CSC and Additional MDMs

Overview

The Cisco Security Connector (CSC) for iOS is full Umbrella DNS protection for your iPhone. Before consulting this guide for deployments, please read our CSC deployment guide. Your device must be in the supervised mode to utilize the CSC. 

This document overviews additional mobile device management (MDM) software support for the CSC. These MDMs have been validated by a successful deployment, but are not yet present on the Dashboard directly. 

All MDMs

The following steps apply for deployment to all MDMs. Please follow these steps first!

1. Ensure your admin email address is added to the dashboard under the Mobile Devices page, settings option
2. Download the Umbrella Root CA .cer file for use on the iOS device. This certificate allows for errorless HTTPS block pages. To obtain the Root CA:
   1. Navigate to Deployments > Configuration > Root Certificate.
   2. Click "Download Certificate".
   3. Save as a .cer file.

Mobile Iron Cloud

Currently, the Mobile Iron download on the dashboard supports the on prem version only. The Cloud version utilizes different device variables than the on premise software. Deployment is very similar to on prem, with several exceptions. MobileIron Core depending on version may or may not require this modification. To deploy to Mobile Iron Cloud:

1. Ensure your admin email address is added to the dashboard under the Mobile Devices page, settings option.
2. Download the Mobile Iron profile from the Umbrella dashboard.
3. Replace the variable “$DEVICE_SN$” to ${deviceSN} 
4. Replace* the variable “$DEVICE_MAC$” to ${deviceWifiMacAddress} (*This is only used for the Clarity component of the CSC, not used for the Umbrella component. If you do not use Clarity, there will be no $DEVICE_MAC$ to replace.)

Citrix MDM

Currently, the Mobile Iron download on the dashboard supports the on prem version only. The Cloud version utilizes different device variables than the on premise software. Deployment is very similar to on prem, with several exceptions. To deploy to Mobile Iron Cloud:

Preparation steps:

1. Ensure your admin email address is added to the dashboard under the Mobile Devices page, settings option.-Cisco Steps-
2. Download the generic MDM config from Umbrella & AMP
3. Download the root cert for Umbrella
4. Modify the configuration & replace the generic place-holder for Serial_Number with ${device.serialnumber} and MAC_Address (only required if using Clarity) with ${device.MAC_ADDRESS} the correct variable for the Citrix MDM.

MDM Steps:

1. Configure the MDM to install the CSC app using VPP (volume purchase program, now called Apple business manager (ABM)).
2. Upload the Clarity configuration that you modified in the preparation steps (above)
3. Upload the Umbrella configuration that you modified in preparation steps (above)
4. Upload the certificate (ideally use the desktop version to perform this) for the device to trust the Umbrella root Certificate Authority.
5. Configure the policies to push the 2 profiles, 1 CA & the 1 CSC app to the required device(s)

JAMF

Deploying the CSC with JAMF requires significant profile modification. Follow the steps below to deploy the CSC with JAMF MDM.  

1. Looking for a step by step guide with images? See the attached JAMF PDF!
2. Ensure your admin email address is added to the dashboard under the Mobile Devices page, settings option.
3. Add the root CA
   1. New > Certificate.
   2. Configure.
   3. Provide a name for the certificate select Upload Certificate.
   4. Upload the .cer from above.
   5. Upload, leaving the password field blank.
   6. Apply to the scope of your devices to push out this certificate.
4. Download the generic profile from the Umbrella dashboard
5. Using JAMF Pro v.10.2.0 or higher? Skip this step. You may import as-is, just add the following.
   <key>serialNumber</key>
   <string>$SERIALNUMBER</string>
   <key>label</key>
   <string>$DEVICENAME</string>
   
   1. Using a lower JAMF version? Edit the XML profile extensively as follows in this example profile. Remove any red, bold text and add any blue, italic underlined text. Do not copy this example, it is not functional as-is. Only use the generic download configuration from your dashboard.  
      
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
      <plist version="1.0">
      <dict>
      <key>PayloadContent</key>
      <array>
      <dict>
      <key>AppBundleIdentifier</key>
      <string>com.cisco.ciscosecurity.app</string>
      <key>PayloadDescription</key>
      <string>Cisco Umbrella</string>
      <key>PayloadDisplayName</key>
      <string>Cisco Umbrella</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.dnsProxy.managed.DBE2A157-E134-3E8C-B4FB-23EDF48A0CD1</string>
      <key>PayloadType</key>
      <string>com.apple.dnsProxy.managed</string>
      <key>PayloadUUID</key>
      <string>59401AAF-CDBF-4FD7-9250-443A58EAD706</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>ProviderBundleIdentifier</key>
      <string>com.cisco.ciscosecurity.app.CiscoUmbrella</string>
      <key>ProviderConfiguration</key>
      <dict>
      <key>disabled</key>
      <false/>
      <key>internalDomains</key>
      <array>
      <string>10.in-addr.arpa</string>
      <string>16.172.in-addr.arpa</string>
      <string>17.172.in-addr.arpa</string>
      <string>18.172.in-addr.arpa</string>
      <string>19.172.in-addr.arpa</string>
      <string>20.172.in-addr.arpa</string>
      <string>21.172.in-addr.arpa</string>
      <string>22.172.in-addr.arpa</string>
      <string>23.172.in-addr.arpa</string>
      <string>24.172.in-addr.arpa</string>
      <string>25.172.in-addr.arpa</string>
      <string>26.172.in-addr.arpa</string>
      <string>27.172.in-addr.arpa</string>
      <string>28.172.in-addr.arpa</string>
      <string>29.172.in-addr.arpa</string>
      <string>30.172.in-addr.arpa</string>
      <string>31.172.in-addr.arpa</string>
      <string>168.192.in-addr.arpa</string>
      <string>local</string>
      <string>cisco.com</string>
      </array>
      <key>logLevel</key>
      <string>{pre-filled in the download}</string>
      <key>orgAdminAddress</key>
      <string>{pre-filled in the download}</string>
      <key>organizationId</key>
      <string>{pre-filled in the download}</string>
      <key>regToken</key>
      <string>{pre-filled in the download}</string>
      <key>serialNumber</key>
      <string>$SERIALNUMBER</string>
      <key>label</key>
      <string>$DEVICENAME</string>
      </dict>
      </dict>
      </array>
      <key>PayloadDisplayName</key>
      <string>Cisco Security</string>
      <key>PayloadIdentifier</key>
      <string>com.cisco.ciscosecurity.app.CiscoUmbrella.{pre-filled in the download}</string>
      <key>PayloadRemovalDisallowed</key>
      <false/>
      <key>PayloadType</key>
      <string>Configuration</string>
      <key>PayloadUUID</key>
      <string>{pre-filled in the download}</string>
      <key>PayloadVersion</key>
      <integer>{pre-filled in the download}</integer>
      </dict>
      </plist>
6. Import to JAMF:
   1. Under the main MDM configuration window, click New to create a new profile.
      Note: This must be a separate profile and must not be used with the certificate profile created above. In order for the app to work, these two profiles must be pushed to the device separately.
   2. Name the profile and scroll to DNS Proxy.
   3. Click Configure under the DNS proxy.
   4. Set the proxy configuration to Umbrella details:

      1. Set APP BUNDLE ID:
         com.cisco.ciscosecurity.app

      2. Set PROVIDER BUNDLE ID:
         com.cisco.ciscosecurity.app.CiscoUmbrella

      3. Paste the edited XML content from Umbrella
         into the PROVIDER CONFIGURATION
         XML section.

   5. Click Scope and apply to the proper scope of devices.