I do have DAP's set up, but my deny message is something totally different than this - and only shows on the deny.  The allows have just a generic 'continue' statement while I test out this new version.

TAC says it should be under AnyConnect Customization/Localization --> GUI Text and Messages, but there's nothing there, and they can't figure out yet where it's coming from either.

As I understand it, the message is presented to the user when a custom user message is included in the DAP policy.  If you remove your test "continue" message and log in as a permitted user, do you still see the security message?  If you log in as a denied user do you see the security message in addition to your custom warning?  To my knowledge there is no way to fine tune this message aside from disabling the user message in the DAP policy.

Todd

Ok, you're definitely on to something.  If I delete all my DAP, and leave just the default with continue, I don't get the message.  If i put in some criteria and make if fail, I get my fail message.  But if it passes w/ extra criteria in, then I get that canned message.  So this gives me more to play with next week.  Strange as I have identical criteria set up on my live box running 8.3(2), but my test box with 8.4(1) or 8.4(2) both have it coming up.