Prerequisites

  • An Android Enterprise compatible device deployment. The legacy Device Admin (DA) system is not supported at this time.
  • Private DNS must be turned off for DNS interception to function properly.
  • Android mobile devices running Android OS version 6.0.1 and above. Example devices include Samsung, Google, and Motorola. FireOS devices and other Android forks are not supported.
  • An MDM for deploying the software. The following MDMs have been tested, and you should be able to use any MDM:
    • MobileIron
    • Meraki
    • VMware Workspace ONE (AirWatch)
    • Microsoft Intune
    • Samsung Knox
    • Google Admin Console (Google Workspace)
  • Access to a Secure Access subscription, including mobile device coverage
  • A network that meets the following access requirements:
    • For IPv4 or Dual Stack networks, ensure that UDP ports 53, 5353, and 443 are accessible to the IP address 208.67.222.64.
    • For IPv6 or Dual Stack networks, ensure that UDP ports 53, 5353, and 443 are accessible to the IP address 2620:119:53::64.

       
      For IPv6-only networks, NAT64 and DNS64 or 464XLAT gateways are required.

      *DNS64 (RFC 6147) is meant for single-stack IPv6 networks and helps with IPv4 to IPv6 transitions. If you are using Umbrella DNS on devices without IPv4 access, these resolvers will synthesize records that can reach those destinations through a NAT64 gateway using the Well-Known Prefix. More details are available in DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers.

  • For on-network scenarios, Trusted Network Detection (TND) may also be used to disable the client while on-network and pass traffic to a Virtual Appliance (VA). The following prerequisites apply:
    • All VAs in use are defined by FQDN in the umbrella_va_fqdns configuration property. If IP addresses are entered, the client will not go into trusted network mode.
      • The format for this field is a comma-separated list, for example, (va1.domain.com, va2.domain.com)
    • VAs must be registered to the same Secure Access organization as the Android devices
    • HTTPS mode for user events enabled on the Virtual Appliance
      • If the VA's FQDN is not publicly signed, the self-signed root certificate for the VA domain used for HTTPS mode on the VA must also be pushed to the Android device to sign the connection.
      • VA certificates should contain a Subject Alternative Name (SAN) matching the VA's configured domain to successfully communicate with the VA over HTTPS mode.
      • For more information on how to configure HTTPS mode on the VA, see Umbrella Virtual Appliance: Receiving User-IP mappings Over a Secure Channel.
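
A pre-deployment check for the TND prerequisites above, added here as an example and not taken from Cisco's tooling: it parses an umbrella_va_fqdns value, flags IP entries, and checks each FQDN against the SAN dNSName entries read from that VA's certificate. The function names, the va3 host, the 192.0.2.10 address and the SAN lists are constructed for illustration, and the wildcard rule (left-most label only) is an assumption based on standard TLS hostname matching.

```python
import ipaddress

def parse_va_fqdns(value):
    """Split an umbrella_va_fqdns value into (fqdns, ip_entries)."""
    fqdns, ip_entries = [], []
    for raw in value.split(","):
        entry = raw.strip().rstrip(".").lower()
        if not entry:
            continue
        try:
            ipaddress.ip_address(entry.strip("[]"))
            ip_entries.append(entry)  # IP entries prevent trusted network mode
        except ValueError:
            fqdns.append(entry)
    return fqdns, ip_entries

def san_matches(fqdn, san_dns_names):
    """True if a SAN dNSName covers fqdn: exact match, or a wildcard that
    replaces exactly the left-most label (assumed matching rule)."""
    host = fqdn.lower().rstrip(".")
    for san in san_dns_names:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*.") and "." in san[2:] and "." in host:
            if host.split(".", 1)[1] == san[2:]:
                return True
    return False

def audit(value, sans_by_va):
    """Return {entry: problem} for every entry that fails a prerequisite."""
    fqdns, ip_entries = parse_va_fqdns(value)
    findings = {e: "IP address entered; define the VA by FQDN" for e in ip_entries}
    for fqdn in fqdns:
        if not san_matches(fqdn, sans_by_va.get(fqdn, [])):
            findings[fqdn] = "certificate has no SAN matching this FQDN"
    return findings

# Constructed sample input: property value plus SANs taken from each VA's certificate.
SAMPLE_VALUE = "va1.domain.com, va2.domain.com, 192.0.2.10, va3.domain.com"
SAMPLE_SANS = {
    "va1.domain.com": ["va1.domain.com"],
    "va2.domain.com": ["*.domain.com"],
    "va3.domain.com": ["va3.lab.domain.com"],  # mismatch on purpose
}

if __name__ == "__main__":
    for entry, problem in audit(SAMPLE_VALUE, SAMPLE_SANS).items():
        print(f"{entry}: {problem}")
```

The SAN lists can be filled in from the output of `openssl x509 -noout -ext subjectAltName` run against each VA certificate.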