Beginner

Cisco ISE and Jamf Integration

I'm integrating the latest version of Cisco ISE with the latest version of Jamf. Where is the best documentation on how to do this integration? 


Accepted Solutions
Cisco Employee

Re: Cisco ISE and Jamf Integration

The basic configuration to integrate ISE with an MDM has not changed much, so the old docs are mostly applicable:

Note that ISE 1.4 added support for multiple active MDMs. And, since 2.0 Patch 3 (or 1.4 Patch 8), ISE has been able to query for the MDM status of endpoints that are already registered in the MDM but were previously not known to ISE, by using a condition on MDM:MDMServerName. For example, given an authorization rule like the one below:

  If MDM:MDMServerName Equals jamfDEMO AND
     MDM:MDMServerReachable Equals Reachable AND
     MDM:DeviceRegisterStatus Equals Registered AND
     MDM:DeviceCompliantStatus Equals Compliant
  then PermitMDMCompliantAccess

where jamfDEMO is an MDM instance defined in ISE.

ISE will query jamfDEMO for the endpoint's status if this rule is processed while evaluating the endpoint.

Cisco Employee

Re: Cisco ISE and Jamf Integration

Beginner

Re: Cisco ISE and Jamf Integration

In the first video you sent, the presenter never actually set up an integration between ISE and Jamf; he built his own custom solution using the two APIs.

The second video you sent explains how the integration works, in theory, but certainly isn't a walkthrough of how to set it up.

Is there any general documentation on how to integrate ISE with an MDM?
Beginner

Re: Cisco ISE and Jamf Integration

I think I'm good on the instructions front, it looks pretty simple on ISE's side.

However, what you said below brings up another question. We are trying to create a custom solution because we have multiple MDMs (Intune and Jamf). I know ISE supports multiple MDMs, but the issue we're running into is that the profiling engine in ISE isn't great at differentiating between types of Apple devices. All the iPhones should go to Intune, all the computers should go to Jamf.

What it sounds like you're saying, however, is that if you set up this authorization rule, you could potentially have each MAC address query BOTH MDMs for compliance? If so, that would save us a LOT of custom setup.
Cisco Employee

Re: Cisco ISE and Jamf Integration

What it sounds like you're saying, however, is that if you set up this authorization rule, you could potentially have each MAC address query BOTH MDMs for compliance? If so, that would save us a LOT of custom setup.

I tried that and it did not work. Only the first occurrence of the ServerName conditions is used to trigger the queries. We need to find another attribute in the pre-condition to differentiate the endpoints. Potentially, endpoint profiles, endpoint logical profiles, endpoint groups, custom endpoint attributes, user groups, user attributes, etc.
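To make the behaviour described in this thread concrete, here is an added Python model (not Cisco ISE code, and not anything posted in this thread) of first-match authorization rules where only the first MDM:MDMServerName condition in a rule selects the MDM that gets queried, and where a pre-condition on the endpoint profile splits iPhones and Macs between two MDMs. The server names, MAC addresses, inventories and the EndPointPolicy values are constructed for the example.

```python
# Constructed model of ISE-style rule evaluation: only the first
# MDM:MDMServerName condition in a rule picks the MDM that is queried.

# Constructed MDM inventories: which MACs each MDM knows and their compliance.
MDM_SERVERS = {
    "jamfDEMO": {"aa:bb:cc:00:00:01": "Compliant"},
    "intuneDEMO": {"aa:bb:cc:00:00:02": "Compliant"},
}


def query_mdm(server_name, mac):
    """Return (reachable, registered, compliant) for mac from one MDM (constructed)."""
    inventory = MDM_SERVERS.get(server_name)
    if inventory is None:
        return (False, False, False)        # unknown/unreachable server
    status = inventory.get(mac)
    return (True, status is not None, status == "Compliant")


def evaluate_rule(rule, endpoint):
    """Check pre-conditions on endpoint attributes, then the MDM conditions."""
    for attr, expected in rule["pre_conditions"].items():
        if endpoint.get(attr) != expected:
            return None                     # pre-condition not met, rule skipped
    # Only the first MDMServerName is used; later names in the same rule are ignored.
    first_server = rule["mdm_server_names"][0]
    reachable, registered, compliant = query_mdm(first_server, endpoint["mac"])
    if reachable and registered and compliant:
        return rule["result"]
    return None


def authorize(rules, endpoint):
    """First-match evaluation over an ordered rule list; default deny."""
    for rule in rules:
        result = evaluate_rule(rule, endpoint)
        if result is not None:
            return result
    return "DenyAccess"


# One rule naming both MDMs: a Mac known only to Jamf is never looked up.
SINGLE_RULE = [{"pre_conditions": {}, "mdm_server_names": ["intuneDEMO", "jamfDEMO"],
                "result": "PermitMDMCompliantAccess"}]
# Two rules split by endpoint profile (assumed EndPointPolicy values), one MDM each.
SPLIT_RULES = [
    {"pre_conditions": {"EndPointPolicy": "Apple-iPhone"},
     "mdm_server_names": ["intuneDEMO"], "result": "PermitMDMCompliantAccess"},
    {"pre_conditions": {"EndPointPolicy": "Apple-MacBook"},
     "mdm_server_names": ["jamfDEMO"], "result": "PermitMDMCompliantAccess"},
]
```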