In this session, we'll enable ISE client provisioning and download resources that
are needed for a client provision. Client provisioning is going to be used to
install the AnyConnect Secure Mobility Client and the ISE Posture Module, both of which are required for posture assessment on an endpoint, and to be able to communicate with the profile link service on ISE. We'll begin by reviewing client provisioning settings. We can see that we're in the Posture configuration submenu, and we'll select Settings. And from the left, we'll select Software Updates and Client Provisioning. We can see that with ISE 2.4 and above, that client provisioning is enabled by default. This allows endpoints to interact with client provisioning processing and resources on ISE, and to be able to download and have ISE deploy them. And automatic download of provisioning resources from Cisco is disabled by default. We'll see, later on, that there's a limited amount of resources currently installed on ISE by default. If we enable this, it will download all available provisioning resources from Cisco, and many of those may not be needed. Cisco recommends, until you identify the need for the automatic download, that you disable it and do a manual add of resources as needed. And then we see a policy control for when provisioning policy is not available, a provisioning policy rule has not been created, or provisioning resources are not accessible or available per that policy. In this case, we'll follow authorization rule processing, where we might be able to redirect that endpoint towards some external provisioning resource, or we can simply allow network access. OK, from here, we'll take a little tour and download resources, in a manual fashion, that we'll be utilizing for client provisioning. In this case, we'll begin by downloading the AnyConnect package for Windows, and save that to our Downloads folder. We'll also download the AnyConnect Windows compliance module, and then we'll also take advantage of a couple of XML file settings that will be applied to AnyConnect and modify its behavior. And we can see our new provisioning resources, files downloaded-- much as we might do from Cisco's own website-- and making them available towards client provisioning that we'll do later on. OK, in this session we verified that client provisioning on ISE is enabled, that we are not doing automatic updates from Cisco for the client provisioning resources, that we will do a manual add of resources as needed. And then we did a download of the resources that we will be using later to apply towards our endpoints as part of provisioning.