and Distribute the Configuration.
    1. From the left menu, navigate to Configurations.
    2. Find the configuration called Android enterprise: Work Profile (Android for Work) or similar, and click it.
    3. Click the pencil to edit the configuration.
    4. Click Next on the first screen.
    5. On the Distribute screen, make sure your user/device/group is selected.
    6. Click Done.

Set up the App on the Samsung Device

Follow these steps to enroll your Samsung device and install the Cisco Zero Trust Access app using Ivanti MDM.

  1. Enroll the Device in Ivanti MDM.
    1. On the Samsung device, sign in to your Google Play store account.
    2. Install the Ivanti Go app from the Google Play store.
    3. Open the Ivanti Go app and enter your work email address to begin MDM enrollment.
    4. Enter your Ivanti password.
    5. Follow the remaining steps to complete MDM enrollment.
  2. Verify Work Profile Creation.
    1. Once enrollment is complete, your device will have a Work profile managed by your MDM.
      This is a separate partition on the device for “work apps,” which appear with a small briefcase icon to distinguish them from personal apps.
    2. To view your work apps:
      1. Swipe up from the bottom of the phone to show all installed apps.
      2. At the bottom, select Work to display apps installed in the work profile.
      3. Personal will show your regular apps.
  3. Confirm App Installation in Ivanti.
    1. In the Ivanti dashboard, navigate to Devices > Devices.
    2. Locate your device by name or model number.
    3. Click on your device, then select the Installed Apps tab.
    4. Wait a few minutes for the Knox Service Plugin (KSP) app to appear in the list of installed apps.
      The KSP app and any other configured apps should be installed automatically.
  4. Activate and Update KSP.
    1. On the device, open the Knox Service Plugin app from the Work profile.
    2. The work profile should display a configuration and indicate a successful setup.
    3. If the configuration is not successful, tap the APPLY LATEST POLICIES button to update it.
  5. Add Google Play Account to Work Profile.
    1. On your Samsung device, add your Google Play store account to the Work profile. (Navigate to Android Settings > Manage Accounts > Work > Add Account.)
  6. Install the Cisco Zero Trust Access App.
    1. In the work profile, open the Play Store app and ensure the correct Google Play account is selected.
    2. In the search field, enter Cisco Zero Trust Access or the app ID com.cisco.secureclient.zta.
    3. Tap and install the Cisco Zero Trust Access app or use this direct link.
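
An optional post-install check, added here as an example and not part of Cisco's procedure: it confirms over adb that com.cisco.secureclient.zta is installed in the managed (work) profile. It assumes a test device where USB debugging is permitted by your MDM policy; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the ZTA app landed in the managed (work) profile.
PKG="com.cisco.secureclient.zta"   # package name from the ZTNA Policy step

# Constructed sample of `pm list users` output (not captured from a real device).
SAMPLE_USERS='Users:
	UserInfo{0:Owner:c13} running
	UserInfo{10:Work profile:1030} running'

# Read `pm list users` output on stdin and print the id of each managed profile.
# Each entry is UserInfo{id:name:hexflags}; bit 0x20 is FLAG_MANAGED_PROFILE.
managed_profile_ids() {
    sed -n 's/.*UserInfo{\([0-9][0-9]*\):.*:\([0-9a-fA-F][0-9a-fA-F]*\)}.*/\1 \2/p' |
    while read -r id flags; do
        if [ $(( 0x$flags & 0x20 )) -ne 0 ]; then
            echo "$id"
        fi
    done
}

# Read `pm list packages` output on stdin; succeed only on an exact name match.
# pm's filter argument is a substring match, so compare whole lines.
has_exact_package() {
    tr -d '\r' | grep -qxF "package:$1"
}

# Live check against an attached device (requires adb and USB debugging).
check_device() {
    ids=$(adb shell pm list users | managed_profile_ids)
    if [ -z "$ids" ]; then
        echo "FAIL: no work profile found"; return 2
    fi
    for id in $ids; do
        if adb shell pm list packages --user "$id" "$PKG" | has_exact_package "$PKG"; then
            echo "OK: $PKG is installed in work profile (user $id)"
        else
            echo "FAIL: $PKG is missing from work profile (user $id)"; return 1
        fi
    done
}

# Run the live check only when asked: sh check_zta.sh --device
if [ "${1:-}" = "--device" ]; then
    check_device
fi
```

A FAIL result for the work profile usually means the app was installed from the personal Play Store account instead of the work one.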

Enroll the Device in Zero Trust Access

If you do not use an EMM/MDM tool to install the app, either you or the end user can install the app from the Google Play store. After the app is installed, either you or the user can enroll the app in Zero Trust Access.

If applicable, you can give these instructions to the end user:

  1. If your administrator has not yet installed the Zero Trust Access app on your device:
    Install the app from the Google Play store.
  2. The first time you start the Zero Trust Access app, if your administrator has not yet enrolled your device, the app will prompt you to enroll in Zero Trust Access.
  3. In order to enroll your device for Zero Trust Access, you will need your work email address and your single sign-on credentials.
  4. Start the Zero Trust app. 
  5. Follow the instructions on the screens.
    1. Important! You must allow notifications or the app will not work!
    2. You will be prompted to sign in using Single sign-on credentials.
    3. When you see an Approve prompt, verify that the information on the screen is correct, then tap Approve.
    4. You may need to sign in again the first time you access an application on your network.
  6. You may be required to sign in again periodically in order to access applications on your network. This is expected.

Notes for administrators

