how to install unless on a specific VLAN

VLAN ID is going to be rather hard I would think. At least I don't see it easy using Get-NetAdapterAdvancedProperty in Powershell

BUT:

Get-NetAdapter in Powershell tells me this:

I'm going to assume that your old VPN client and the new VPN client both create some form of Tunneling adapter (or VPN adapter, whatever you wanna call it).

Get-WMIObject win32_networkadapter | select name,netconnectionstatus gives me this :

*Note I piped to Out-GridView here for readability

Here are what the different status codes mean:

It's a little confusing what Get-NetAdapter and what WMI are telling you, but go with WMI I would imagine. 

You could feasibly grab the adapter name IF it is disconnected, save it to a file, on the next step, only do the install if the file exits. Cleanup step after you are done to remove the file you created. 

I'm assuming you're trying to prevent uninstalling the old VPN client if they're currently connected to VPN because that would leave them stranded and unable to connect, yes?

You can probably do this by targeting your deployment at an Inventory collection that does a version comparison on "Computer > IP Address"

I would also add a value filter to only include computers that have been recently scanned so that you hopefully don't get machines that weren't on VPN when they were scanned but have since connected to VPN, like so:

You could also push a command to that collection prior to pushing the Deploy package that force-quits the VPN client. That way if they were on VPN then they won't be able to receive the VPN upgrade package (they'll also have to manually reconnect to VPN) and if they weren't then you've ruled out the possibility of accidentally bricking any off-premise users.

Thank you.  That worked perfectly.