Articles in this section

CSC and Additional MDMs

Avatar
Alexander Harrison
  • Updated
Follow

Overview

 

 

The Cisco Security Connector (CSC) for iOS is full Umbrella DNS protection for your iPhone. Before consulting this guide for deployments, please read our CSC deployment guide. Your device must be in the supervised mode to utilize the CSC. 

This document overviews additional mobile device management (MDM) software support for the CSC. These MDMs have been validated by a successful deployment, but are not yet present on the Dashboard directly. 

To verify that a profile exists on an iOS device, open your iOS device and navigate to:

Settings->General->Device Management->Profile Name->more details  and look for the profile type "DNS Proxy" with app and provider bundle details com.cisco.ciscosecurity.app and com.cisco.ciscosecurity.ciscoumbrella respectively.

 

All MDMs

 

 

The following steps apply for deployment to all MDMs. Please follow these steps first!

  1. Ensure your admin email address is added to the dashboard under the Mobile Devices page, settings option
  2. Download the Umbrella Root CA .cer file for use on the iOS device. This certificate allows for errorless HTTPS block pages. To obtain the Root CA:
    1. Navigate to Deployments > Configuration > Root Certificate.
    2. Click "Download Certificate".
    3. Save as a .cer file.

 

Mobile Iron Cloud

 

 

Currently, the Mobile Iron download on the dashboard supports the on prem version only. The Cloud version utilizes different device variables than the on premise software. Deployment is very similar to on prem, with several exceptions. MobileIron Core depending on version may or may not require this modification. To deploy to Mobile Iron Cloud:

  1. Ensure your admin email address is added to the dashboard under the Mobile Devices page, settings option.
  2. Download the Mobile Iron profile from the Umbrella dashboard.
  3. Replace the variable “$DEVICE_SN$” to ${deviceSN} 
  4. Replace* the variable “$DEVICE_MAC$” to ${deviceWifiMacAddress} (*This is only used for the Clarity component of the CSC, not used for the Umbrella component. If you do not use Clarity, there will be no $DEVICE_MAC$ to replace.)

  

Citrix MDM

 

 

To deploy to Citrix:

Preparation steps:

  1. Ensure your admin email address is added to the dashboard under the Mobile Devices page, settings option.-Cisco Steps-
  2. Download the generic MDM config from Umbrella & AMP
  3. Download the root cert for Umbrella
  4. Modify the configuration & replace the generic place-holder for Serial_Number with ${device.serialnumber} and MAC_Address (only required if using Clarity) with ${device.MAC_ADDRESS} the correct variable for the Citrix MDM.

MDM Steps:

  1. Configure the MDM to install the CSC app using VPP (volume purchase program, now called Apple business manager (ABM)).
  2. Upload the Clarity configuration that you modified in the preparation steps (above)
  3. Upload the Umbrella configuration that you modified in preparation steps (above)
  4. Upload the certificate (ideally use the desktop version to perform this) for the device to trust the Umbrella root Certificate Authority.
  5. Configure the policies to push the 2 profiles, 1 CA & the 1 CSC app to the required device(s)

 

Lightspeed MDM

 

 

Lightspeed MDM supports text-based configuration of the iOS DNS proxy. This can be accomplished with a modification of the generic MDM profile. 

  1. Download the “generic mobileconfig file” and change the file extension from .xml to .txt.
  2. Open the file and change the placeholder serial number string on line 58 to %serial_number%
  3. In Lightspeed, add the Cisco Security Connection to the DNS Proxy Profile as shown below
    image001__3_.png
  4. Add the modified generic mobileconfig file to the DNS proxy configuration option underneath of the App.image002.png
  5. Finally, download the Cisco Root CA from and deploy it in Lightspeed to ensure certificate-free block pages.image003.png

The following steps apply for deployment to all MDMs. Please follow these steps first!

JAMF

 

 

Deploying the CSC with JAMF requires significant profile modification. Follow the steps below to deploy the CSC with JAMF MDM.  

  1. Looking for a step by step guide with images? See the attached JAMF PDF!
  2. Ensure your admin email address is added to the dashboard under the Mobile Devices page, settings option.
  3. Add the root CA
    1. New > Certificate.
    2. Configure.
    3. Provide a name for the certificate select Upload Certificate.
    4. Upload the .cer from above.
    5. Upload, leaving the password field blank.
    6. Apply to the scope of your devices to push out this certificate.
  4. Download the generic profile from the Umbrella dashboard
  5. Using JAMF Pro v.10.2.0 or higher? Skip this step. You may import as-is, just add the following.
    <key>serialNumber</key>
    <string>$SERIALNUMBER</string>
    <key>label</key>
    <string>$DEVICENAME</string>
    1. Using a lower JAMF version? Edit the XML profile extensively as follows in this example profile. Remove any red, bold text and add any blue, italic underlined text. Do not copy this example, it is not functional as-is. Only use the generic download configuration from your dashboard.  

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
      <plist version="1.0">
      <dict>
      <key>PayloadContent</key>
      <array>
      <dict>
      <key>AppBundleIdentifier</key>
      <string>com.cisco.ciscosecurity.app</string>
      <key>PayloadDescription</key>
      <string>Cisco Umbrella</string>
      <key>PayloadDisplayName</key>
      <string>Cisco Umbrella</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.dnsProxy.managed.DBE2A157-E134-3E8C-B4FB-23EDF48A0CD1</string>
      <key>PayloadType</key>
      <string>com.apple.dnsProxy.managed</string>
      <key>PayloadUUID</key>
      <string>59401AAF-CDBF-4FD7-9250-443A58EAD706</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>ProviderBundleIdentifier</key>
      <string>com.cisco.ciscosecurity.app.CiscoUmbrella</string>
      <key>ProviderConfiguration</key>
      <dict>
      <key>disabled</key>
      <false/>
      <key>internalDomains</key>
      <array>
      <string>10.in-addr.arpa</string>
      <string>16.172.in-addr.arpa</string>
      <string>17.172.in-addr.arpa</string>
      <string>18.172.in-addr.arpa</string>
      <string>19.172.in-addr.arpa</string>
      <string>20.172.in-addr.arpa</string>
      <string>21.172.in-addr.arpa</string>
      <string>22.172.in-addr.arpa</string>
      <string>23.172.in-addr.arpa</string>
      <string>24.172.in-addr.arpa</string>
      <string>25.172.in-addr.arpa</string>
      <string>26.172.in-addr.arpa</string>
      <string>27.172.in-addr.arpa</string>
      <string>28.172.in-addr.arpa</string>
      <string>29.172.in-addr.arpa</string>
      <string>30.172.in-addr.arpa</string>
      <string>31.172.in-addr.arpa</string>
      <string>168.192.in-addr.arpa</string>
      <string>local</string>
      <string>cisco.com</string>
      </array>
      <key>logLevel</key>
      <string>{pre-filled in the download}</string>
      <key>orgAdminAddress</key>
      <string>{pre-filled in the download}</string>
      <key>organizationId</key>
      <string>{pre-filled in the download}</string>
      <key>regToken</key>
      <string>{pre-filled in the download}</string>
      <key>serialNumber</key>
      <string>$SERIALNUMBER</string>
      <key>label</key>
      <string>$DEVICENAME</string>
      </dict>
      </dict>
      </array>
      <key>PayloadDisplayName</key>
      <string>Cisco Security</string>
      <key>PayloadIdentifier</key>
      <string>com.cisco.ciscosecurity.app.CiscoUmbrella.{pre-filled in the download}</string>
      <key>PayloadRemovalDisallowed</key>
      <false/>
      <key>PayloadType</key>
      <string>Configuration</string>
      <key>PayloadUUID</key>
      <string>{pre-filled in the download}</string>
      <key>PayloadVersion</key>
      <integer>{pre-filled in the download}</integer>
      </dict>
      </plist>
  6. Import to JAMF:
    1. Under the main MDM configuration window, click New to create a new profile.
      Note: This must be a separate profile and must not be used with the certificate profile created above. In order for the app to work, these two profiles must be pushed to the device separately.
    2. Name the profile and scroll to DNS Proxy.
    3. Click Configure under the DNS proxy.
    4. Set the proxy configuration to Umbrella details:

      1. Set APP BUNDLE ID:
        com.cisco.ciscosecurity.app

      2. Set PROVIDER BUNDLE ID:
        com.cisco.ciscosecurity.app.CiscoUmbrella

      3. Paste the edited XML content from Umbrella
        into the PROVIDER CONFIGURATION
        XML section.

    5. Click Scope and apply to the proper scope of devices.

 

 

InTune

 

 

InTune added support in July 2019 - https://docs.microsoft.com/en-us/intune/whats-new. Microsoft  added variable support to ios custom policies which now includes the serial number parameter {{serialnumber}} (documented here -  https://docs.microsoft.com/en-us/intune/custom-settings-ios near the end). Thanks to this addition, the CSC may now be deployed to InTune MDM by making use of the {{serialnumber}} variable! 

For more details on how to deploy the CSC with InTune, refer to this PDF instruction guide attached to this article.

Note:

Clarity is a product of Cisco AMP for Endpoints; If you are not currently licensed for this product, please skip the related setup portion.

 

 

 

Mosyle

 

 

Mosyle support is in the form of the DNS Proxy configuration. Add the content between the main <dict> tags inside the Bundle name definitions. Note, the settings require the devices to be scoped to receive the configuration, and scopes are not added by default.

Securly

 

 

Configure Securly on the dns-proxy profile page.

App identifier - com.cisco.ciscosecurity.app

Bundle identifier - com.cisco.ciscosecurity.app.CiscoUmbrella

Start with the JAMF deployment template - and edit the the file into a .plist with only the <dict> through </dict> inside the comments. That will look like the following. Replace the serialNumber key with "$serialnumber" for Securly. Then upload to the dns-proxy configuration.

 

  1. <dict>
    <key>disabled</key>
    <false/>
    <key>internalDomains</key>
    <array>
    <string>10.in-addr.arpa</string>
    <string>16.172.in-addr.arpa</string>
    <string>17.172.in-addr.arpa</string>
    <string>18.172.in-addr.arpa</string>
    <string>19.172.in-addr.arpa</string>
    <string>20.172.in-addr.arpa</string>
    <string>21.172.in-addr.arpa</string>
    <string>22.172.in-addr.arpa</string>
    <string>23.172.in-addr.arpa</string>
    <string>24.172.in-addr.arpa</string>
    <string>25.172.in-addr.arpa</string>
    <string>26.172.in-addr.arpa</string>
    <string>27.172.in-addr.arpa</string>
    <string>28.172.in-addr.arpa</string>
    <string>29.172.in-addr.arpa</string>
    <string>30.172.in-addr.arpa</string>
    <string>31.172.in-addr.arpa</string>
    <string>168.192.in-addr.arpa</string>
    <string>local</string>
    <string>cisco.com</string>
    </array>
    <key>logLevel</key>
    <string>{pre-filled in the download}</string>
    <key>orgAdminAddress</key>
    <string>{pre-filled in the download}</string>
    <key>organizationId</key>
    <string>{pre-filled in the download}</string>
    <key>regToken</key>
    <string>{pre-filled in the download}</string>
    <key>serialNumber</key>
    <string>$serialnumber</string>

    </dict>

Related articles

Comments

0 comments

Please sign in to leave a comment.