AD group exception: short answer, no (see long answer below).

Two mirrored realms: short answer, no (see long answer below).

Long answer: There are a few options available for achieving the end goal of having a subset of users _always_ having access to log in, despite the security posture. Some of the off-the-cuff options are:

- custom expressions that map based on the Host Checker result
- dual realms - one that has Host Checker required and enforced and one that either has no requirements _or_ is set to evaluate only (making sure that the more restrictive is at the top of the list on the URL)
- dual roles - one that has Host Checker enforced and one that does not

If you have further questions, please let us know; alternatively, you can always open a case with support in the event it is not working the way you want.
I believe it's called the OpenConnect client, which can be used to connect to a Pulse Secure server from a Linux machine, not Cisco's AnyConnect! Is that correct?

One setting (that I know of) which does this type of blocking is the browser (user agent) based restriction enforced on the user realm. For example, you can configure the user agent string as *Pulse-Secure* under Users --- User realms --- Authentication policy --- Browser --- enter the Pulse Secure client string --- Allow. This prevents all clients except the Pulse client, including web browsers and the OpenConnect client, from connecting to the VPN.

Note: If we can pass a custom user agent as Pulse-Secure using OpenConnect client-initiated connections, which is like potentially masquerading the connections as if they're coming from the Pulse Secure client, then the realm-level restrictions will not work. Keep that in mind.