topic Re: Cisco ISE and Jamf Integration in Network Access Control

Cisco ISE and Jamf Integration

chris.schasse — Sun, 21 Jul 2019 02:14:16 GMT

I'm integrating the latest version of Cisco ISE with the latest version of Jamf. Where is the best documentation on how to do this integration?

Re: Cisco ISE and Jamf Integration

hslai — Sun, 21 Jul 2019 03:23:23 GMT

Check out these videos:

Re: Cisco ISE and Jamf Integration

chris.schasse — Sun, 21 Jul 2019 18:05:45 GMT

In the first video you sent the presenter never actually setup integration with ISE and Jamf, he built his own custom solution using the two APIs

The second video you sent explains how the integration works, in theory, but certainly isn't a walkthrough of how to set it up.

Is there any general documentation on how to integrate ISE with an MDM?

Re: Cisco ISE and Jamf Integration

hslai — Sun, 21 Jul 2019 20:12:48 GMT

The basic configurations to integration ISE with an MDM have not changed much. So, the old docs are mostly applicable:

Note that ISE 1.4 added support to allow multiple MDMs active. And, since 2.0 Patch 3 (or 1.4 Patch 8), ISE has been able to query for the MDM status of the endpoints that already registered in MDM but previously not known to ISE, by using a condition on MDM·MDMServerName. For example, given an authorization rule like below:

If MDM·MDMServerName Equals jamfDEMO AND
MDM·MDMServerReachable Equals Reachable AND
MDM·DeviceRegisterStatus Equals Registered AND
MDM·DeviceCompliantStatus Equals Compliant

then PermitMDMCompliantAccess

where jamfDEMO is a MDM instance defined in ISE.

ISE will query jamfDEMO for the status of the endpoint, if this rule is processed while evaluating for the endpoint.

Re: Cisco ISE and Jamf Integration

chris.schasse — Mon, 22 Jul 2019 16:03:47 GMT

I think I'm good on the instructions front, it looks pretty simple on ISE's side.

However, what you said below brings up another question. We are trying to create a custom solution because we have multiple MDMs (InTune and Jamf). I know ISE supports multiple MDMs, but the issue we're running into is that the profiling engine in ISE isn't great at differentiating between types of Apple devices. All the iPhones should go to InTune, all the computers should go to Jamf.

What it sounds like you're saying, however, is that if you setup this authorization rule, you could potentially have each MAC Address query BOTH MDMs for compliance? If so, that would save us a LOT of custom setup.

Re: Cisco ISE and Jamf Integration

hslai — Tue, 23 Jul 2019 00:22:29 GMT

What it sounds like you're saying, however, is that if you setup this authorization rule, you could potentially have each MAC Address query BOTH MDMs for compliance? If so, that would save us a LOT of custom setup.

I tried that and it did not work. Only the first occurrence of the ServerName conditions is used to trigger the queries. We need to find another attribute in the pre-condition to differentiate the endpoints. Potentially, endpoint profiles, endpoint logical profiles, endpoint groups, custom endpoint attributes, user groups, user attributes, etc.

Re: Cisco ISE and Jamf Integration

Steve Talbert — Thu, 29 Apr 2021 16:00:55 GMT

In the above solution where you are building the AND conditions to include the MDM:MDMServerName field does that force the rest of them to use that particular MDM? I'm trying to figure out how to use multiple MDMs since the conditions don't let you specify which one to use.