Hello @tmolleck, 

 

If you are going to block users that use anyconnect, this will work. You can implement a policy to block anyconnect services. You can also give those users a different role. Below is a KB on how to configure the certain process based policy for host checker. 

 

If a realm or role is configured with host check for the mcafee.exe process, every time a client connects to PCS/PPS, the end user computer's memory is inspected for the mcafee.exe process. Host Check will pass, only if this process is running. You can also deny if ther process is running. 

 

https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB22348

 

Let us know if you have any more questions. 

 

Thank you!

I believe it's called OpenConnect client which can be used to connect to Pulse Secure server from a Linux machine not Cisco's AnyConnect! Is that correct?

One setting (I know), which does this type of blocking is the browser (user agent) based restrictions enforced on the user realm.

Take for example, you can configure the user agent string as *Pulse-Secure*

Under, Users --- User realms --- Authentication policy --- Browser --- enter the pulse secure client string --- Allow. Which causes all the clients except pulse client including web browsers and OpenConnect client from connecting to VPN.

Note: If we can pass custom user agent as Pulse-Secure using OpenConnect client initiated connections, which is like potentially masquerading the connections as they're coming from the Pulse Secure client, then the realm level restrictions will not work. Keep that in mind.