09-21-2012 01:33 PM - edited 02-21-2020 06:21 PM
Hello - we would like to utilize our ASA VPN appliance to push the latest release of AnyConnect to our end user base. Previously, due to the requirement that the user have admin rights to install, we could not do this and had to revert to SCCM to push the AnyConnect client upgrades. We now have software that will allow the client to load as an admin even though the user is not an admin on the system. Viewfinity is the software name.
My question is around controlling the rate. I do not want to configure the VPN to push the new AnyConnect, and then every user that logs in gets the install. We would rather control, based on Group if possible, who gets the new client. This limits the risk if there is an issue to a subset of VPN users, and not any and all who connect and try to download. I cannot find a config or a config guide that indicates this is possible. Does anyone out there know if it is, or is not, an option? If not, we would have to assume a lot of risk to rollout 1100 new clients in one day, a typical number we have connected on any given workday. Please advise.
Thank you very much for your help.
Jeff
Solved! Go to Solution.
09-21-2012 01:43 PM
Hi Jeff,
There is no option to allow the auto-update per connecton profile.
What you can do though, is to disable this feature on the XML profile, since the XML profile can be defined per group-policy, you just need to deploy the profile either by having the users connect to the specific tunnel-group where the group-policy with the no auto update XML profile or deploying the XML profile manually to each user's machine.
Please check this out:
AutoUpdate | true | (Default) Installs new packages automatically. |
false | Does not install new pacakges. |
In the XML profile (to disable it):
Where to find the profile?
Let me know.
Thanks.
Portu.
Please rate any posts that you find helpful.
Message was edited by: Javier Portuguez
09-21-2012 01:43 PM
Hi Jeff,
There is no option to allow the auto-update per connecton profile.
What you can do though, is to disable this feature on the XML profile, since the XML profile can be defined per group-policy, you just need to deploy the profile either by having the users connect to the specific tunnel-group where the group-policy with the no auto update XML profile or deploying the XML profile manually to each user's machine.
Please check this out:
AutoUpdate | true | (Default) Installs new packages automatically. |
false | Does not install new pacakges. |
In the XML profile (to disable it):
Where to find the profile?
Let me know.
Thanks.
Portu.
Please rate any posts that you find helpful.
Message was edited by: Javier Portuguez
09-24-2012 06:36 AM
That is awesome. Thank you for your answer. That is what we will proceed with as a solution. Again, thank you Javier!
09-24-2012 06:50 AM
Great news to hear
I hope you have an amazing day.
06-04-2018 02:27 AM
Hi, just to double check. what if the user who logs in the laptop doesn't have privileges to install an application, does the auto update of anyconnect will still push through?
thanks
06-04-2018 07:20 AM
Initial AnyConnect installation will fail if the user does not have sufficient privileges.
AnyConnect application upgrades pushed from the ASA (or ISE) do not require administrative privileges and should succeed (unless the computer is really locked down hard - i.e. preventing modification of program files altogether with something like application whitelisting).
06-06-2018 04:42 AM
Thanks Marvin :)
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide