Beginner

Cisco ISE MDM Integration Android For Work

Hello all,

We are using MDM integration with Cisco ISE through API calls.

Everything was working well during the PoV but since a Change from Google Android the MAC address of Smartphones is not given anymore to MDM (Android working profile context since Android 7.x) and as ISE is using MAC address as identifier of Android Smartphones for MDM API Call we are facing an issue.

Could you please tell me (maybe after seeing with Cisco developers) if MDM API calls for Android Smartphones can be performed using a different attribute than MAC address (for example UDID for iphones)?


Thanks a lot for your help.

Accepted Solution
Cisco Employee

Re: Cisco ISE MDM Integration Android For Work

I will reach out to our SME to see if there is an action plan around this, but I don't think there is going to be a quick fix for this.

I suggest the following:

Open a TAC case and get the associated defect.

1. Rely on client onboarding with the MDM provider on a guest or separate onboarding SSID before connecting to your internal secure network.

2. Once they are MDM onboarded (preferably with a certificate for EAP-TLS), then allow connectivity to the secure network only if using EAP-TLS with a valid cert.

Wait for a fix to later tie in compliance to the connectivity:

If EAP-TLS and MDM compliant: full access.

Otherwise: limited access.

Beginner

Re: Cisco ISE MDM Integration Android For Work

Hello,

Thanks for your answer.

In addition to BYOD network access, we are also using an architecture with Cisco AnyConnect VPN for smartphones based on MDM checks via ISE.

So in order to enhance security before allowing VPN connections, we need to check a piece of information given by the MDM API call.

Cisco Employee

Re: Cisco ISE MDM Integration Android For Work

Ok, there might be a way around this using AnyConnect ACIDEX. Can you open another case separately with the MDM issue under that community as well and see if there are any answers from there?

All of the associated communities are listed here: https://communities.cisco.com/community/technology/security/pa

Advocate

Re: Cisco ISE MDM Integration Android For Work

Yes, in the absence of a MAC address, we will perform the query based on AC UDID or Carrier ID (assuming AC VPN client and ASA VPN gateway).

Beginner

Re: Cisco ISE MDM Integration Android For Work

Hello,

Thanks for your answer.

How can we modify the query on Cisco ISE from being based on MAC address to being based on AC UDID or Carrier ID?

Advocate

Re: Cisco ISE MDM Integration Android For Work

As noted, it is automatic if the MAC address is not received in ACIDEX.

Beginner

Re: Cisco ISE MDM Integration Android For Work

The problem is that we are receiving the MAC address of the smartphone on Cisco ISE, so it is trying to perform a query based on the MAC address. The issue is that the MAC address is hidden from the MDM.

Advocate

Re: Cisco ISE MDM Integration Android For Work

Ok. This represents a relatively new scenario where we have acquired the MAC address but the MDM agent is not able to collect it due to the OS blocking access. We have seen this with typical apps, but most OSes have still allowed MDM vendors access to this information. In this case, it appears not, so I am not sure if this is a limitation of the specific vendor's MDM implementation, or across the board.

In any case, I would suggest opening a TAC case and filing a defect. It may also be used as a placeholder against the partner MDM if they are unable to acquire the MAC where other vendors can (not sure if that is the case yet), but the defect can also be used to track the need for enhanced logic whereby we automatically (or based on a config option) perform the lookup using an alternate endpoint ID even when the MAC address is known. I will also copy the PM team internally on this one so they are aware of the issue. If able to file a defect, please copy it to the post.

Craig

Cisco Employee

Re: Cisco ISE MDM Integration Android For Work

Hi Craig,

It's a new implementation from Google in Android 7: they now hide the MAC address. Please have a look at this post:

https://stackoverflow.com/questions/43338359/get-device-mac-adress-in-android-nougat-and-o-programmatically

DevicePolicyManager.getWifiMacAddress() is already used by AirWatch to retrieve the Wi-Fi MAC address. But this function will only return a valid MAC address if the device is work managed/Device Owner. It doesn't work when using a Work Profile (managing only a container).

From the ISE side, the only solution would be to permit configuration of the attribute we are using in the API to query the MDM (not necessarily the MAC address).
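As an added illustration (not code from the thread, AirWatch, VMware or Cisco), an MDM-agent helper that asks DevicePolicyManager for the Wi-Fi MAC only when the app is the device owner, and otherwise falls back to another endpoint key so the agent never reports an empty MAC for a work-profile device. The `admin` ComponentName, the `enrollmentUdid` parameter (assumed to be an MDM-issued identifier) and the key prefixes are assumptions.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.provider.Settings;

/** Hypothetical helper: resolves the identifier an MDM agent should report for a device. */
public final class EndpointIdResolver {
    private EndpointIdResolver() {}

    /**
     * Returns the Wi-Fi MAC when this agent is the device owner (fully managed device),
     * otherwise null: under a work profile the platform does not expose the MAC to the
     * agent, so callers must fall back to another identifier instead of sending a blank one.
     */
    public static String wifiMacIfDeviceOwner(Context ctx, ComponentName admin) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        if (dpm == null || !dpm.isDeviceOwnerApp(ctx.getPackageName())) {
            return null; // work profile or unmanaged: MAC is not available to the agent
        }
        try {
            String mac = dpm.getWifiMacAddress(admin); // API 24+; may be null on some devices
            return (mac == null || mac.isEmpty()) ? null : mac;
        } catch (SecurityException e) {
            return null; // platform refused the call: treat exactly like "not available"
        }
    }

    /**
     * Picks the lookup key in preference order: MAC (device owner only), then the assumed
     * MDM enrollment UDID, then ANDROID_ID as a last resort. The prefix makes the key type
     * explicit so a server-side lookup can never confuse a UDID with a MAC.
     */
    public static String endpointIdentifier(Context ctx, ComponentName admin, String enrollmentUdid) {
        String mac = wifiMacIfDeviceOwner(ctx, admin);
        if (mac != null) {
            return "mac:" + mac;
        }
        if (enrollmentUdid != null && !enrollmentUdid.isEmpty()) {
            return "udid:" + enrollmentUdid;
        }
        String androidId = Settings.Secure.getString(ctx.getContentResolver(), Settings.Secure.ANDROID_ID);
        return "android_id:" + androidId;
    }
}
```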

 

Cisco Employee

Re: Cisco ISE MDM Integration Android For Work

Would recommend getting a TAC case open and a defect attached.

Cisco Employee

Re: Cisco ISE MDM Integration Android For Work

Make sure a TAC case is attached and matched to a defect; I will forward it to the PM team.

Cisco Employee

Re: Cisco ISE MDM Integration Android For Work

Hi team,

I'm looking for a BU contact to discuss with Google. Together with the customer we are in contact with Google and VMware, and the best way to find a solution is to organize a common Webex. Please give me the contact and I will organize the Webex.

Regards,

Christophe