Using VPN to push AnyConnect client upgrade

jthullen
Level 1
Hello - we would like to utilize our ASA VPN appliance to push the latest release of AnyConnect to our end user base. Previously, due to the requirement that the user have admin rights to install, we could not do this and had to revert to SCCM to push the AnyConnect client upgrades. We now have software that will allow the client to load as an admin even though the user is not an admin on the system. Viewfinity is the software name.

My question is around controlling the rate. I do not want to configure the VPN to push the new AnyConnect, and then every user that logs in gets the install. We would rather control, based on Group if possible, who gets the new client. This limits the risk if there is an issue to a subset of VPN users, and not any and all who connect and try to download. I cannot find a config or a config guide that indicates this is possible. Does anyone out there know if it is, or is not, an option? If not, we would have to assume a lot of risk to roll out 1100 new clients in one day, a typical number we have connected on any given workday. Please advise.

Thank you very much for your help.

Jeff

Accepted Solutions

Hi Jeff,

There is no option to allow the auto-update per connection profile.

What you can do, though, is disable this feature in the XML profile. Since the XML profile can be defined per group-policy, you just need to deploy the profile, either by having the users connect to the specific tunnel-group where the group-policy with the no-auto-update XML profile is applied, or by deploying the XML profile manually to each user's machine.

Please check this out:

AutoUpdate

- true: (Default) Installs new packages automatically.
- false: Does not install new packages.

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac13vpnxmlref.html#wp1220030

In the XML profile (to disable it):

<AutoUpdate>false</AutoUpdate>

Where to find the profile?

| OS | Directory Path |
|---|---|
| Windows 7 and Vista | C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\ |
| Windows XP | C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile |
| Mac OS X and Linux | /opt/cisco/anyconnect/profile/ |

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac02asaconfig.html#wp1409000

Let me know.

Thanks.

Portu.

Please rate any posts that you find helpful.

Message was edited by: Javier Portuguez
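
A way to check, before the new package is staged on the ASA, which group-policies' profiles would still take the upgrade. This is an added example, not part of the original posts; the group-policy names and sample profiles are constructed, and the profile root element and namespace shown are assumptions about the file layout.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip an XML namespace so the check works with or without one."""
    return tag.rsplit("}", 1)[-1]

def autoupdate_enabled(profile_xml):
    """Return True if this profile lets the client install pushed packages.

    Per the answer above, true is the default, so a profile that has no
    AutoUpdate element at all is treated as enabled.
    """
    root = ET.fromstring(profile_xml)
    for elem in root.iter():
        if _local(elem.tag) == "AutoUpdate":
            return (elem.text or "").strip().lower() != "false"
    return True

def split_by_autoupdate(profiles):
    """Map {group_policy_name: profile_xml} to (will_upgrade, held_back)."""
    will_upgrade, held_back = [], []
    for name, xml_text in sorted(profiles.items()):
        target = will_upgrade if autoupdate_enabled(xml_text) else held_back
        target.append(name)
    return will_upgrade, held_back

# Constructed sample data: hypothetical group-policy names, minimal profiles.
NS = 'xmlns="http://schemas.xmlsoap.org/encoding/"'  # assumed namespace
SAMPLE_PROFILES = {
    "GP-Pilot": f"<AnyConnectProfile {NS}><ClientInitialization>"
                "<AutoUpdate>true</AutoUpdate>"
                "</ClientInitialization></AnyConnectProfile>",
    "GP-General": f"<AnyConnectProfile {NS}><ClientInitialization>"
                  "<AutoUpdate> false </AutoUpdate>"
                  "</ClientInitialization></AnyConnectProfile>",
    # No AutoUpdate element: falls back to the default (true).
    "GP-Legacy": "<AnyConnectProfile><ClientInitialization/>"
                 "</AnyConnectProfile>",
}

if __name__ == "__main__":
    upgrading, held = split_by_autoupdate(SAMPLE_PROFILES)
    print("Will take the pushed upgrade:", ", ".join(upgrading))
    print("Held back (AutoUpdate=false):", ", ".join(held))
```

A group-policy that shows up under "will take the pushed upgrade" unexpectedly, such as one with no AutoUpdate element, is the case to fix before the package goes live.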

6 Replies

That is awesome. Thank you for your answer. That is what we will proceed with as a solution. Again, thank you Javier!

Great news to hear

I hope you have an amazing day.

Hi, just to double check: what if the user who logs in to the laptop doesn't have privileges to install an application? Will the auto update of AnyConnect still push through?

thanks

Initial AnyConnect installation will fail if the user does not have sufficient privileges.

 

AnyConnect application upgrades pushed from the ASA (or ISE) do not require administrative privileges and should succeed (unless the computer is really locked down hard - i.e. preventing modification of program files altogether with something like application whitelisting).

Thanks Marvin :)
