topic Re: Multiple MDM Server Scopes (Microsoft Intune) in Network Access Control

Multiple MDM Server Scopes (Microsoft Intune)

InfraISE2020 — Wed, 26 Feb 2020 13:12:39 GMT

We have a scenario where we have multiple external MDM servers that need to be queried depending on the source device.

How do we create an authorization policy that defines a particular device to a particular MDM server.

i.e. Device A querying MDM A and Device B querying MDM B.

We have tried to create the policy below however we have been unsuccessful so far:

Policy 1

MDM·MDMServerName Equals "MDM A"

AND

MDM·DeviceCompliantStatus Equals Compliant

Policy 2

MDM·MDMServerName Equals "MDM B"

AND

MDM·DeviceCompliantStatus Equals Compliant

What appears to be happening is that ISE will only query one of the MDM servers meaning that it will only allow access to either Device A or Device depending on which MDM server was queried first.

Environment

Cisco ISE version 2.6 Patch Update 3

Any help would be appreciated.

Re: Multiple MDM Server Scopes (Microsoft Intune)

Mark Elsen — Wed, 26 Feb 2020 14:03:36 GMT

- Whilst this may be possible , I feel it contradicts the purpose of integrated MDM. Meaning , probably working towards an 'inclusive' MDM_solution is better.

Re: Multiple MDM Server Scopes (Microsoft Intune)

InfraISE2020 — Wed, 26 Feb 2020 14:15:45 GMT

Hi @Mark Elsen

Thanks for the quick response.

Unfortunately we need to stick with Microsoft Intune as the MDM provider but have the ability within ISE to service two separate companies.

Do you have any ideas on how i can define which MDM server to query on my authorization rules as the current setup only queries one and not the other?

Re: Multiple MDM Server Scopes (Microsoft Intune)

Mark Elsen — Wed, 26 Feb 2020 14:22:13 GMT

- Below are some threads I found on the subject , but then again, even with ISE in between 'multiple MDM' in my view contradicts with solid MDM :

https://community.cisco.com/t5/network-access-control/multiple-mdm-solutions-and-a-single-ise-cluster/m-p/3060070

https://community.cisco.com/t5/network-access-control/multi-mdm-support/td-p/3493890

https://community.cisco.com/t5/network-access-control/multiple-mdm-support-similar-to-identity-store-sequence/td-p/3562197

Re: Multiple MDM Server Scopes (Microsoft Intune)

Cristian Matei — Wed, 26 Feb 2020 20:25:38 GMT

Hi,

This is easily achievable; you just need to find a differentiator between the devices which will be checked against MDM1 and devices which will be checked against MDM2, and use that differentiator as a condition in your authorization policies.

Regards,

Cristian Matei.

Re: Multiple MDM Server Scopes (Microsoft Intune)

InfraISE2020 — Wed, 26 Feb 2020 22:24:05 GMT

@Cristian Matei

I am fairly new to ISE so unsure as to how I can differentiate based on host names in the authorisation rule.

All devices in MDM1 hostname starts with GP and all devices in MDM2 start with TR, how would the rules be updated to reflect this? could you give me an example?

Have you achieved this before using two different MDM servers?
Thanks in advance.

Re: Multiple MDM Server Scopes (Microsoft Intune)

Cristian Matei — Thu, 05 Mar 2020 19:36:10 GMT

Hi,

Once you've done the MDM integration, make use of the MDM Dictionary Attributes in your authorization policies. See the attached guide.

Regards,

Cristian Matei.