
Update Cisco AnyConnect Secure Mobility Client from 4.9 to 4.10 Intune

saad.farooq23
Level 1

Hi

We have Cisco AnyConnect mobility client v4.9 deployed on end-user devices and now plan to upgrade to the latest 4.10 version via Intune. The issue is that when we try to upgrade to the latest version, end users face disconnection, which is not feasible. We need to upgrade to the latest version silently, or even automatically, without any disconnection. Can anyone provide an XML/script or a guideline?

4 Replies

Milos_Jovanovic
VIP Alumni

Hi @saad.farooq23,

If I understood you correctly, you are looking into updating AnyConnect via Intune while users are on VPN? It won't work this way. If you want to update it via Intune (which is always the approach I would prefer), people must not be on VPN, so they either need to be in the offices, or you need to push the update via the Internet.

If you want to perform an update while on VPN, the best approach is to push the software from your headend device - ASA or FTD. This way, upon connection, the AnyConnect version is checked, and if needed, it gets updated automatically, so it happens right before the user connects (or while connecting). However, you must approach this carefully, as it is a global ASA setting that will affect all users. Also, it could require local admin rights (depending on the deployment), so one more reason to be cautious.

BR,

Milos

Hi Milos

Thanks for the response and for sharing the workaround, but as you suggest, that approach is quite risky in a production environment, since if any unforeseen issue arises it will affect the overall organization. However, I will discuss this with the team to see if it is suitable. Also, since the Cisco client is deployed via Intune as a Win32 app, it's quite strange that Cisco did not offer auto-update without user disconnection like other VPNs do. So if we just try the superseding approach, i.e. remove the previous version and install the new one, will the end user still face disconnection? Also, if there is any other workaround you can propose, it would be a great support.

Hi @saad.farooq23,

I wouldn't dare to comment on which approach Cisco took with the installer and whether it could be done better, as I never dealt with understanding how the installer works. Of course, anything can be done better, and eventually it gets done better.

The current installer, while upgrading, actually uninstalls the existing version, and then installs a new one. During that process, it also removes the logical interface, which affects user connectivity. If pushing via the headend, when the user passes authentication, the client PC realizes there is a new version that needs to be installed, the PC downloads the installation, and then it starts the upgrade process. As the installer is already downloaded, the old version gets uninstalled, the new one gets installed and the session is resumed, without prompting the user to reauthenticate. This is the smoothest experience that can currently be achieved with ASA/FTD.

Alternatively, I know there is an option to push software to PCs while they are on the Internet (not on VPN and not in the office), but, as far as I know, this comes with some price, either in bandwidth or in traffic that must be paid for (could be that this is not related to Intune, but to some SCCM distribution point on the Internet). You should check this with your Intune team.

BR,

Milos

Hi Milos,

Thanks for sharing your valuable suggestion. I will discuss it with my team; hopefully we will get a workaround.