We deploy Cisco AnyConnect from our internal network directly to the workstations of all users who need this software.  Therefore, we do not want anyone logging into the web interface and being prompted to download the software. What are the options to allow users to use the AnyConnect client we deploy to their workstations or provide to them via other methods, but not download and install from the ASA? The version on the ASA isn't kept up to date and it is being used by some users to get the software installed on unauthorized computers. I read that removing the AnyConnect software from the ASA prevents users from connecting to VPN even if they already have the client installed on their PC. If it can't be removed from the ASA, can the download link and automatic prompting to download the software be suppressed/blocked? If we only put the Linux version of AnyConnect as suggested in the link below, would that prevent Windows and Mac users from downloading, but still allow them to connect and use the AnyConnect software already installed on their system?   https://community.cisco.com/t5/vpn-and-anyconnect/disable-anyconnect-client-download-url-login-disable/m-p/2692631/highlight/true#M102217       ... View more

I noticed that the last VPN user name is not displayed when the user logs into Windows and then launches AnyConnect, but the last user name is displayed if AnyConnect is launched pre-login using SBL. We would want either opposite so that nobody can see the user name before logging into Windows, but the user name is displayed after a user with Windows credentials logs in or else we would want it suppressed in both places. Having a laptop thief be able to see the last user name via SBL, but at the same time requiring an authorized user who fully logs into Windows to manually type in this information makes no sense. How can we fix this? ... View more

We are upgrading Cisco AnyConnect Secure Mobility Client and Start Before Login from older versions for 4.x to 4.3.05017. Some of our systems will not upgrade because the previous versions will not uninstall.  These systems are now in an unstable state where the old versions will not even uninstall from Programs and Features in the Control Panel.   Normal uninstall msiexec /x string commands also will not work. What commands can we use to manually remove both of these products and get the systems in a state that will allow us to install 4.3.05017 versions without the systems having fatal errors complaining that the previous versions must be removed first before we can install the new versions? ... View more

We need to upgrade Cisco AnyConnect Secure Mobility Client and Cisco Start Before Logon silently via command line so we can deploy it to systems System Center Configuation Manager. The laptops are already using version 4.3, but we are just  updating these systems to the latest patch level. However, Start Before Login installer seems too reboot-happy because it wants to reboot to uninstall and also reboot again to install and 2 restarts makes upgrades via SCCM too difficult and it's also too disruptive to users. Can we uninstall the older versions of SBL, and uninstall AnyConnect suppressing any restarts, then install the new versions of AnyConnect and SBL and just do one single reboot at the end? I tried installing over the top without first uninstalling the old versions and I couldn't get it to work.  If there is a procedure to upgrade AnyConnect and SBL without having to uninstall the older patch level first, then that could be another option. If so, what commands do we use to accomplish an upgrade without needing 2 restarts? ... View more

We have different PIN requirement depending on whether the user is using a hardware or software token.  I think software tokens only work with numeric PINs and hardware tokens require alphanumeric.  I'm not sure if this is a fixed RSA requirement of if that's configurable in policies. Is there any way for the AnyConnect client to detect which kind of token the user has assigned to their account and automatically display the appropriate PIN requirement instructions when their PIN is reset or new? Where do we update the text that displays in the AnyConnect client that explains PIN requirements and also update the text in the legal banner that pops up from the AnyConnect client when the user successfully connects ? ... View more

I want to export the existing certificate before applying the new certificate so I can restore it if there is any problem with the new certificate. The help instructions say: Step 1 Navigate to the Network > Certificates page. Step 2 Click Export Certificate. Step 3 Select the certificate you want to export. Step 4 Enter the file name for the certificate. Step 5 Enter a password for the certificate file. Step 6 Click Export. Step 7 Save the file to a local or network machine. Step 8 You can export additional certificates or click Cancel to return to the Network > Certificates page. I tried that, but step 4 does not include an important detail. What file extension does the exported file need to have to be usable? It defaults to nothing (or the domain TLD if you named the file that way) and that doesn't work.  I tried ".crt" and it says that's invalid if I try to open the file after using that extension. What is the correct file extension?  This should be included in the help documentation. ... View more

We need to upgrade systems with older versions of AnyConnect Secure Mobility Client 4.3 and SBL to the latest version 4.3.04027 for both. How can I do that via a silent command line? Isn't there an uninstall command that uninstalls AnyConnect SMB and all modules all at once rather than having to separately uninstall the SBL module, restart and then uninstall SMC with a separate command? Can this entire upgrade process be done with a single restart instead of 2 restarts? I'd like to uninstall all the older components, install the new components and then restart instead of having to do another restart between uninstallation of old and installation of new. ... View more