10-20-2023 01:27 AM
Dear All,
We plan to upgrade the Cisco AnyConnect client from version 4.9.x to 5.x.x. But during the upgrade we have been challenged by one thing: adding MAC addresses manually to client provisioning. That's quite a challenge for us as administrators. Hence, could you share your experiences with us? How can we make it automatic, so that we are not required to make any change on the Cisco ISE web portal (adding MAC addresses or AD groups manually)?
Remark: In our environment we have around 8K endpoints and the impact is sensitive. So we need to roll out scope by scope.
Best Regards,
10-20-2023 01:32 AM
@sot01 If you were to upload the Secure Client package to the ASA/FTD any device connecting to the VPN would automatically upgrade. So if you want a phased rollout of Secure Client it would be recommended to use a software management solution such as SCCM or MDM to deploy the upgrade to a set of devices over a period of time.
10-20-2023 01:36 AM
Thank you @Rob Ingram,
It's for endpoints connecting to the LAN network.
But during the upgrade we have been challenged by adding MAC addresses manually to client provisioning on the Cisco ISE portal. That's quite a challenge for us as administrators. Hence, could you share your experiences with us? How can we make it automatic, so that we are not required to make any change on the Cisco ISE web portal (adding MAC addresses or AD groups manually)?
10-20-2023 01:46 AM - edited 10-20-2023 02:02 AM
@sot01 are you referring to the ISE Client Provisioning Policy and you are currently using a specific Identity Group? You could just remove the requirement for Identity Group (change to "Any") or if you wish to target an AD group, then select "Other Conditions" and select your ExternalGroups from your AD join point.
If you want to make it automatic and not make a change on the ISE web portal then use your software management solution to deploy the upgrade (as previously suggested).
10-20-2023 02:22 AM
Thanks @Rob Ingram,
Yes exactly, we want it to be automatic. But when we set the Client Provisioning Policy identity groups to ANY, clients automatically upgrade from Cisco ISE. That's the reason we use an identity group.
Hence, could you help by sharing in detail how to achieve an automatic upgrade using SCCM deployment without being required to make any change on the Cisco ISE web portal?
Here is our current setting for the Client Provisioning Policy (in the attached file).
10-20-2023 02:38 AM
@sot01 advice on deploying a package via SCCM is better discussed in a Microsoft forum or, even better, with your team that supports the system.
10-20-2023 02:41 AM
Thanks @Rob Ingram, we don't have an issue with SCCM. But we have an issue and a challenge with the client provisioning part on the Cisco ISE portal.
Could you share advice on that based on your experience?
10-20-2023 02:46 AM
@sot01 I thought you did not want to make any changes on ISE for client provisioning? In which case, deploy the client upgrade from SCCM.
10-20-2023 02:50 AM
@Rob Ingram, you are right, we want to do it on SCCM only. But here is the challenge:
1. When we create a new client provisioning policy for the new AnyConnect Secure version 5, all clients automatically upgrade themselves (we tested in UAT). Kindly find the attached file for my configuration of the new client provisioning policy for the new AnyConnect Secure version 5.
Do you have any suggestion or advice on this? Is there something wrong with our configuration?
10-20-2023 02:59 AM
Why not let SCCM push down all the client software and configuration files etc.? Then you don't need to update the provisioning portal.
10-20-2023 03:22 AM
Could you share what your client provisioning settings look like? Because if I don't create a new client provisioning mapping with Cisco Secure Client version 5 on the PC, it doesn't work. Could you help to advise on that?
10-23-2023 04:21 AM - edited 10-23-2023 04:22 AM
@Rob Ingram, based on our work with multiple Cisco TAC engineers, most of them suggest that we make changes to client provisioning on the Cisco ISE portal and define the identity (scope of endpoints to upgrade). But from our point of view, we don't believe that Cisco designed the solution to be such a complicated thing. So the solution you shared makes sense, but we don't know in detail how it will work and what the configuration should look like to achieve that on the Cisco ISE portal.
10-23-2023 04:47 AM
@sot01 wrote:
Dear All,
We plan to upgrade the Cisco AnyConnect client from version 4.9.x to 5.x.x. But during the upgrade we have been challenged by one thing: adding MAC addresses manually to client provisioning. That's quite a challenge for us as administrators. Hence, could you share your experiences with us? How can we make it automatic, so that we are not required to make any change on the Cisco ISE web portal (adding MAC addresses or AD groups manually)?
Remark: In our environment we have around 8K endpoints and the impact is sensitive. So we need to roll out scope by scope.
Best Regards,
Any update?