Skip to main content

Cisco Security Connector and Additional MDMs

Alexander Harrison
  • Updated
  • min read

Overview

 

 

The Cisco Security Connector (CSC) for iOS is full Umbrella DNS protection for your iPhone. Before consulting this guide for deployments, please read our CSC deployment guide. Your device must be in the supervised mode to utilize the CSC. 

This document overviews additional mobile device management (MDM) software support for the CSC. These MDMs have been validated by a successful deployment, but are not yet present on the Dashboard directly. 

To verify that a profile exists on an iOS device, open your iOS device and navigate to:

Settings->General->Device Management->Profile Name->more details  and look for the profile type "DNS Proxy" with app and provider bundle details com.cisco.ciscosecurity.app and com.cisco.ciscosecurity.ciscoumbrella respectively.

The iOS profile details to configure can be found on Apple's MDM site at https://support.apple.com/guide/mdm/dns-proxy-payload-settings-mdm500f65271/web.

 

All MDMs

 

 

The following steps apply for deployment to all MDMs. Please follow these steps first!

  1. Ensure your admin email address is added to the dashboard under the Mobile Devices page, settings option
  2. Download the Umbrella Root CA .cer file for use on the iOS device. This certificate allows for errorless HTTPS block pages. To obtain the Root CA:
    1. Navigate to Deployments > Configuration > Root Certificate.
    2. Click "Download Certificate".
    3. Save as a .cer file.

 

Mobile Iron Cloud

 

 

Currently, the Mobile Iron download on the dashboard supports the on prem version only. The Cloud version utilizes different device variables than the on premise software. Deployment is very similar to on prem, with several exceptions. MobileIron Core depending on version may or may not require this modification. To deploy to Mobile Iron Cloud:

  1. Ensure your admin email address is added to the dashboard under the Mobile Devices page, settings option.
  2. Download the Mobile Iron profile from the Umbrella dashboard.
  3. Replace the variable “$DEVICE_SN$” to ${deviceSN} 
  4. Replace* the variable “$DEVICE_MAC$” to ${deviceWifiMacAddress} (*This is only used for the Clarity component of the CSC, not used for the Umbrella component. If you do not use Clarity, there will be no $DEVICE_MAC$ to replace.)

  

Citrix Endpoint Management MDM

 

 

To deploy to Citrix:

Preparation steps:

  1. Ensure your admin email address is added to the dashboard under the Mobile Devices page, settings option.-Cisco Steps-
  2. Download the generic MDM config from Umbrella (AMP is configured in the same way)
  3. Download the root cert for Umbrella
  4. Modify the configuration & replace the generic place-holder for Serial_Number with ${device.serialnumber} and MAC_Address (only required if using Clarity) with ${device.MAC_ADDRESS} the correct variable for the Citrix MDM.

MDM Steps:

  1. Configure the MDM to install the CSC app using VPP (volume purchase program, now called Apple business manager (ABM)).
  2. Upload the Umbrella and/or Clarity configuration modified in the preparation steps (above)
    1. Use the steps here to import the profile: https://docs.citrix.com/en-us/citrix-endpoint-management/policies/import-ios-mac-os-x-profile-policy.html
  3. Upload the certificate for the device to trust the Umbrella root Certificate Authority.
  4. Configure the policies to push the profiles, 1 CA & the 1 CSC app to the required device(s)

 

Lightspeed MDM

 

 

Lightspeed MDM supports text-based configuration of the iOS DNS proxy. This can be accomplished with a modification of the generic MDM profile. 

  1. Download the “generic mobileconfig file” and change the file extension from .xml to .txt.
  2. Open the file and change the placeholder serial number string on line 58 to %serial_number%
  3. In Lightspeed, add the Cisco Security Connection to the DNS Proxy Profile as shown below
    image001__3_.png
  4. Add the modified generic mobileconfig file to the DNS proxy configuration option underneath of the App.image002.png
  5. Finally, download the Cisco Root CA from and deploy it in Lightspeed to ensure certificate-free block pages.image003.png

The following steps apply for deployment to all MDMs. Please follow these steps first!

 

JAMF Schools

 

 

Deploying CSC with JAMF Schools differs from JAMF. Start with the generic profile and see the steps at https://docs.jamf.com/jamf-school/deploy-guide-docs/Setting_Up_the_Cisco_Security_Connector_App_with_Jamf_School.html.

 

Below is an example configuration of where to select and which variable to use for serial number:

  • <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>PayloadContent</key>
    <array>
    <dict>
    <key>AppBundleIdentifier</key>
    <string>com.cisco.ciscosecurity.app</string>
    <key>PayloadDescription</key>
    <string>Cisco Umbrella</string>
    <key>PayloadDisplayName</key>
    <string>Cisco Umbrella</string>
    <key>PayloadIdentifier</key>
    <string>com.apple.dnsProxy.managed.{pre-filled in the download}</string>
    <key>PayloadType</key>
    <string>com.apple.dnsProxy.managed</string>
    <key>PayloadUUID</key>
    <string>{pre-filled in the download}</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>ProviderBundleIdentifier</key>
    <string>com.cisco.ciscosecurity.app.CiscoUmbrella</string>
    <key>ProviderConfiguration</key>
    <dict>
    <key>disabled</key>
    <false/>
    <!-- Copy from here to paste into the Jamf School UI to provision a DNS proxy -->
    <dict>
    <key>disabled</key>
    <false/>
    <key>internalDomains</key>
    <array>
    <string>10.in-addr.arpa</string>
    <string>16.172.in-addr.arpa</string>
    <string>17.172.in-addr.arpa</string>
    <string>18.172.in-addr.arpa</string>
    <string>19.172.in-addr.arpa</string>
    <string>20.172.in-addr.arpa</string>
    <string>21.172.in-addr.arpa</string>
    <string>22.172.in-addr.arpa</string>
    <string>23.172.in-addr.arpa</string>
    <string>24.172.in-addr.arpa</string>
    <string>25.172.in-addr.arpa</string>
    <string>26.172.in-addr.arpa</string>
    <string>27.172.in-addr.arpa</string>
    <string>28.172.in-addr.arpa</string>
    <string>29.172.in-addr.arpa</string>
    <string>30.172.in-addr.arpa</string>
    <string>31.172.in-addr.arpa</string>
    <string>168.192.in-addr.arpa</string>
    <string>local</string>
    </array>
    <key>logLevel</key>
    <string>verbose</string>
    <key>orgAdminAddress</key>
    <string>{pre-filled in the download}</string>
    <key>organizationId</key>
    <string>{pre-filled in the download}</string>
    <key>regToken</key>
    <string>{pre-filled in the download}</string>
    <key>serialNumber</key>
    <string> %SerialNumber% </string>
    </dict>
    <!-- End copy -->
    <key>PayloadDisplayName</key>
    <string>Cisco Security</string>
    <key>PayloadIdentifier</key>
    <string>com.cisco.ciscosecurity.app.CiscoUmbrella.{pre-filled in the download}</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>{pre-filled in the download}</string>
    <key>PayloadVersion</key>
    <integer>{pre-filled in the download}</integer>
    </dict>
    </plist>

  • Create a new profile in Jamf School.
    For more information, see Device Profiles.

  • Use the DNS Proxy payload to configure the following settings:

    1. Enter "com.cisco.ciscosecurity.app" in the App Bundle ID field.

    2. Enter "com.cisco.ciscosecurity.app.CiscoUmbrella" in the Provider Bundle ID field.

  • Add the XML file you created in step 2 to the Provider Configuration.

 

JAMF below 10.2.0

 

 

Deploying the CSC with JAMF requires significant profile modification. Follow the steps below to deploy the CSC with JAMF MDM.  

  1. Looking for a step by step guide with images? See the attached JAMF PDF!
  2. Ensure your admin email address is added to the dashboard under the Mobile Devices page, settings option.
  3. Add the root CA
    1. New > Certificate.
    2. Configure.
    3. Provide a name for the certificate select Upload Certificate.
    4. Upload the .cer from above.
    5. Upload, leaving the password field blank.
    6. Apply to the scope of your devices to push out this certificate.
  4. Download the generic profile from the Umbrella dashboard
  5. Using JAMF Pro v.10.2.0 or higher? Skip this step. You may import as-is, just add the following.
    <key>serialNumber</key>
    <string>$SERIALNUMBER</string>
    <key>label</key>
    <string>$DEVICENAME</string>
    1. Using a lower JAMF version? Edit the XML profile extensively as follows in this example profile. Remove any red, bold text and add any blue, italic underlined text. Do not copy this example, it is not functional as-is. Only use the generic download configuration from your dashboard.  

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
      <plist version="1.0">
      <dict>
      <key>PayloadContent</key>
      <array>
      <dict>
      <key>AppBundleIdentifier</key>
      <string>com.cisco.ciscosecurity.app</string>
      <key>PayloadDescription</key>
      <string>Cisco Umbrella</string>
      <key>PayloadDisplayName</key>
      <string>Cisco Umbrella</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.dnsProxy.managed.DBE2A157-E134-3E8C-B4FB-23EDF48A0CD1</string>
      <key>PayloadType</key>
      <string>com.apple.dnsProxy.managed</string>
      <key>PayloadUUID</key>
      <string>59401AAF-CDBF-4FD7-9250-443A58EAD706</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>ProviderBundleIdentifier</key>
      <string>com.cisco.ciscosecurity.app.CiscoUmbrella</string>
      <key>ProviderConfiguration</key>
      <dict>
      <key>disabled</key>
      <false/>
      <key>internalDomains</key>
      <array>
      <string>10.in-addr.arpa</string>
      <string>16.172.in-addr.arpa</string>
      <string>17.172.in-addr.arpa</string>
      <string>18.172.in-addr.arpa</string>
      <string>19.172.in-addr.arpa</string>
      <string>20.172.in-addr.arpa</string>
      <string>21.172.in-addr.arpa</string>
      <string>22.172.in-addr.arpa</string>
      <string>23.172.in-addr.arpa</string>
      <string>24.172.in-addr.arpa</string>
      <string>25.172.in-addr.arpa</string>
      <string>26.172.in-addr.arpa</string>
      <string>27.172.in-addr.arpa</string>
      <string>28.172.in-addr.arpa</string>
      <string>29.172.in-addr.arpa</string>
      <string>30.172.in-addr.arpa</string>
      <string>31.172.in-addr.arpa</string>
      <string>168.192.in-addr.arpa</string>
      <string>local</string>
      <string>cisco.com</string>
      </array>
      <key>logLevel</key>
      <string>{pre-filled in the download}</string>
      <key>orgAdminAddress</key>
      <string>{pre-filled in the download}</string>
      <key>organizationId</key>
      <string>{pre-filled in the download}</string>
      <key>regToken</key>
      <string>{pre-filled in the download}</string>
      <key>serialNumber</key>
      <string>$SERIALNUMBER</string>
      <key>label</key>
      <string>$DEVICENAME</string>
      </dict>
      </dict>
      </array>
      <key>PayloadDisplayName</key>
      <string>Cisco Security</string>
      <key>PayloadIdentifier</key>
      <string>com.cisco.ciscosecurity.app.CiscoUmbrella.{pre-filled in the download}</string>
      <key>PayloadRemovalDisallowed</key>
      <false/>
      <key>PayloadType</key>
      <string>Configuration</string>
      <key>PayloadUUID</key>
      <string>{pre-filled in the download}</string>
      <key>PayloadVersion</key>
      <integer>{pre-filled in the download}</integer>
      </dict>
      </plist>
  6. Import to JAMF:
    1. Under the main MDM configuration window, click New to create a new profile.
      Note: This must be a separate profile and must not be used with the certificate profile created above. In order for the app to work, these two profiles must be pushed to the device separately.
    2. Name the profile and scroll to DNS Proxy.
    3. Click Configure under the DNS proxy.
    4. Set the proxy configuration to Umbrella details:

      1. Set APP BUNDLE ID:
        com.cisco.ciscosecurity.app

      2. Set PROVIDER BUNDLE ID:
        com.cisco.ciscosecurity.app.CiscoUmbrella

      3. Paste the edited XML content from Umbrella
        into the PROVIDER CONFIGURATION
        XML section.

    5. Click Scope and apply to the proper scope of devices.

 

 

InTune

 

 

InTune is now directly added into the dashboard - https://docs.umbrella.com/deployment-umbrella/docs/intune-registration.  Please refer to our official docs.

This older article may help for some use cases: this PDF instruction guide. Note:  The PDF instruction guide above references the need to modify the generic profile.  This is no longer necessary as the preconfigured profile is available straight from the dashboard. 

Note:

Clarity is a product of Cisco AMP for Endpoints; If you are not currently licensed for this product, please skip the related setup portion.

 

 

 

Mosyle

 

 

Mosyle support is in the form of the DNS Proxy configuration.

App Bundle ID: com.cisco.ciscosecurity.app

Provider Bundle ID: com.cisco.ciscosecurity.app.CiscoUmbrella

Add the content within the XML <key>ProviderConfiguration</key> to the Mosyle Provider Configuration field:

<dict>
<key>anonymizationLevel</key>
<integer>0</integer>

***

<key>serialNumber</key>
<string>%SerialNumber%</string>
</dict>

Note: the settings require the devices to be scoped to receive the configuration, and scopes are not added by default.

 

Securly

 

 

Configure Securly on the dns-proxy profile page.

App identifier - com.cisco.ciscosecurity.app

Bundle identifier - com.cisco.ciscosecurity.app.CiscoUmbrella

Start with the JAMF deployment template - and edit the the file into a .plist with only the <dict> through </dict> inside the comments. That will look like the following. Replace the serialNumber key with "$serialnumber" for Securly. Then upload to the dns-proxy configuration.

 

  1. <dict>
    <key>disabled</key>
    <false/>
    <key>internalDomains</key>
    <array>
    <string>10.in-addr.arpa</string>
    <string>16.172.in-addr.arpa</string>
    <string>17.172.in-addr.arpa</string>
    <string>18.172.in-addr.arpa</string>
    <string>19.172.in-addr.arpa</string>
    <string>20.172.in-addr.arpa</string>
    <string>21.172.in-addr.arpa</string>
    <string>22.172.in-addr.arpa</string>
    <string>23.172.in-addr.arpa</string>
    <string>24.172.in-addr.arpa</string>
    <string>25.172.in-addr.arpa</string>
    <string>26.172.in-addr.arpa</string>
    <string>27.172.in-addr.arpa</string>
    <string>28.172.in-addr.arpa</string>
    <string>29.172.in-addr.arpa</string>
    <string>30.172.in-addr.arpa</string>
    <string>31.172.in-addr.arpa</string>
    <string>168.192.in-addr.arpa</string>
    <string>local</string>
    <string>cisco.com</string>
    </array>
    <key>logLevel</key>
    <string>{pre-filled in the download}</string>
    <key>orgAdminAddress</key>
    <string>{pre-filled in the download}</string>
    <key>organizationId</key>
    <string>{pre-filled in the download}</string>
    <key>regToken</key>
    <string>{pre-filled in the download}</string>
    <key>serialNumber</key>
    <string>$serialnumber</string>

    </dict>

Was this article helpful?

3 out of 5 found this helpful
Have more questions? Submit a request

Related articles