topic Re: ISE/JAMF MDM Attributes in Network Access Control

ISE/JAMF MDM Attributes

caroolso — Wed, 27 Mar 2019 17:56:32 GMT

Hello team,

Could anyone shed light on the expected behavior for JAMF MDM on Ethernet? My customer has been unable to get any attributes to show up for Ethernet and the MDMEnrolled shows false. Thanks!

Re: ISE/JAMF MDM Attributes

Dustin Anderson — Wed, 27 Mar 2019 18:23:04 GMT

I have not tried Ethernet, but from what we have seen on JAMF, it needs to load the enrollment web page before ISE will see it as compliant. You may need to set up a redirect to force this.

Re: ISE/JAMF MDM Attributes

Rahul Govindan — Wed, 27 Mar 2019 18:35:25 GMT

From what I have experienced, JAMF only keeps the wifi mac address of the device as an identifier. In the case of Ethernet connection, ISE would send the ethernet adapter/dongle mac address which usually does not match that identifier. I do recall that there were plans for JAMF to add more identifiers so that it ISE can match against those. Don't know if they have done that yet. Furthermore, dongles are usually hard to maintain as users could bring their own dongles to connect their laptops. Probably a endpoint group of approved dongles on ISE + the ability for users to add their own dongle mac addresses (using mydevices portal) might be a way to go.

Re: ISE/JAMF MDM Attributes

Dustin Anderson — Wed, 27 Mar 2019 18:52:06 GMT

JAMF can have 2 identifiers, but yes, the dongles are annoying as we have 1 user that bounces through 3 of them.

OP may be talking about iMacs or Mac Pro's so may not worry about wireless nic.

Re: ISE/JAMF MDM Attributes

Jason Kunst — Wed, 27 Mar 2019 18:55:33 GMT

In 2.6 we do more with anyconnect and shared dongles as well

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/release_notes/b_ise_26_RN.html#id_87508

Re: ISE/JAMF MDM Attributes

Rahul Govindan — Wed, 27 Mar 2019 19:18:57 GMT

@Jason Kunst: Great to hear. I am assuming that only the AnyConnect 4.7 ISE posture module is required for this to work. Any examples of this in action? Also, how does the an administrator get this UDID to be added to MDM beforehand?

This does not solve the Dongle use case but at least captures use cases with static docks and ethernet ports.

Re: ISE/JAMF MDM Attributes

Jason Kunst — Wed, 27 Mar 2019 19:28:56 GMT

I reached out to the SMEs to take a look

Re: ISE/JAMF MDM Attributes

caroolso — Wed, 27 Mar 2019 22:12:41 GMT

Thanks Jason, please keep us posted.

Re: ISE/JAMF MDM Attributes

Nidhi — Thu, 28 Mar 2019 17:08:56 GMT

Hello,

AC 4.7 is the minimum version needed for the UDID support. The UDID for the endpoint is sent to ISE via Anyconnect agent. you can view this in endpoint attribute list.

The MDM vendor fetches the UDID during the enrollment as its another endpoint attribute.

With the MDM flow in ISE, ISE makes an API call to MDM using this UDID to get the compliance information !

hope this helps.

Thanks,

Nidhi

Re: ISE/JAMF MDM Attributes

caroolso — Thu, 28 Mar 2019 18:02:57 GMT

Hi Nidhi,

Thanks for the information here. So is the only way for my customer to see the attributes for JAMF MDM Ethernet to use the AnyConnect 4.7 integration?

Also, could you confirm that seeing no attributes and "False" MDMEnrolled is expected behavior without the AC integration?

Thanks!

Re: ISE/JAMF MDM Attributes

Nidhi — Fri, 29 Mar 2019 15:33:42 GMT

This capability was introduced as a requirement for Cisco IT wherein a script is used to add the UDID information in AD and compliant status from MDM is added to AD attribute.

we can then create a posture condition to check for this using the UDID attribute.

As of now UDID MDM query happens only in VPN case because Anyconnect don’t send MAC address to ISE (it sends MAC as Unknown or empty string), so in that case query happens based on UDID.

In Normal Wireless/Wired MDM flow, ISE will use MAC address only to query.

Thanks,

Nidhi

Re: ISE/JAMF MDM Attributes

ruhearn — Tue, 16 Apr 2019 15:06:03 GMT

Hey @Nidhi -

I understand that 2.6 + AC 4.7 supports sending the UDID via the posture flow, but is this would only cover customers using ISE posture. In the past, Jamf would get the MAC addresses of whatever NICs (I believe up to two of them) when it registers initially or when sudo jamf recon is run.

Is there some way to get Jamf to reconfigure via an AuthZ policy/DACL so that it (with the right access to the server, of course) can update the MAC addresses for the Mac OS device? We had not planned to use posture and this customer does not have the license required as far as I know.

Re: ISE/JAMF MDM Attributes

pagosojayson — Mon, 14 Sep 2020 02:33:38 GMT

Hi Nidhi,

Do you happen to know if this is already supported for non-VPN solutions?

Regards,

Jayson