Certificate template - Certificate won't be imported in CISCO AnyConnect

JK
Jan Kruse
Dataport AöR

Hi,

let me outline the situation in our company.

We use the SCEP device template with the serial number as identifier. See attached: screen 1.

We use Android Enterprise "Fully Managed Devices" with Samsung Galaxy S9 (Android 10).

We use Managed Google Play and push CISCO AnyConnect with managed configuration on the device. In managed configuration we set “KeyChain certificate alias” to %SERIALNUM%

Expected behaviour:

To import the device certificate in AnyConnect

Actual behaviour:

The certificate can’t be imported.

Reason:

Maybe a wrong implementation of SOTI? CISCO describes the functionality and how it should work here: Managed Configuration for AnyConnect for Android - Cisco

The device certificate doesn’t have the serial number as its identifier. That means the certificate won’t be found by serial number. See attached: screen 3.

What can we do so that the certificate will be imported automatically in CISCO AnyConnect?

Screen 1

Screen 2 (Overview in MobiControl, Security panel)

Screen 3

4 years ago
Android
ANSWERS
RC
Raymond Chan Diamond Contributor
4 years ago

Support of some macros in AppConfig parameters of managed Google apps has only been added quite recently. What are the version and build numbers of your MobiControl server?

JK
Jan Kruse
4 years ago

Hi Raymond,

we have the newest MobiControl version. CISCO describes the requirements.

When this value is present, AnyConnect will call KeyChain.choosePrivateKeyAlias to start the import (if the alias has not already been imported). Normally, this will result in an OS prompt for the user to approve the request. For a more seamless user experience, the EMM app may implement onChoosePrivateKeyAlias to avoid prompting the user.

Most EMM portals allow the admin to input a special tokenized value for the vpn_keychain_cert_alias field. Once the EMM app has imported the certificate into Android KeyChain, it will use the actual certificate alias in place of the special token.

Note: the value of vpn_keychain_cert_alias must match the actual KeyChain alias of the certificate. Otherwise, the user may be prompted repeatedly because AnyConnect thinks the certificate has not been imported.

To recap the process of EMM provisioning of a client certificate:

  1. EMM app obtains the certificate (e.g. via SCEP) and imports it into Android KeyChain.
  2. (Recommended) EMM app implements DeviceAdminReceiver.onChoosePrivateKeyAlias() so AnyConnect will be auto-approved to use the certificate.
  3. EMM app sets the KeyChain alias of the imported certificate into the vpn_keychain_cert_alias field of AnyConnect's managed configuration.

@SOTI: can you have a look and tell me more about your implementation?

I need this functionality for thousands of devices.

Regards,

Jan
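
The auto-approval step (step 2 in the recap above), as an added example written for this thread and not code from Cisco, SOTI or the poster. It assumes the EMM agent is device owner, that the AnyConnect package name is `com.cisco.anyconnect.vpn.android.avf` (verify against the Play listing) and a hypothetical alias `device-cert` under which the SCEP certificate was installed; any other calling app still gets the normal OS prompt.

```java
import android.app.admin.DeviceAdminReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.Uri;
import android.util.Log;

public class EmmAdminReceiver extends DeviceAdminReceiver {
    private static final String TAG = "EmmAdminReceiver";

    // Assumption: Play Store package name of Cisco AnyConnect; confirm for your deployment.
    private static final String ANYCONNECT_PKG = "com.cisco.anyconnect.vpn.android.avf";

    // Hypothetical KeyChain alias used when the SCEP certificate was installed
    // (e.g. via DevicePolicyManager.installKeyPair). The same string must be
    // pushed to AnyConnect in its vpn_keychain_cert_alias managed-config field,
    // otherwise AnyConnect keeps prompting because the aliases never match.
    private static final String DEVICE_CERT_ALIAS = "device-cert";

    @Override
    public String onChoosePrivateKeyAlias(Context context, Intent intent, int uid,
                                          Uri uri, String alias) {
        // Only grant the device key silently to the VPN client. Returning null
        // falls back to the standard KeyChain chooser dialog for the user.
        PackageManager pm = context.getPackageManager();
        String[] pkgs = pm.getPackagesForUid(uid);
        if (pkgs == null) {
            return null;
        }
        for (String pkg : pkgs) {
            if (ANYCONNECT_PKG.equals(pkg)) {
                // AnyConnect passes the alias it got from managed configuration;
                // approve only the alias we actually installed.
                if (DEVICE_CERT_ALIAS.equals(alias)) {
                    return DEVICE_CERT_ALIAS;
                }
                Log.w(TAG, "AnyConnect requested unexpected alias: " + alias);
                return null;
            }
        }
        return null;
    }
}
```

Register the receiver as the device-admin component in the manifest; the callback is only invoked for a device owner or profile owner, and a mismatch between the installed alias and the managed-config value shows up in logcat as the warning above.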

JK
Jan Kruse
4 years ago

Dear SOTI Team,

is there anybody who can have a look?

Regards,

Jan

JK
Jan Kruse
4 years ago

Hi,

after many calls with SOTI and many supporters I got a solution. It could be interesting for you.

This issue is already fixed and released under version 15.2.3. So the customer has to upgrade to version 15.2.3.

Note: Most important, the customer is sending the wrong value of 'vpn_connection_keychain_cert_alias' in the managed configuration. It should be in the format '%CertificateTemplate_template_name%', where 'template_name' is the certificate template name.

Regards,

Jan