The goal is this:
Most users will be locked to a specific group which does not allow AnyConnect. Certain users will be allowed to use either the portal-only or the AnyConnect group. However, the AnyConnect group must not allow use on machines which are not joined to our domain. Setting up Secure Desktop to limit this works, but the select users who should have the choice between groups always end up in the dynamic access policy which requires the endpoint attribute for our domain. This happens even though the RADIUS attribute sent by their Active Directory group is matched in either dynamic access policy. How can these select users be given the option to use the portal-only profile simply by choosing that group on the login page?