Disabling Anyconnect Secure Mobility client Update from Cisco ASA Group Profile

zobaarul · ‎07-01-2019

Hi,

We are using Cisco Anyconnect Security Mobility Clients with Cisco ASA 5585. There are two types of users here and each type having multiple Anyconnect groups. One type of users are inside organization users. These users do not have admin privilege in their laptops. Anyconnect client had been pushed to these Laptops from different team (system administration team). These users have anyconnect client version 4.5. Now in ASA config, Anyconnect package under webvpn is 2.5. So clients installed in the laptops inside organisation do not update automatically. Now we want to create some other Anyconnet groups for users outside organisation assuming they have admin privilege in their laptops/pcs. Available anyconnect client version now is 4.7. So if we change the package in ASA with version 4.7, outside user can download and install the package. But clients inside organization starts to upgrade the clients while connecting to VPN but fails because they do not have admin privilege and cannot connect to VPN ultimately. Is there any way to disable client update from specific anyconnect group profile in ASA. Like can we disable client update from group-policy or tunnel-group attributes?

Any help would be appreciated

Thanks in advance

-Zobaarul

Rob Ingram · ‎07-01-2019

Hi,
No I don't believe you can disable updates from the ASA itself. You can configure the AnyConnectLocalPolicy.XML to disable downloader updates, this would have to be pushed out via GPO or your Windows mgmt software.

FYI, updating the AnyConnect software does not required Administrator privileges, only the initial installation.

HTH