Cisco ISE and Jamf Integration

chris.schasse
Level 1

I'm integrating the latest version of Cisco ISE with the latest version of Jamf. Where is the best documentation on how to do this integration? 

Accepted Solution

The basic configurations to integrate ISE with an MDM have not changed much. So, the old docs are mostly applicable:

Note that ISE 1.4 added support to allow multiple MDMs active. And, since 2.0 Patch 3 (or 1.4 Patch 8), ISE has been able to query for the MDM status of the endpoints that already registered in MDM but previously not known to ISE, by using a condition on MDM·MDMServerName. For example, given an authorization rule like below: 

If MDM·MDMServerName Equals jamfDEMO AND
   MDM·MDMServerReachable Equals Reachable AND
   MDM·DeviceRegisterStatus Equals Registered AND
   MDM·DeviceCompliantStatus Equals Compliant
then PermitMDMCompliantAccess

where jamfDEMO is an MDM instance defined in ISE.

ISE will query jamfDEMO for the status of the endpoint if this rule is processed while evaluating the endpoint.

6 Replies

In the first video you sent, the presenter never actually set up integration with ISE and Jamf; he built his own custom solution using the two APIs.

The second video you sent explains how the integration works, in theory, but certainly isn't a walkthrough of how to set it up.

Is there any general documentation on how to integrate ISE with an MDM?


I think I'm good on the instructions front, it looks pretty simple on ISE's side.

However, what you said below brings up another question. We are trying to create a custom solution because we have multiple MDMs (InTune and Jamf). I know ISE supports multiple MDMs, but the issue we're running into is that the profiling engine in ISE isn't great at differentiating between types of Apple devices. All the iPhones should go to InTune, all the computers should go to Jamf.

What it sounds like you're saying, however, is that if you set up this authorization rule, you could potentially have each MAC address query BOTH MDMs for compliance? If so, that would save us a LOT of custom setup.

I tried that and it did not work. Only the first occurrence of the ServerName conditions is used to trigger the queries. We need to find another attribute in the pre-condition to differentiate the endpoints. Potentially, endpoint profiles, endpoint logical profiles, endpoint groups, custom endpoint attributes, user groups, user attributes, etc.
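As an added illustration (not from the original thread or from Cisco), here is a small Python model of the first-match rule evaluation described above, with one rule per MDM gated on an endpoint pre-condition as the reply suggests; the server names, endpoint profiles, MACs and MDM answers are all constructed.

```python
"""Toy model of ISE authorization rules routing each endpoint to one MDM.
Added example, not Cisco's code; server names, profiles and MDM answers are
constructed. Each rule names one MDM·MDMServerName and is gated on a profile."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed MDM answers keyed by server name, then MAC. A server lacking the
# MAC answers "not registered"; a server name not present is unreachable.
MDM_SERVERS: Dict[str, Dict[str, Tuple[str, str]]] = {
    "jamfDEMO": {"aa:bb:cc:00:00:01": ("Registered", "Compliant")},
    "intuneDEMO": {"aa:bb:cc:00:00:02": ("Registered", "NonCompliant")},
}
@dataclass
class Endpoint:
    mac: str
    profile: str  # e.g. the ISE endpoint profile / logical profile

@dataclass
class Rule:
    name: str
    profile: str  # pre-condition that selects which MDM this rule queries
    server: str   # MDM·MDMServerName
    result: str = "PermitMDMCompliantAccess"

def query_mdm(server: str, mac: str) -> Dict[str, str]:
    """Return the MDM dictionary attributes ISE would fetch for this rule."""
    mdm = MDM_SERVERS.get(server)
    if mdm is None:
        return {"MDMServerReachable": "UnReachable"}
    reg, comp = mdm.get(mac, ("NotRegistered", "NonCompliant"))
    return {"MDMServerReachable": "Reachable",
            "DeviceRegisterStatus": reg, "DeviceCompliantStatus": comp}

def authorize(ep: Endpoint, rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """First-match evaluation; returns (result, last MDM server queried)."""
    queried = None
    for r in rules:
        if r.profile != ep.profile:
            continue  # pre-condition fails: this rule's MDM is never queried
        queried = r.server
        a = query_mdm(r.server, ep.mac)
        if (a.get("MDMServerReachable") == "Reachable"
                and a.get("DeviceRegisterStatus") == "Registered"
                and a.get("DeviceCompliantStatus") == "Compliant"):
            return r.result, r.server
    return "DenyAccess", queried  # no rule matched (or none queried an MDM)

RULES = [Rule("Mac-Jamf", "Apple-MacBook", "jamfDEMO"),
         Rule("iPhone-Intune", "Apple-iPhone", "intuneDEMO")]
```

Because the pre-condition decides which rule (and therefore which MDM) is reached, a Mac is never looked up in Intune and an iPhone is never looked up in Jamf, which is the routing the custom solution was trying to achieve.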

In the above solution where you are building the AND conditions to include the MDM:MDMServerName field does that force the rest of them to use that particular MDM?  I'm trying to figure out how to use multiple MDMs since the conditions don't let you specify which one to use.
