https://community.cisco.com/t5/endpoint-security/anyconnect-hostscan-question/m-p/4130416#M5592 <P>The Catalina Mac OS is not compatabile with hostscan so VPN can't be used on laptops with the new OS.</P><P>&nbsp;</P><P>We are needing to upgrade (<A href="https://www.cisco.com/c/en/us/td/docs/security/asa/migration/guide/HostscanMigration43x-46x.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/td/docs/security/asa/migration/guide/HostscanMigration43x-46x.html</A>) but the question i have is there any way to have hostscan working for the older macs/windows but turn off for newer macs.</P><P>&nbsp;</P><P>From my understanding no Hostscan has to be on due to the way it works and classify all endpoints otherwise it can be 'fooled' or is pointless.</P><P>&nbsp;</P><P>From the workaround on the field notice I believe the only workaround is to do the migration or turn off completley for all endpoints.</P><P>&nbsp;</P><P><A href="https://www.cisco.com/c/en/us/support/docs/field-notices/704/fn70445.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/field-notices/704/fn70445.html</A></P><P>" <STRONG>Workaround</STRONG></P><P>If an upgrade to HostScan package 4.8.00175 or later is not an option, administrators of systems with HostScan package&nbsp;4.3.x and earlier can disable HostScan on their ASA&nbsp;head-end&nbsp;in order to restore VPN connectivity. If disabled, all HostScan posture functionality and dynamic access policies (DAPs) that depend on endpoint information will be unavailable."</P><P>&nbsp;</P><P>Any thoughts/comments would be appreciated on design.</P><P>&nbsp;</P><P>Thanks</P> Tue, 04 Aug 2020 21:40:30 GMT georgehewittuk1 2020-08-04T21:40:30Z https://community.cisco.com/t5/endpoint-security/anyconnect-hostscan-question/m-p/4130416#M5592 <P>The Catalina Mac OS is not compatabile with hostscan so VPN can't be used on laptops with the new OS.</P><P>&nbsp;</P><P>We are needing to upgrade (<A href="https://www.cisco.com/c/en/us/td/docs/security/asa/migration/guide/HostscanMigration43x-46x.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/td/docs/security/asa/migration/guide/HostscanMigration43x-46x.html</A>) but the question i have is there any way to have hostscan working for the older macs/windows but turn off for newer macs.</P><P>&nbsp;</P><P>From my understanding no Hostscan has to be on due to the way it works and classify all endpoints otherwise it can be 'fooled' or is pointless.</P><P>&nbsp;</P><P>From the workaround on the field notice I believe the only workaround is to do the migration or turn off completley for all endpoints.</P><P>&nbsp;</P><P><A href="https://www.cisco.com/c/en/us/support/docs/field-notices/704/fn70445.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/field-notices/704/fn70445.html</A></P><P>" <STRONG>Workaround</STRONG></P><P>If an upgrade to HostScan package 4.8.00175 or later is not an option, administrators of systems with HostScan package&nbsp;4.3.x and earlier can disable HostScan on their ASA&nbsp;head-end&nbsp;in order to restore VPN connectivity. If disabled, all HostScan posture functionality and dynamic access policies (DAPs) that depend on endpoint information will be unavailable."</P><P>&nbsp;</P><P>Any thoughts/comments would be appreciated on design.</P><P>&nbsp;</P><P>Thanks</P> Tue, 04 Aug 2020 21:40:30 GMT https://community.cisco.com/t5/endpoint-security/anyconnect-hostscan-question/m-p/4130416#M5592 georgehewittuk1 2020-08-04T21:40:30Z