12-13-2017 08:16 AM
Hello all,
We are using MDM integration with Cisco ISE through API calls.
Everything was working well during the PoV, but since a change from Google Android the MAC address of smartphones is no longer given to the MDM (Android work profile context since Android 7.x), and as ISE uses the MAC address as the identifier of Android smartphones for the MDM API call, we are facing an issue.
Could you please tell me (maybe after checking with Cisco developers) whether MDM API calls for Android smartphones can be performed using a different attribute than the MAC address (for example the UDID for iPhones)?
Thanks a lot for your help.
12-13-2017 08:21 AM
I will reach out to our SME to see if there is an action plan around this, but I don't think there is going to be a quick fix for this.
Suggest the following:
Open a TAC case and get an associated defect.
1. Rely on client onboarding with the MDM provider on a guest or separate onboarding SSID before connecting to your internal secure network.
2. Once they are MDM onboarded (preferably with a certificate for EAP-TLS), then allow connectivity to the secure network only if using EAP-TLS with a valid cert.
Wait for a fix to later tie in compliance to the connectivity:
If EAP-TLS and MDM compliant, full access.
Otherwise, limited access.
12-13-2017 08:27 AM
Hello,
Thanks for your answer.
In addition to BYOD network access, we are also using an architecture with Cisco AnyConnect VPN for smartphones based on MDM checks via ISE.
So, in order to enhance security before allowing VPN connections, we need to check a piece of information given by the MDM API call.
12-13-2017 08:51 AM
Ok, there might be a way around this using AnyConnect ACIDEX? Can you open another case separately with the MDM issue under that community as well and see if there are any answers from there?
All of the associated communities are listed here: https://communities.cisco.com/community/technology/security/pa
12-14-2017 09:31 AM
Yes, in the absence of a MAC address, we will perform the query based on the AC UDID or Carrier ID (assuming AC VPN client and ASA VPN gateway).
12-15-2017 01:35 AM
Hello,
Thanks for your answer.
How can we modify the query on Cisco ISE from being based on the MAC address to being based on the AC UDID or Carrier ID?
12-15-2017 02:01 AM
As noted, it is automatic if the MAC address is not received in ACIDEX.
12-15-2017 02:20 AM
The problem is that we are receiving the MAC address of the smartphone on Cisco ISE, so it is trying to perform a query based on the MAC address. The issue is that the MAC address is hidden from the MDM.
12-15-2017 05:23 AM
Ok. This represents a relatively new scenario where we have acquired the MAC address but the MDM agent is not able to collect it due to the OS blocking access. We have seen this with typical apps, but most OSes have still allowed MDM vendors access to this information. In this case it appears not, so I'm not sure if this is a limitation of the specific vendor's MDM implementation or across the board.
In any case, I would suggest opening a TAC case and filing a defect. It may also be used as a placeholder against the partner MDM if they are unable to acquire the MAC where other vendors can (not sure if that is the case yet), but the defect can also be used to track the need for enhanced logic whereby we automatically (or based on a config option) perform the lookup using an alternate endpoint ID even when the MAC address is known. I will also copy the PM team internally on this one so they are aware of the issue. If you are able to file a defect, please copy it to the post.
Craig
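Editor's added example (Python; not code from Cisco ISE, AnyConnect or any MDM vendor) of the two pieces of logic discussed in this thread: the onboarding/access policy from the 12-13-2017 08:21 AM reply (MDM onboarded, EAP-TLS with a valid cert, and MDM compliant gives full access, otherwise limited) and the lookup on an alternate endpoint ID even when the MAC is known that Craig suggests tracking as a defect. The query parameter names (`querycriteria`, `value`), the XML element names, the `Endpoint` fields and the records in `MDM_RECORDS` are all constructed assumptions for this example, not the ISE MDM API.

```python
"""Added example, not code from Cisco ISE or any MDM vendor.

ISE keys its MDM query on the endpoint MAC, but an Android 7+ work profile
hides the Wi-Fi MAC from the MDM agent, so the MDM holds no record under a MAC
that ISE learned from RADIUS/ACIDEX. The lookup below retries on the
AnyConnect UDID, then applies the access policy from the thread.

Assumptions (constructed here, not taken from the page or the ISE MDM API
spec): the querycriteria/value parameter names, the XML element names, and
the device records in MDM_RECORDS.
"""
from dataclasses import dataclass
from typing import Optional
import xml.etree.ElementTree as ET

# Constructed stand-in for the MDM vendor's device database, keyed the way the
# vendor API would be queried. The Android work-profile device is known to the
# MDM only by UDID because the agent could not read the Wi-Fi MAC.
MDM_RECORDS = {
    ("macaddress", "00:11:22:33:44:55"): {"registered": True, "compliant": True},
    ("udid", "IOS-UDID-0001"):           {"registered": True, "compliant": True},
    ("udid", "ANDROID-WP-UDID-0007"):    {"registered": True, "compliant": False},
}


def mdm_query(querycriteria: str, value: str) -> str:
    """Simulated MDM endpoint returning an ISE-style XML device list.

    A real deployment would issue an HTTPS GET to the vendor's ISE API URL
    here; the parameter names are an assumption of this example.
    """
    rec = MDM_RECORDS.get((querycriteria, value))
    if rec is None:
        return "<ise_api><deviceList/></ise_api>"
    status = "compliant" if rec["compliant"] else "noncompliant"
    return (
        "<ise_api><deviceList><device>"
        f"<{querycriteria}>{value}</{querycriteria}>"
        f"<register_status>{str(rec['registered']).lower()}</register_status>"
        f"<compliance><status>{status}</status></compliance>"
        "</device></deviceList></ise_api>"
    )


def parse_mdm_response(xml_text: str) -> list[dict]:
    """Extract registration and compliance per device; empty list if none."""
    root = ET.fromstring(xml_text)
    devices = []
    for dev in root.findall("./deviceList/device"):
        devices.append({
            "registered": (dev.findtext("register_status") or "").lower() == "true",
            "compliant": (dev.findtext("compliance/status") or "") == "compliant",
        })
    return devices


@dataclass
class Endpoint:
    mac: Optional[str]        # learned by ISE from RADIUS / ACIDEX
    udid: Optional[str]       # AnyConnect UDID from ACIDEX, if present
    eap_method: str           # e.g. "EAP-TLS" or "PEAP"
    cert_valid: bool          # EAP-TLS client cert chains to a trusted CA


def lookup_with_fallback(ep: Endpoint) -> tuple[str, Optional[dict]]:
    """Query by MAC first; if the MDM returns no device, retry with the UDID.

    Returns (criterion_used, device), or ("none", None) if nothing matched.
    "No device under this MAC" no longer means "not enrolled" once the MDM
    agent cannot see the MAC, so an empty MAC result must not end the lookup.
    """
    for criterion, value in (("macaddress", ep.mac), ("udid", ep.udid)):
        if not value:
            continue
        devices = parse_mdm_response(mdm_query(criterion, value))
        if devices:
            return criterion, devices[0]
    return "none", None


def access_decision(ep: Endpoint) -> str:
    """Policy from the thread: 'onboarding', 'full' or 'limited'."""
    _, device = lookup_with_fallback(ep)
    if device is None or not device["registered"]:
        return "onboarding"   # steer to the guest / MDM onboarding SSID
    if ep.eap_method == "EAP-TLS" and ep.cert_valid and device["compliant"]:
        return "full"
    return "limited"


if __name__ == "__main__":
    android_wp = Endpoint(mac="AA:BB:CC:DD:EE:FF", udid="ANDROID-WP-UDID-0007",
                          eap_method="EAP-TLS", cert_valid=True)
    print(lookup_with_fallback(android_wp)[0], access_decision(android_wp))
```

The Android work-profile endpoint is the interesting case: ISE knows its MAC, the MAC query comes back empty, and only the UDID retry finds the enrolment. Without the fallback that device would be sent to onboarding every time; with it, the policy still withholds full access because the MDM reports it non-compliant.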
12-18-2017 09:28 AM
Hi Craig,
It's a new implementation from Google Android 7: they now hide the MAC address. Please have a look at this post:
DevicePolicyManager.getWifiMacAddress() is already used by AirWatch to retrieve the Wi-Fi MAC address. But this function will only return a valid MAC address if the device is work managed/device owner. It doesn't work when using Work Profile (managing only a container).
From the ISE side, the only solution would be to permit configuration of the attribute we are using in the API query to the MDM (not necessarily the MAC address).
12-18-2017 10:15 AM
I would recommend getting a TAC case open and a defect attached.
12-19-2017 01:06 PM
Make sure a TAC case is attached and matched to a defect; I will forward to the PM team.
12-20-2017 05:14 AM
Hi team,
I'm looking for a BU contact to discuss with Google. With the customer we are in contact with Google and VMware, and the best way to find a solution is to organize a common Webex. Please give me the contact and I will organize the Webex.
Regards,
Christophe