Hi,
We have the following setup
- AnyConnect NAM (4.9.6037) with ISE Posture (4.9.6037) & Compliance Modules (4.3.2099)
We would like to upgrade to ISE Compliance Module 4.3.4065.8192 on a few TEST machines without having to change the AnyConnect profile file for all machines and without having to create new policies to target the machines. When we do a standalone upgrade on some desktops, they get downloaded once they connect to the network and get provisioned by ISE.
Is there a setting that can tell ISE to ignore endpoints running a newer version of the compliance module? Would the below settings help in anyway?
| Deferred Update | ||
| Allowed for AnyConnect Software |
|
If set to 'Yes', the end user can defer the update as long as they already meet the minimum version in the setting below, for all required AnyConnect modules. |
| Minimum Version Required for AnyConnect Software | Format is 'n.n.n'. '0.0.0' means no minimum version is required. '3' means minimum version is 3.0.0, '3.2' means minimum is 3.2.0. | |
| Allowed for Compliance Module |
|
If set to 'Yes', the end user can defer the update as long as they already meet the minimum version in the setting below. |
| Minimum Version Required for Compliance Module | Format is 'n.n.n.n'. '0.0.0.0' means no minimum version is required. '3' means minimum version is 3.0.0.0, '3.6' means minimum is 3.6.0.0, and so on. | |
| Prompt Auto Dismiss Timeout | The number of seconds that the deferred update prompt is displayed before being dismissed automatically. 'None' means the prompt can only be dismissed by the user. A '0' value and a 'defer' value for the response setting below will force a deferral of the software update. | |
| Prompt Auto Dismiss Default Response |
|
The action taken when the prompt is automatically dismissed. |
NB: Next step will be to upgrade to CSC/AC 5.x once the compliance module is stable.
