In this session, we'll enable ISE client provisioning and download resources that

are needed for a client provision. Client provisioning is going to be used to

install the AnyConnect Secure Mobility Client and the ISE Posture Module, both of
which are required for posture assessment on an endpoint, and to be able to
communicate with the profile link service on ISE.
We'll begin by reviewing client provisioning settings. We can see that we're in the
Posture configuration submenu, and we'll select Settings. And from the left, we'll
select Software Updates and Client Provisioning.
We can see that with ISE 2.4 and above, that client provisioning is enabled by
default. This allows endpoints to interact with client provisioning processing and
resources on ISE, and to be able to download and have ISE deploy them. And
automatic download of provisioning resources from Cisco is disabled by default.
We'll see, later on, that there's a limited amount of resources currently installed
on ISE by default. If we enable this, it will download all available provisioning
resources from Cisco, and many of those may not be needed. Cisco recommends, until
you identify the need for the automatic download, that you disable it and do a
manual add of resources as needed.
And then we see a policy control for when provisioning policy is not available, a
provisioning policy rule has not been created, or provisioning resources are not
accessible or available per that policy. In this case, we'll follow authorization
rule processing, where we might be able to redirect that endpoint towards some
external provisioning resource, or we can simply allow network access.
OK, from here, we'll take a little tour and download resources, in a manual
fashion, that we'll be utilizing for client provisioning. In this case, we'll begin
by downloading the AnyConnect package for Windows, and save that to our Downloads
folder. We'll also download the AnyConnect Windows compliance module, and then
we'll also take advantage of a couple of XML file settings that will be applied to
AnyConnect and modify its behavior.
And we can see our new provisioning resources, files downloaded-- much as we might
do from Cisco's own website-- and making them available towards client provisioning
that we'll do later on.
OK, in this session we verified that client provisioning on ISE is enabled, that we
are not doing automatic updates from Cisco for the client provisioning resources,
that we will do a manual add of resources as needed. And then we did a download of
the resources that we will be using later to apply towards our endpoints as part of
provisioning.