topic Re: Cisco ISE JamF MDM Integration in Network Access Control

Cisco ISE JamF MDM Integration

pcno — Sat, 06 Jun 2020 14:55:38 GMT

Hello Professionals,

Please provide me a good document or video URL that explains all configuration to be done to integrate ISE with JAMF as an MDM server.

I want ISE to check with JAMF for device compliance before it gets access to company Wireless network.

Thanks
Priyesh

Re: Cisco ISE JamF MDM Integration

Anurag Sharma — Sat, 06 Jun 2020 15:43:05 GMT

Hi @pcno ,

This has been asked before. Please refer to the following post:

https://community.cisco.com/t5/network-access-control/cisco-ise-and-jamf-integration/td-p/3894278

Re: Cisco ISE JamF MDM Integration

pcno — Sun, 07 Jun 2020 07:43:18 GMT

Hello Anurag,

I have already gone through the link you have shared and I am unable to find a single document which explains Step by step configuration of ISE with Jamf as external MDM.

URL only says about enrollment and some other troubleshooting discussion.

Please provide me a document link which explains MDM setup for ISE with Jamf

Thanks

Re: Cisco ISE JamF MDM Integration

poongarg — Sun, 07 Jun 2020 11:21:09 GMT

Kindly check the attached PDF: JAMF integration with ISE as MDM

Re: Cisco ISE JamF MDM Integration

pcno — Sun, 07 Jun 2020 16:57:25 GMT

Thank you very much Poongarg, Can you please tell me how I should configure the Authentication policy since all users are from JAMF then it cannot be validated with our active directory.

So should I put the authentication policy option as Continue x3 if Auth fails or not found for Authentication policy or is there any other way I can configure it?

Thanks
Priyesh

Re: Cisco ISE JamF MDM Integration

Greg Gibbs — Mon, 08 Jun 2020 23:49:44 GMT

Using the 'If user not found = Continue' option in the AuthC Policy is mainly used to allow endpoints using MAB to 'fall through' to the AuthZ Policy to leverage Profiling condition matches.

With JAMF-managed MacBooks, you would ideally be enrolling them with a user certificate and deploying an 802.1x EAP-TLS supplicant profile as part of the JAMF enrollment. Your AuthC Policy would use either a Certificate Authentication Profile or an Identity Source Sequence with or without identity checks against an external ID store like AD/LDAP (depending on your particular requirements and environment).

Re: Cisco ISE JamF MDM Integration

pcno — Wed, 10 Jun 2020 05:49:32 GMT

Hi Greg ,

I am using a certificate profile in Authentication policy > if the protocol is EAP-TLS then check the common name with AD but our Jamf is not integrated with AD so what will be the best policy to go with ..

I can bypass this with 2 way in preloaded cert profile I can select identity store as non but then there is no authentication check happening

I can also bypass it by putting if the user not found continue here also authentication not working.

So how can I do a authentication in a cert policy where local ad is not integrated with JAMF.

Please reply .

Re: Cisco ISE JamF MDM Integration

Greg Gibbs — Wed, 10 Jun 2020 06:08:49 GMT

I've used the following approach for a customer that was using a 'shared' certificate on all of their MacBooks for which the subject identity was not present in AD:

Create a new Cert Auth Profile that is configured for Identity Store of [not applicable]
Create an AuthC Policy rule that matches on the Issuer Name in the certificate

Example: