Hello - Sorry for the vague question, I'm kinda out of my element here. I work for our desktop team and manage our SCCM environment. We are looking to upgrade our AnyConnect client version in the near future. The team that manages AnyConnect and ISE is a separate team. They recently went through some turnover and I'm not super confident in the current admins over there. They are saying that the AnyConnect client can't be updated from the ASA or ISE. My reading of the admin guide contradicts that. So knowing that it is possible to do it from ISE or ASA, what is the best way to handle upgrades, SCCM or ASA/ISE?
@RJI is correct - AnyConnect can be upgraded from ASA or ISE in addition to any other software deployment tools you may use.
SCCM etc. are useful for organizations that have a well-established operational model of deploying software that way.
ISE is useful if you have multiple disparate ASA installations all of which use ISE as a backend for Posture assessment, RADIUS server etc. In that case we can deploy a single image and set of profiles (associated xml files) from one place. The AnyConnect images need to match what's on the ASAs though.
ASA is useful in that it is well-understood by most ASA admins anyway) and a long-established procedure. It happens automatically at next logon without the end user having to be an admin for their PC. I'd say this is by far the most common deployment and upgrade model.
I agree with @RJI & @Marvin Rhoads . This definitely comes down to internal decisions. In my environment we work with several Anyconnect components including VPN, NAM, Posture, & SBL. When we perform upgrades we usually rely on packaging things up and deploying via SCCM. In my experience the only module that can be tricky is NAM due to the way it operates and what it is used for. However, I have found NAM to be tricky upon initial installation & not upgrades.