https://community.cisco.com/t5/network-access-control/mdm-integration-without-device-on-boarding-with-2-different-mdm/m-p/3855789#M473110 <P>I have AirWatch and Intune integrated to ISE and I want to check compliant and registered status, but I do not get this to work properly and I wounder if I need the redirect rule even though that devices are on-boarded in MDM via Internet/4G? Can anyone tell me how to do this, this is my rules at the moment:</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 14 May 2019 10:42:04 GMT lars.cederholm 2019-05-14T10:42:04Z https://community.cisco.com/t5/network-access-control/mdm-integration-without-device-on-boarding-with-2-different-mdm/m-p/3855789#M473110 <P>I have AirWatch and Intune integrated to ISE and I want to check compliant and registered status, but I do not get this to work properly and I wounder if I need the redirect rule even though that devices are on-boarded in MDM via Internet/4G? Can anyone tell me how to do this, this is my rules at the moment:</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 14 May 2019 10:42:04 GMT https://community.cisco.com/t5/network-access-control/mdm-integration-without-device-on-boarding-with-2-different-mdm/m-p/3855789#M473110 lars.cederholm 2019-05-14T10:42:04Z https://community.cisco.com/t5/network-access-control/mdm-integration-without-device-on-boarding-with-2-different-mdm/m-p/3855889#M473111 <P>There is no need to redirect endpoints if policies are configured in the proper way.</P> <P><BR />There are two important things which need to be added for multi-MDM scenario when there are endpoints which were registered out-of band:</P> <P>&nbsp;</P> <P>1. MDM server name attribute<BR />2. Differentiator attribute before MDM server name condition</P> <P>&nbsp;</P> <P>When you create policies ISE executes attribute collection (AKA Queried PIP) in the same order as they are listed in authorization policies.</P> <P>&nbsp;</P> <P>In multi MDM server scenario we can't just a MDM server name attribute since it creates an ambiguity when ISE needs to decide which MDM server to query for specific endpoint.</P> <P>&nbsp;</P> <P>As a result of such ambiguity for every endpoint ISE will pick MDM server from the first policy which contains MDM server name.&nbsp;</P> <P>&nbsp;</P> <P>Below you may see an example from my lab for two MDM serves - Meraki and SCCM.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image003.png" style="width: 810px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/36674i744C939470FBBEA6/image-size/large?v=v2&amp;px=999" role="button" title="image003.png" alt="image003.png" /></span></P> <P>&nbsp;</P> <P>1. Differentiator attribute - In my case it's an AD group. Presence of this attribute in the policy pushes ISE to query External AD group PIP first. As a result further policy selection is limited only to policies which contain specific AD group</P> <P>&nbsp;</P> <P>In your scenario i think you can use a Certificate template attribute as a differentiator.</P> <P>&nbsp;</P> <P>2. MDM server name condition - this one will trigger a query to the proper server.</P> <P>&nbsp;</P> <P>3. Endpoint MDM attributes</P> <P>&nbsp;</P> <P>Example contains only two 'Non-Compliant' policies but all other policies (except redirect polices) should be configured in the same way.</P> <P>&nbsp;</P> <P>In case if you wish to keep redirect polices you should't use there an MDM server name since you specify the server name in authorization profile.</P> <P>&nbsp;</P> Tue, 14 May 2019 12:34:40 GMT https://community.cisco.com/t5/network-access-control/mdm-integration-without-device-on-boarding-with-2-different-mdm/m-p/3855889#M473111 Serhii Kucherenko 2019-05-14T12:34:40Z