I'm looking at deploying an AC upgrade to our clients, and already have it set up on the ASA using webdeploy, but I'm concerned I wont hit clients that dont use VPN regularly, but who are on the enterprise network.
We use Umbrella and I was considering enabling the Cloud Update feature for AnyConnect from the Umbrella console, but I would like to understand the actual upgrade behavior better so that we can communicate this change to our users effectively. If we turn this on, what will a client experience? What will they see? Would it be similar to the dialogs that appear during a webdeploy upgrade of AC?
I understand that the upgrade wont take place while the user is connected to VPN, and that's fine, but what happens while they're on the corp network? Is a reboot required? Does the upgrade start seconds after I enable this in Umbrella?
Lots of questions, but I have not been able to find adequate documentation on this, and from what I can tell, there is no easy way to test this in a limited scope. Its all or nothing!!
The AnyConnect client will regularly communicate with Umbrella cloud to determine if there is an update. If enabled, then the client will download the upgrade, from memory there is a pop up, so you know the client is being upgraded, but a reboot is not required.
Yes, this is configured globally, so all or nothing. Some organisation rely on their internal management solutions, such as SCCM to push out upgrade packages, which would allow you to control the rollout.
That's a good question, the Umbrella notes are unclear.
My previous anyconnect upgrades via Umbrella cloud did not have the SBL module installed and no reboot was required. I've just run a test, manually upgrading a client with SBL module already installed, this always seems to prompt for a reboot. I can only assume if Umbrella initiated the upgrade it would require a reboot.
Perhaps this is a question you could ask from Umbrella support to clarify. I no longer have an account so I cannot easily confirm this for you.