With many more people working remotely, tools like Windows Autopilot that enable users to self-deploy corporate laptops without needing the corporate network or IT assistance are extremely powerful.
If always-on is enabled, and a captive portal is not present, the client continues to attempt to connect to the VPN and updates the status message accordingly.If always-on VPN is enabled, the connect failure policy is closed, captive portal remediation is disabled, and AnyConnect detects the presence of a captive portal, the AnyConnect GUI displays the following message once per connection and once per reconnect. Cisco has disclosed a zero-day vulnerability, tracked as CVE-2020-3556, in the Cisco AnyConnect Secure Mobility Client software with the public availability of a proof-of-concept exploit code. The CVE-2020-3556 flaw resided in the interprocess communication (IPC) channel of Cisco AnyConnect Client, it can be exploited by authenticated and local. When 'Always On' is enabled, then the GUI cannot be exited, so even this work-around is not possible and the user must completely exit the Vault in order to attempt a new connection. Conditions: A quarantined AnyConnect VPN connection made from within the CSD Vault.
However, for organisations that use Active Directory and have their devices set-up as Hybrid Azure AD Joined devices, Windows Autopilot fell foul of VPN connectivity making Hybrid Windows Autopilot a missed opportunity.
Windows Autopilot until now has only worked 100% remotely for Azure AD Joined devices. For devices which are Hybrid Azure AD Joined via Active Directory, Windows Autopilot could fail as it required the device to have line-of-sight to a Domain Controller to perform the Domain Join operation. With the introduction of support for Hybrid Windows Autopilot over VPN (Bring Your Own VPN as the Microsoft documentation calls it) the game has changed.
The way it works, to get 100% remotely deployable Hybrid Windows Autopilot devices is like this; skip the check during the deployment for domain connectivity until the device is able to establish a VPN connection. How does it do the VPN connection you ask? Well through your Microsoft Intune Configuration Profiles of course.
Deploying VPN via Microsoft Intune
Deployment of a VPN connection, software package, or other type of VPN connection via Intune is not new: we’ve had this option for some time. I’m not going to dwell on that for this post as we have another one in the works talking about some of the Microsoft options for VPN focusing on security.
To work with Windows Autopilot, however, you need to make sure that the VPN solution being deployed is going to be compatible with Hybrid Windows Autopilot.
Hybrid Windows Autopilot VPN compatibility
To work, the solution must use device authentication and not user authentication. As a new machine, the user has never logged on before so we don’t have a cached credential for them to use. This is the reason for the VPN connection prior to the user logging in. We need to establish the connection from the Windows 10 login screen using the Network Sign-in option.
Microsoft doesn’t provide an exhaustive list of supported solutions but there are some third-party solutions that are expected to work.
- Cisco AnyConnect
- Pule Secure
- GlobalProtect
- Checkpoint
- Citrix NetScaler
- SonicWall
- F5 BIG-IP Edge Client
Of course not included in this list but supported is Windows 10 Always On VPN. To re-iterate, the key to success is that the connection must both be set-up to perform device authentication and also to support Windows 10 Network Sign-in at the login screen.
In order to use device authentication, we require a way to authenticate the device which generally means certificates. To get certificates on to a brand new device deployed with Autopilot, that means we don’t have domain connectivity so we can’t rely on Group Policy to push Active Directory Certificate Services settings and auto-enrolment of certificates to the device.
Deploying certificates for Hybrid Windows Autopilot devices
In order to get a certificate to the device as part of the Hybrid Windows Autopilot build process, we need to use something designed for the cloud. That solution is called SCEP or Simple Certificate Enrolment Protocol.
By integrating an on-premises Active Directory Domain Services (ADCS) Public Key Infrastructure with Microsoft Intune, we can deploy certificates to these devices via Microsoft Intune using a Device Configuration Profile.
This sounds complex and like a security concern but honestly, once you are familiar with how it works, it is quite secure due to the way the connectors work using outbound connections and not inbound connections (*). So long as the environment is set-up correctly and the various steps are followed, it also doesn’t need to be that complicated.
* this is assuming that you use Azure AD Application Proxy to publish the Network Device Enrolment (NDES) service but you can publish it via Web Application Proxy and other routes too.
The only real challenge is dealing with certificate validation through the Certificate Revocation List (CRL) and even that’s easily solved with a bit of automation and an Azure Storage Account that costs pennies per month.
With everything set-up and working, Windows Autopilot devices will be able to request and retrieve a certificate via Microsoft Intune from your on-premises PKI, trust the certificate by trusting your Certificate Authority, install any VPN clients that are required even if they are Win32 app and not just using the native Windows VPN client.
You can even use the same methodology with SCEP to deploy certificates and a VPN connection to Android, iOS, and macOS devices too.
Device deployment nirvana
With everything set-up and working correctly, you can achieve what you always wanted with Endpoint Configuration Manager but never could quite manage. A device that you can literally hand to a user, fresh out the box, set-up exactly how your organisation needs it, apps and all, no matter where the user is so long as they have an Internet connection.
If you want to be able to achieve this level of self-service and hands-off machine deployment or you want to get started with Microsoft Intune and find out more about what you can do with Azure Active Directory to assist in device management, let us know and we’ll be happy to assist.
The guarantee of Cisco Security
Imagine taking your corporate laptop and smartphone to wherever you feel most comfortable: public transport, a coffee shop, or a swanky hotel conference room. These are all public spaces where your personal information is at risk. When you jump unto an open WiFi connection, your device is exposed to possible phishing scams and data breaches. Instead of being confined to your desk, check out Cisco AnyConnect and experience freedom in working here and there, and everywhere. The infinite protection was created to ensure your organization is safe and protected no matter where you are. As a unified security endpoint agent, it delivers multiple security services for all. It has a wide range of security services like remote access, posture enforcement, web security features, and roaming protection. Overall, it has all the features necessary to provide a heavily-armed and highly secure experience for any user.
Gold-standard in cyber security
Protect yourself from hacking and data breaches with the best cyber security program available today
The Cisco AnyConnect Secure Mobility Client has raised the bar for end users who are looking for a secure network. No matter what operating system you or your workplace uses, Cisco enables highly secure connectivity for every device. As a mobile worker roaming to different locations, the always-on intelligent VPN efficiently adapts to a tunneling protocol. For example, AnyConnect’s Datagram Transport Layer Security (DTLS) thrives in offices that are constantly on VoIP applications. The impenetrable security keeps all your calls, messages, and files safe from outsiders. In AnyConnect version 4.4, you’ll experience a wide range of endpoint security services and streamlined IT operations from a single unified agent. Achieve tighter security controls and enable direct, highly secure, per-application access to corporate resources in Cisco’s mobile per-application VPN services. Trust AnyConnect’s strong compliance capabilities to block an endpoint’s compromised state and isolating the integrity of your company’s network. This is possible because of the software’s endpoint posture assessment and remediation capabilities of wired, wireless and VPN environments that are in conjunction with Cisco Identity Services Engine 1.3. Any out-of-compliance endpoints get automated remediation actions or commands based on policy requirements.
Work anywhere
Monitor endpoint application usage both on an off-premises with AnyConnect’s Network Visibility Module. Whether you use Windows or Mac OS X platforms, you can uncover potential behavior anomalies. It will assist you to make more informed network and service design decisions, which is always of big help. You can also share rich contextual data from the AnyConnect Network Visibility Module to the growing number of Internet Protocol Flow Export (IPFIX)-capable network-analysis tools. Of course, the AnyConnect client offers basic web security and malware threat defense. Choose from any of the built-in features like the premise-based Cisco Web Security Appliance, cloud-based Cisco Web Security, or Cisco Umbrella Roaming. Along with remote access, the comprehensive and highly secure enterprise mobility solution automatically blocks phishing and command-and-control attacks. Work in a protected and productive work environment by operating with consistent, context-aware security policies.
Connect with Ease
AnyConnect 4.4 offers simplified licensing to meet your company’s needs. The AnyConnect Plus includes basic VPN services such as device and per-application VPN, trusted network detection, basic device context collection, and Federal Information Processing Standards (FIPS) compliance. This plan also offers non-VPN related services like AnyConnect Network Access Manager, Cloud Web Security module, and the Cisco Umbrella Roaming module. The second and more advanced offer is AnyConnect Apex. This plan includes more advanced cybersecurity measures like endpoint posture checks, network visibility, next-generation VPN encryption, and clientless remote access VPN.
Whether you choose the Plus or Apex plan, Cisco guarantees that both licenses eliminate the need to purchase per headend connections and dedicated license servers. You must also think that Apex offers all Plus license functionality. In this case, only one type of license is required for each user. This model lets you design and combine license tiers in one network, shifting licensing from simultaneous connections to total unique users.
Where can you run this program?
AnyConnect version 4.4 is compatible with these operating systems and requirements: Windows, Mac, Android and iPhone
Is there a better alternative?
Cisco AnyConnect is an unbeatable provider of cybersecurity. But, creating your best work often needs strong, reliable and fast WiFI. With IPVanish, you can get the best of both worlds. Enjoy high-speed internet in a secure and private connection with this virtual private network app. The VPN service assures you that all your devices are protected from outside computers, smartphones, and routers. Their 360-degree approach to protection keeps you safe from hackers and snoopers, and at the same time, offers unlimited bandwidth on all platforms. This is a perfect match for you if you need supreme internet connectivity and cyber security.
Our take
Cisco AnyConnect Secure Mobility is a great solution for creating a flexible working environment. Work anywhere on any device while always protecting your interests and assets from Internet-based threats. Its availability does depend on Cisco hardware, but it is a minor-added expense to the safest cyber security network available today.
Should you download it?
Cisco Anyconnect For Windows 10
Yes. It is an excellent investment, and definitely worth downloading to your smartphone and PC.
Highs
- Complete user access
- Insightful user and endpoint behavior
- Single agent management
- Multiple Integrations
Cisco AnyConnect Secure Mobility Clientfor Windows
Meraki Always On Vpn
4.9.06037 Star story: the horizon escape download for mac.