https://community.cisco.com/t5/network-access-control/ise-not-pulling-system-domain-information-for-mac-osx-devices/m-p/3708444#M507596 <P>Thanks for the input, Hosuk.</P> <P>&nbsp;</P> <P>So this means Anyconnect will not automatically grab this information as the customer thinks it should, correct?</P> <P>&nbsp;</P> <P>What about Windows? does Anyconnect populate this domain information for Windows workstations automatically? If not, how is that information collected in the posture report.</P> <P><BR />Thanks,</P> <P>Malavika</P> Mon, 17 Sep 2018 23:31:56 GMT mparthan 2018-09-17T23:31:56Z https://community.cisco.com/t5/network-access-control/ise-not-pulling-system-domain-information-for-mac-osx-devices/m-p/3708295#M507591 <P>Hello Team,</P> <P>&nbsp;</P> <P>Would the posture module populate system domain information for OSX by default even if the condition is not set as a requirement?</P> <P>&nbsp;</P> <P>I see the system domain information populated in the posture report for Windows , however it is blank when a posture report is sent for the mac device. Refraining from uploading screenshots since it contains user data.</P> <P>&nbsp;</P> <P>For my Windows workstation, I have a condition defined to see if the workstation is domain joined or not,but dont have a similar condition for OSX.</P> <P>&nbsp;</P> <P>How is the system domain information populated? Does the Anyconnect gather it as a base attribute or based on the conditions enforced?</P> <P>&nbsp;</P> <P>Thanks for helping with this.</P> <P>&nbsp;</P> <P>--Malavika</P> Mon, 17 Sep 2018 19:04:18 GMT https://community.cisco.com/t5/network-access-control/ise-not-pulling-system-domain-information-for-mac-osx-devices/m-p/3708295#M507591 mparthan 2018-09-17T19:04:18Z https://community.cisco.com/t5/network-access-control/ise-not-pulling-system-domain-information-for-mac-osx-devices/m-p/3708413#M507594 <P>You can gather macOS AD domain membership using the plist files. Simple way is to find out if there is plist file (EXAMPLE as the AD domain name):</P> <P class="p1"><EM><STRONG><SPAN class="s1">/Library/Preferences/OpenDirectory/DynamicData/Active\ Directory/EXAMPLE.plist</SPAN></STRONG></EM></P> <P class="p1">&nbsp;</P> <P class="p1"><SPAN class="s1">If you want to get more detailed information about the domain then you can also look into the plist file and compare the values within. Sample command here will allow you to view the content of plist file so you can craft matching ISE posture conditions:</SPAN></P> <P class="p1"><EM><STRONG><SPAN class="s1">sudo defaults read /Library/Preferences/OpenDirectory/DynamicData/Active\ Directory/EXAMPLE.plist</SPAN></STRONG></EM></P> <P class="p1">&nbsp;</P> <P class="p1"><SPAN class="s1">Note that&nbsp;it is not going to provide what is the data that is being matched, rather it will simply tell you whether your string matches with it or not. If you need to match multiple domains, you can create multiple conditions and combine them as compound conditions.</SPAN></P> Wed, 19 Sep 2018 00:53:12 GMT https://community.cisco.com/t5/network-access-control/ise-not-pulling-system-domain-information-for-mac-osx-devices/m-p/3708413#M507594 howon 2018-09-19T00:53:12Z https://community.cisco.com/t5/network-access-control/ise-not-pulling-system-domain-information-for-mac-osx-devices/m-p/3708444#M507596 <P>Thanks for the input, Hosuk.</P> <P>&nbsp;</P> <P>So this means Anyconnect will not automatically grab this information as the customer thinks it should, correct?</P> <P>&nbsp;</P> <P>What about Windows? does Anyconnect populate this domain information for Windows workstations automatically? If not, how is that information collected in the posture report.</P> <P><BR />Thanks,</P> <P>Malavika</P> Mon, 17 Sep 2018 23:31:56 GMT https://community.cisco.com/t5/network-access-control/ise-not-pulling-system-domain-information-for-mac-osx-devices/m-p/3708444#M507596 mparthan 2018-09-17T23:31:56Z https://community.cisco.com/t5/network-access-control/ise-not-pulling-system-domain-information-for-mac-osx-devices/m-p/3708445#M507597 <P>If customer wants to see what the value is, then no. However, if customer wants to&nbsp;validate whether the value is X then it is possible.</P> <P>&nbsp;</P> <P>Yes, AC Posture module does this automatically for Windows. If you want to similar result for AD joined macOS, please work with the PM team.</P> Mon, 17 Sep 2018 23:51:01 GMT https://community.cisco.com/t5/network-access-control/ise-not-pulling-system-domain-information-for-mac-osx-devices/m-p/3708445#M507597 howon 2018-09-17T23:51:01Z