ISE 2.2-SCCM with large SCCM infrastructure

clandrai (Cisco Employee)

Dear community,

Seeking to implement a simplified posture check with SCCM in a multi-level SCCM infrastructure, I would like to hear about any experience in a similar context:

* Multi-level SCCM, ISE interfacing with CAS (root SCCM server)

* Multiple configuration baseline policies, but only seeking to achieve compliance for a limited set of criteria (i.e. antivirus signature updates and OS patch updates)

Initial tests are showing concerns with:

1. issues setting up SCCM policies that give a proper compliance result to ISE: other baselines that are not considered for compliance are leading to non-compliance

2. issues with the endpoint data propagation delay from the dedicated SCCM server to the CAS: ISE may get outdated values from the CAS.

3. To address point 2 we considered interfacing ISE with multiple SCCM nodes instead of just the CAS, hoping to be able to query attributes from a specific SCCM server (based on endpoint location or group, for instance), but it seems there is no way to select a specific external MDM server in authorization rules.

I would be interested in:

Any other projects with similar challenges - can you share?

Any guidelines regarding how SCCM must be configured for successful integration with ISE?

How does ISE work with multiple external MDM servers - either multiple SCCM, or mixed-vendor MDM environment?

Thanks in advance.

BR

Christophe

Accepted Solution

Craig Hyps (Level 10)

Need to clarify whether you are configuring SCCM as a Patch Management server under Posture or as a DM (under MDM).

For Posture integration, see the Cisco ISE and SCCM integration Reference Guide.

For DM integration, the connection uses WMI calls to SCCM to determine registration and compliance, but there is no agent-guided remediation as you would have with AC/ISE Posture. Each unique SCCM host defined in ISE will be treated as a separate DM, and you need to be able to assign hosts to specific DMs. This will get a bit tricky if you need to reference multiple DMs in ISE authZ policy. Not sure if you are able to use an LB to put any SCCM behind a single IP. We have one customer with multiple SCCM servers, but their cluster service treats them as one entity, so ISE points to a single IP.

With multiple DMs/MDMs configured, you need the ability to segregate clients by some other attribute, say "All Mac OS clients go to JAMF, while all Windows clients go to SCCM and all mobile clients go to MDM vendor X".

/Craig

Hi Craig,

It is the DM integration indeed. When we tested the configuration of two SCCM servers (part of the same SCCM infrastructure), we still only get a single namespace "MDM:<attrName>" in the authorization rules editor, while I was expecting to get something like "SCCM1:<attrName>" or "SCCM2:<attrName>" in order to decide which server is queried.

This was on ISE 2.2 patch 3. Without a way to point to a specific server we are stuck.

Any pointer to troubleshoot this is welcome - we have a lab in which we can try different things.

Our first approach was also to point to a single IP (of the SCCM root server), but there is a concern with the delay in propagating information from leaf SCCM servers to the root; apparently it can take a while.

Thanks for your support.

-Chris

If you need to reference different SCCM servers, then you need to define them as unique DMs. This is my point: doing so requires a way to segregate machines to specific servers, as each machine will be affiliated with only one.
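Two of the concerns in this thread can be measured rather than guessed at: whether the CAS record ISE queries lags behind the primary site that actually manages the client (point 2), and which of the deployed baselines is the one dragging the endpoint to non-compliant (point 1). The script below is an added example written for this page, not code from the thread or from Cisco; it uses the SMS Provider's SMS_R_System discovery record on the site servers and the client-side SMS_DesiredConfiguration class. The host names, site codes and the numeric meaning of LastComplianceStatus (1 = compliant, 2 = non-compliant, as commonly documented in community scripts) are assumptions; check them against your own environment.

```powershell
# Added example (not from the thread). Compare what the CAS and a primary site
# report for one endpoint, then list that endpoint's baseline results.
# ASSUMPTIONS: server names and site codes below are placeholders; the caller
# has read access to root\SMS\site_<code> on both servers and to root\ccm\dcm
# on the endpoint (WinRM/CIM enabled).
param(
    [Parameter(Mandatory)] [string] $EndpointName,
    [string] $CasServer       = 'cas01.example.local',   # assumed
    [string] $CasSiteCode     = 'CAS',                   # assumed
    [string] $PrimaryServer   = 'pri01.example.local',   # assumed
    [string] $PrimarySiteCode = 'PR1'                    # assumed
)

function Get-SccmSystemRecord {
    param([string] $Server, [string] $SiteCode, [string] $Name)
    # SMS_R_System is the SMS Provider's discovery record for a device.
    # Escape single quotes so a hostile device name cannot alter the WQL filter.
    $safeName = $Name -replace "'", "''"
    $ns = "root\SMS\site_$SiteCode"
    Get-CimInstance -ComputerName $Server -Namespace $ns -ClassName SMS_R_System `
        -Filter "Name = '$safeName'" -ErrorAction Stop |
        Select-Object Name, ResourceId, Client, ClientVersion, Active, LastLogonTimestamp
}

function Get-ClientBaselineStatus {
    param([string] $Computer)
    # root\ccm\dcm\SMS_DesiredConfiguration holds the client's own evaluation
    # of every baseline deployed to it. Status code meaning is an assumption
    # (1 = compliant, 2 = non-compliant); other values are reported raw.
    Get-CimInstance -ComputerName $Computer -Namespace 'root\ccm\dcm' `
        -ClassName SMS_DesiredConfiguration -ErrorAction Stop |
        ForEach-Object {
            $label = switch ($_.LastComplianceStatus) {
                1 { 'Compliant' } 2 { 'NonCompliant' } default { "Code$($_.LastComplianceStatus)" }
            }
            [pscustomobject]@{
                Baseline = $_.DisplayName
                Status   = $label
                LastEval = $_.LastEvalTime
            }
        }
}

# --- Point 2: does the CAS copy match the primary site copy? ---
$fromPri = Get-SccmSystemRecord -Server $PrimaryServer -SiteCode $PrimarySiteCode -Name $EndpointName
$fromCas = Get-SccmSystemRecord -Server $CasServer     -SiteCode $CasSiteCode     -Name $EndpointName

if (-not $fromPri) { throw "$EndpointName not found on primary site $PrimarySiteCode" }
if (-not $fromCas) {
    Write-Warning "$EndpointName exists on $PrimarySiteCode but has not replicated to the CAS yet"
} else {
    foreach ($prop in 'Client','ClientVersion','Active','LastLogonTimestamp') {
        $a = $fromPri.$prop; $b = $fromCas.$prop
        $state = if ("$a" -eq "$b") { 'same' } else { 'DIFFERS' }
        '{0,-20} primary={1,-22} cas={2,-22} {3}' -f $prop, $a, $b, $state
    }
}

# --- Point 1: which baseline is making the endpoint non-compliant? ---
# Every baseline deployed to the client counts; anything you do not intend to
# gate network access on should not be deployed to the collection ISE evaluates.
Get-ClientBaselineStatus -Computer $EndpointName |
    Sort-Object Status | Format-Table -AutoSize
```

Run it as a user with SMS Provider rights, e.g. `.\Compare-SccmRecord.ps1 -EndpointName PC0042`. Any field printed as DIFFERS is a value ISE would read stale from the CAS; the second table shows each baseline's own verdict, so a non-compliant row for a baseline you never meant to enforce confirms the scoping problem rather than a real patch or AV gap. Note that SMS_R_System is only the discovery record; baseline compliance results replicate to the CAS separately, so repeat the comparison against the compliance data your SCCM version exposes before concluding the CAS is current.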