XDR Client Management Profile Upload Issue with VPNDisable ServiceProfile XML

Available Languages

Download Options

  • PDF     (13.1 KB)
    View with Adobe Reader on a variety of devices
Updated:May 12, 2026
Document ID:225892

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Contents

Issue

When attempting to upload a custom VPNDisable_ServiceProfile.xml file containing the <ServiceDisable>true</ServiceDisable> setting through XDR Client Management > Profiles, the XDR system overwrites the custom XML configuration with a full AnyConnectProfile configuration, removing the ServiceDisable setting. This prevents the deployment of Cisco Secure Client without VPN functionality on endpoints.

Environment

  • Product Family: Secure Access (SECACCS)

  • Technology: Cisco Secure Client (formerly AnyConnect)

  • XDR Client Management Portal

  • Custom VPNDisable_ServiceProfile.xml configuration

  • Deployment scenario requiring Cisco Secure Client without VPN functionality

Resolution

Custom XML upload is not supported in the XDR portal. The system automatically overwrites uploaded custom XML files with full AnyConnectProfile configurations.

However, several deployment alternatives are available to achieve the desired VPN-disabled configuration:

Alternative Deployment Methods

Method 1: Install Package Integration

For vendor-managed machines (machines not under direct management), the custom VPNDisable XML must be added as part of the install package during the initial Cisco Secure Client deployment.

Method 2: Enterprise Management Tools

For Active Directory-joined machines, deploy the VPNDisable XML file using enterprise management tools such as:

  • Microsoft Intune

  • System Center Configuration Manager (SCCM)

  • Other enterprise deployment solutions

Validated Workaround

The following workaround was successfully tested and validated:

Step 1: Remove VPN Profile from XDR

Remove the VPN profile from the XDR-managed profile set to prevent automatic overwriting.

Step 2: Manual XML Deployment

Manually copy the custom VPNDisable_ServiceProfile.xml file containing the <ServiceDisable>true</ServiceDisable> setting to the target endpoints.

Step 3: System Reboot

Reboot the target endpoints to ensure the configuration takes effect.

Step 4: Validation

After reboot, verify that:

  • The XML file is not overwritten by XDR

  • The Cisco Secure Client no longer displays the AnyConnect VPN module

  • The VPN functionality is successfully disabled

This workaround was successfully validated, with confirmation that the Cisco Secure Client on tested endpoints no longer showed the AnyConnect VPN module after implementation.

Cause

XDR Client Management Portal does not support custom XML file uploads. The system is designed to automatically generate and manage full AnyConnectProfile configurations, which overwrites any custom XML content uploaded through the portal interface. The ServiceDisable element is not preserved during this automatic profile generation process.

Related Content

Revision History

Revision Publish Date Comments
1.0
12-May-2026
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Jaikishan Yadav

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products