70-21
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 70 Configuring Dynamic Access Policies
Configuring Endpoint Attributes Used in DAPs
Adding Mobile Posture Attributes to a DAP
Licensing
To use mobile posture, customers need an AnyConnect Mobile license and either an AnyConnect
Essentials or an AnyConnect Premium license installed on the ASA. The functionality you receive
depends on the license you install.
• AnyConnect Premium License Functionality
Enterprises that install the AnyConnect Premium license will be able to enforce DAP policies, on
supported mobile devices, based on these DAP attributes and any other existing endpoint attributes.
This includes allowing or denying remote access from a mobile device.
• AnyConnect Essentials License Functionality
Enterprises that install the AnyConnect Essentials license will be able to do the following:
– Enable or disable mobile device access on a per-group basis and configure that feature using
ASDM.
– Display information about connected mobile devices via CLI or ASDM, without the
ability to enforce DAP policies or to deny or allow remote access to those mobile devices.
Prerequisites
Configuring mobile posture attributes as selection criteria for DAP records is part of a larger process.
Read Configuring Dynamic Access Policies, page 70-10 before you configure Anti-Spyware and
Anti-Virus endpoint attributes.
Guidelines
• These mobile posture attributes can be included in a dynamic access policy and enforced without
installing Host Scan or Cisco Secure Desktop on the endpoint.
• Some mobile posture attributes are relevant only to the AnyConnect client running on mobile
devices; others are relevant to both AnyConnect clients running on mobile devices and
AnyConnect desktop clients.
• When specifying mobile posture attributes and application attributes in a dynamic access policy,
they both should be set to AnyConnect.
Detailed Steps
Step 1 In the Endpoint Attribute Type list box, select AnyConnect.
Step 2 Check the Client Version check box and set the operation field to be equal to (=), not equal to (!=), less
than (<), greater than (>), less than or equal to (<=), or greater than or equal to (>=) the AnyConnect
client version number you then specify in the Client Version field.
You can use this field to evaluate the client version on mobile devices, such as mobile phones and tablets,
or desktop and laptop devices.
Step 3 Check the Platform check box and set the operation field to be equal to (=), or not equal to (!=) the
operating system you then select from the Platform list box.
You can use this field to evaluate the operating system on mobile devices, such as mobile phones and
tablets, as well as the operating system on desktop and laptop devices. Selecting Apple iOS or Android
platforms activates the additional attribute fields for Device Type and Device Unique ID.
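The selection logic that Steps 2 and 3 configure, modeled in Python as an added example (not Cisco's code and not the ASA's implementation). The keys `client_version` and `platform`, the zero-padding rule, and the handling of unreported attributes are assumptions of this model; it shows why a minimum-version rule needs numeric, component-wise comparison rather than string comparison.

```python
import operator

# Operators the page lists for each field (Steps 2 and 3).
VERSION_OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
               ">": operator.gt, "<=": operator.le, ">=": operator.ge}
PLATFORM_OPS = {"=": operator.eq, "!=": operator.ne}


def parse_version(text):
    """Turn '3.10.1' into (3, 10, 1) so each component compares as a number."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(reported, op, wanted):
    """Apply one Step 2 operator; shorter versions are zero-padded (assumption)."""
    a, b = parse_version(reported), parse_version(wanted)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return VERSION_OPS[op](a, b)


def record_matches(criteria, endpoint):
    """True only if every (field, op, value) criterion matches the endpoint."""
    # Model assumption: an unreported attribute or unparseable version fails.
    for field, op, wanted in criteria:
        reported = endpoint.get(field)
        if reported is None:
            return False
        if field == "client_version":
            try:
                ok = compare_versions(reported, op, wanted)
            except ValueError:
                return False
        elif field == "platform":
            ok = PLATFORM_OPS[op](reported, wanted)  # KeyError for <, >, <=, >=
        else:
            raise ValueError(f"unknown field {field!r}")
        if not ok:
            return False
    return True


# Constructed sample: a minimum-version rule for Android clients.
RULE = [("platform", "=", "Android"), ("client_version", ">=", "3.9")]
PHONE = {"platform": "Android", "client_version": "3.10.1"}
```

A plain string comparison would rank "3.10.1" below "3.9" and wrongly fail the constructed minimum-version rule for this client.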