Okay that´s not new to me.

But we want to use the UEM integration for Intune followed by Software deployment policy. 
So I want a solution for that.

The two solutions above needs to be updated everytime we decide to use a new endpoint agent version.

It might help us to understand if you can explain the expected workflow in more detail.
As far as I know, unless it's added to the MSI file, adding a VPN site requires a push operation.
If it's just updating an existing site, then that should occur the next time the user connects to the VPN

For sure.

W

We use autopilot-managed devices via MS Intune (EntraID-registered), which are sent to employees. After their first login (via EntraID authentication), applications are deployed through MS Intune.

To deploy the Harmony client in MS Intune, we use the UEM integration provided by Check Point (see the screenshot in my first post). Once the initial client is installed, the deployment policy takes over, though there is currently no option to automatically configure a VPN site.

Using the MSI deployment (suggested by Leasly) isn't feasible, as we would need to update the package every time a new agent version is released. Since an external service provider manages this service, our Security department requires the flexibility to quickly choose which version is deployed. This is why we prefer using the deployment policy.

Everything else is too maintenance-intensive

Possible this is an RFE.
Adding @BarYassure 

Please tell me not there is no other solution for that.
This is such an obvious use case 🙄

What's not clear in what you've said so far is why a Push operation isn't an acceptable alternative.
The Push Operation can potentially be automated via an API call: https://app.swaggerhub.com/apis/Check-Point/web-mgmt-external-api-production/1.9.221#/AddVpnSitePara... 

I'll admit, I'm not an Endpoint expert, so it's possible there is another way to do this.