Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2741
Views
5
Helpful
5
Replies

Disable Auto Update of AnyConnect Client - Cisco ISE

sreng
Level 1
Level 1

‎06-14-2022 01:10 AM

Hi team,

I would like to ask if anyone here has experienced disabling the auto-update of AnyConnect on Cisco ISE.
The idea here is that I would want my clients - some of them run the 4.9 and some to run 4.10 parallelly.

 

I would be really appreciated it if you could provide some insight into how we could do and configure it this way.

Thanks,
Sreng

0 Helpful
5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

‎06-14-2022 02:10 AM

you can disable by editing client config profile  -

 

Cisco AnyConnect Secure Mobility Client/Profile/  (XML File)

 

check release notes

 

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/release/notes/release-notes-anyconnect-4-9.html#ID-1454-000004f6

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

sreng
Level 1
Level 1
In response to balaji.bandi

‎06-14-2022 02:40 AM

Hi balaji,

 

Thanks for your solution on this.

Also, clients in my environment are running 4.9 and I want to upgrade them to 4.10 phase by phase (by the helpdesk team) through SCCM without the hassle of specifying AD group or sth like that.

The ultimate goal here is to have 2 CPP policies running parallelly, one with the result of AC 4.9 resource and another with 4.10 resource. So that, the Helpdesk can push 4.10 to any available group of clients whenever they could without involving ISE admin.

By doing so, the auto-update must be disabled otherwise all the 4.9 clients will update to 4.10.

Looking through your document provided, it seems like we have to manually modify the xml file on the client side.

Alternatively, is there any way we could achieve this on the ISE side?

Thanks,
Sreng

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to sreng

‎06-14-2022 03:01 AM

Is this all the clients connect to same ASA ? May be thinking you can do central push group wise using SCCM. (only certain clients by selecting).

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

sreng
Level 1
Level 1
In response to balaji.bandi

‎06-14-2022 08:14 PM

Hi balaji,


All clients are connecting to the ISE cluster. We will push the 4.10 to clients via SCCM but the problem is with our ISE Client Provisioning policy.

There will be 2 CPP policies (ANY in the identity group condition, Windows, no other condition) each with 4.9 and another 4.10 as result.

 

Without disabling the auto-update, 4.9 clients will be updated automatically and we do not want that.

It would be really great if we could achieve this from ISE side without having to modify the xml file on the clients.

Thanks,
Sreng

0 Helpful

Oron Yaniv
Level 1
Level 1

‎09-06-2022 10:49 PM

Hi, have you found a solution?

i also want to disable ISE updates to clients.

 

0 Helpful
Customers Also Viewed These Support Documents