Have some tunnel-groups configured, tunnel-group-list enabled under webvpn, but I need users to always have a particular one as default every time they connect, and all the other ones as options in AnyConnect client version 3.1.x, ASA 9.5. I don't necessarily want to mingle with DfltGrpPolicy (I prefer them to show).
In scenarios like these it's easy to configure a specific URL for the tunnel-group (under webvpn-attributes) and let the users connect to this specific URL. It can be even more convenient when you configure an AnyConnect profile for your user-group where you specify this URL and your users only have to pick the entry from the AC dropdown list.
The problem with this method is that users need to open a browser. For clientless VPNs, it may be OK; the URL method will probably keep the uppermost group active. If I am not mistaken, it would need to activate clientless VPN, which we don't need. We just very occasionally have external users, and for them we prefer another solution.
We pre-install our laptops with AnyConnect and the initial profile, force updating it when needed. This is rather a convenient feature we need to avoid users' panic attacks when they are in a hurry. It is quick, it is in the tray already when the PC boots up and eats very little memory.
Also, most users will not need this, only "expert" users. We can drill them, and add a message when connected to a non-"default" top-most profile, but still, that should be a simple thing. "Don't choose last group" should be called somewhere; if you ask me, it should even be the standard, and be something that can be tweaked.
In the profile we have "remember last used vpn", for example. See?