The info @Marcelo Morais shared is accurate

You can also create an ISEPostureCFG.xml via the AnyConnect Profile Editor - specifically the ISE Posture Profile Editor and then upload to ISE for deployment and/or manually add it to the respective location on a test client.  Do note though that changes on ISE side to support this would still be required (AnyConnect Config - Profile Selection area).  

Any luck with DART bundle logs? I have utilized bundles in the past to point me in the right direction to fix an issue.  

Hi @Anthony O'Reilly 

I am having the same issue. "The System Scan is showing the same status "No Policy Server Detected". We also use a pre-deploy approach via SCCM and install Core-VPN and ISE-Posture module. 

But the thing is, when we tried with a Web-Deploy approach with URL redirection, client download the AnyConnect and installed, it is working as expected with the compliance checking and all.

This is only happened with the pre-deploy approach. I am not sure why ? 

The ISEPostureCFG.xml file were missing in the path C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\”. for both type of deployment approach. But for web-deploy is working but not pre-deploy.

FYSA

The ISEPostureCFG.xml goes here on Win clients: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture

Does the .xml file needed to be uploaded on ISE as well ? or just need to be deployed on the client endpoints only. Because from the ISE CPP resources I can only import files with .pkg and .dmg format.

-This all depends on if you use CPP to provision clients.  If you wish to rely on CPP, the profile selection area when configuring an AnyConnect Configuration profile requires that you select an ISE Posture profile to push to clients when hitting a CPP with the respective result.  You have the ability to import .xml files.  Go to Policy->Policy Elements->Results->Client Provisioning->Resources: Click Add: Agent Resources from Local Disk: Customer Created: AnyConnect Profile: <your profile>

HTH!

I am going to try to cover most of the questions.  I strongly recommend taking a peek at the following resources to understand the workflow: ISE Posture Prescriptive Deployment Guide - Cisco Community

Do I have to create TWO separate AnyConnect profile on ISE (CPP Resources) ?

-No.  You have the option to manually create it in ISE itself, or via profile editor and the upload method.

One is for the pre-deploy by importing customer created package and one more is created directly from the Resources. And how do actually Anyconnect select the profile on ISE and match.

-You only need 1 profile in the respective shared location.

And how about the Policy Sets ? Because of the CPP, I have only configured Authorization Rules and Authz Profiles for CPP Redirection, Compliant and Non-Compliant.

-There should be three states.  Unknown, which is what clients are first matched/deemed against, compliant or noncompliant which is the result post assessment.  See shared documentation above.

Because of this, even when we pre-deployed the AnyConnect, it will return the CPP Portal and ask user for download even the AnyConnect is already there. Since the Anyconnect is unable to detect the policy server.

-If you wish to eliminate the pop up you can remove the redirect in the authz profile.  However, if clients need to be fully provisioned it is typically recommended to leave as is.

Lastly, I would take a client that is having the issue of reaching ISE and generating a DART bundle.  From there check logs to help troubleshoot the issues.  Good luck & HTH!

Hello Dear All,

Was someone able to resolve this issue. I am currently facing the exact issue with ise 3.0 patch 4, anyconnect ise posture 4.10 core vpn 4.10 and compliance module 4.3. 

Everything work in webdeploy installation but when coming to predeploy through gpo the anyconnect is not able to found the psn.