https://community.cisco.com/t5/network-access-control/identify-corporate-macos-from-vpn-wired-wireless-using-ise-as/m-p/3948035#M456587 <BLOCKQUOTE><HR /><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/833210">@Mike.Cifelli</a>&nbsp;wrote:<BR />A couple of options to accomplish your goal:<BR />-You could deploy specific VPN profiles with unique tunnel group names and do a match in your client provisioning policy utilizing Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name EQUALS &lt;your tunnel group name&gt;.<BR />-Determine a piece of corporate software that you could setup a posture check on to determine that the host is truly a corporate machine<BR />-Utilize other conditions in client provisioning policy that do a check against your identity source to determine if truly a corporate asset<BR />I would recommend thinking about how your corporate machines are unique and how you can determine that they are unique &amp; truly your asset. Good luck &amp; HTH!<HR /></BLOCKQUOTE> <P>Right unlike windows this information is not available as a machine auth or user auth. Perhaps you can deploy JAMF? or EAP-TLS only for corporate machines to use certificate auth? and not corporate only allowed to use user/password?</P> Fri, 25 Oct 2019 10:38:29 GMT Jason Kunst 2019-10-25T10:38:29Z https://community.cisco.com/t5/network-access-control/identify-corporate-macos-from-vpn-wired-wireless-using-ise-as/m-p/3937646#M456584 <P>Hi All,</P><P>&nbsp;</P><P>Is there a way to identify corporate MacOS vs non-corporate MacOS machine? We are using ISE as radius server for our VPN, Wired and Wireless connection with login using username. We wanted to limit the clients to only use MacOS provided by the company and not allow connection for non-corporate MacOS.</P> Fri, 21 Feb 2020 19:10:43 GMT https://community.cisco.com/t5/network-access-control/identify-corporate-macos-from-vpn-wired-wireless-using-ise-as/m-p/3937646#M456584 misinsuan2229 2020-02-21T19:10:43Z https://community.cisco.com/t5/network-access-control/identify-corporate-macos-from-vpn-wired-wireless-using-ise-as/m-p/3937868#M456585 A couple of options to accomplish your goal:<BR />-You could deploy specific VPN profiles with unique tunnel group names and do a match in your client provisioning policy utilizing Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name EQUALS &lt;your tunnel group name&gt;.<BR />-Determine a piece of corporate software that you could setup a posture check on to determine that the host is truly a corporate machine<BR />-Utilize other conditions in client provisioning policy that do a check against your identity source to determine if truly a corporate asset<BR />I would recommend thinking about how your corporate machines are unique and how you can determine that they are unique &amp; truly your asset. Good luck &amp; HTH! Wed, 09 Oct 2019 12:39:35 GMT https://community.cisco.com/t5/network-access-control/identify-corporate-macos-from-vpn-wired-wireless-using-ise-as/m-p/3937868#M456585 Mike.Cifelli 2019-10-09T12:39:35Z https://community.cisco.com/t5/network-access-control/identify-corporate-macos-from-vpn-wired-wireless-using-ise-as/m-p/3948035#M456587 <BLOCKQUOTE><HR /><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/833210">@Mike.Cifelli</a>&nbsp;wrote:<BR />A couple of options to accomplish your goal:<BR />-You could deploy specific VPN profiles with unique tunnel group names and do a match in your client provisioning policy utilizing Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name EQUALS &lt;your tunnel group name&gt;.<BR />-Determine a piece of corporate software that you could setup a posture check on to determine that the host is truly a corporate machine<BR />-Utilize other conditions in client provisioning policy that do a check against your identity source to determine if truly a corporate asset<BR />I would recommend thinking about how your corporate machines are unique and how you can determine that they are unique &amp; truly your asset. Good luck &amp; HTH!<HR /></BLOCKQUOTE> <P>Right unlike windows this information is not available as a machine auth or user auth. Perhaps you can deploy JAMF? or EAP-TLS only for corporate machines to use certificate auth? and not corporate only allowed to use user/password?</P> Fri, 25 Oct 2019 10:38:29 GMT https://community.cisco.com/t5/network-access-control/identify-corporate-macos-from-vpn-wired-wireless-using-ise-as/m-p/3948035#M456587 Jason Kunst 2019-10-25T10:38:29Z