https://community.cisco.com/t5/network-security/cisco-ise-filtering-mobile-devices/m-p/3211535#M905427 <P>Thank you, Marvin, for your reply.&nbsp;</P> <P>&nbsp;</P> <P>What would be the best solution devices that are not owned by a company, and are a BYOD?</P> <P>This would be my main goal is how can I filter BYOD devices vs&nbsp; CORP. In a way where users are able to give some sort of "data", "MAC" or some kind of unique identifier for mobile devices, That I can filter on?</P> <P>&nbsp;</P> <P>Thank you.&nbsp;</P> Mon, 06 Nov 2017 12:37:25 GMT Jordan Taylor 2017-11-06T12:37:25Z https://community.cisco.com/t5/network-security/cisco-ise-filtering-mobile-devices/m-p/3210774#M905421 <P>Hello to one and all.&nbsp;</P> <P>&nbsp;</P> <P>Working on a project, need to restricted access to a network. end users that our domain joined, as well as mobile users, can access the network.&nbsp; i.e "users that have the Cisco any connect app" using AD credentials.&nbsp;</P> <P>What would be best practice for restricting access for the mobile users?</P> <P>&nbsp;</P> <UL> <LI>MDM Server&nbsp;</LI> <LI>CA Certs&nbsp;</LI> <LI>GPO&nbsp;</LI> </UL> <P>These are some methods I have come across.&nbsp;</P> <P>&nbsp;</P> <P>Any input in the would be greatly appreciated.</P> Fri, 21 Feb 2020 14:38:33 GMT https://community.cisco.com/t5/network-security/cisco-ise-filtering-mobile-devices/m-p/3210774#M905421 Jordan Taylor 2020-02-21T14:38:33Z https://community.cisco.com/t5/network-security/cisco-ise-filtering-mobile-devices/m-p/3210807#M905424 <P>If you have an MDM that's the best option for restricting mobile device access. It does require ISE Apex licensing to integrate with your MDM (via API).</P> <P>&nbsp;</P> <P>Mobile users on BYOD or remote corporate laptops won't normally be covered by your MDM (though I believe Meraki Systems Manager might do this).</P> <P>&nbsp;</P> <P>GPOs of course only apply to domain machines. That said, it's pretty simple to check for domain membership in ISE.</P> <P>&nbsp;</P> <P>Certificates for end users and machines work OK but if you don't have a CA it may be more than you want to take on to establish the whole PKI infrastructure internally.</P> Sat, 04 Nov 2017 02:46:17 GMT https://community.cisco.com/t5/network-security/cisco-ise-filtering-mobile-devices/m-p/3210807#M905424 Marvin Rhoads 2017-11-04T02:46:17Z https://community.cisco.com/t5/network-security/cisco-ise-filtering-mobile-devices/m-p/3211535#M905427 <P>Thank you, Marvin, for your reply.&nbsp;</P> <P>&nbsp;</P> <P>What would be the best solution devices that are not owned by a company, and are a BYOD?</P> <P>This would be my main goal is how can I filter BYOD devices vs&nbsp; CORP. In a way where users are able to give some sort of "data", "MAC" or some kind of unique identifier for mobile devices, That I can filter on?</P> <P>&nbsp;</P> <P>Thank you.&nbsp;</P> Mon, 06 Nov 2017 12:37:25 GMT https://community.cisco.com/t5/network-security/cisco-ise-filtering-mobile-devices/m-p/3211535#M905427 Jordan Taylor 2017-11-06T12:37:25Z https://community.cisco.com/t5/network-security/cisco-ise-filtering-mobile-devices/m-p/3211939#M905429 <P>Well you start with looking for domain membership (remote laptops corporate-owned). They get one AuthZ policy result.</P> <P>&nbsp;</P> <P>Then, if you have an MDM and Apex license, check for corporate mobile devices. They get another AuthZ result (or maybe the same one depending on your policy).</P> <P>&nbsp;</P> <P>Anything that doesn't match one of the above gets a more restrictive AuthZ.</P> Tue, 07 Nov 2017 03:23:26 GMT https://community.cisco.com/t5/network-security/cisco-ise-filtering-mobile-devices/m-p/3211939#M905429 Marvin Rhoads 2017-11-07T03:23:26Z