07-21-2023 05:49 AM
Ciao,
starting from this document: https://www.cisco.com/c/en/us/support/docs/field-notices/724/fn72427.html I understand that integrating Microsoft Intune for posture validation via VPN is not a long-term solution:
For VPN-based endpoints, rely solely on the MAC address as the unique identifier with the MDM. This might not be possible with later versions of some operating systems which prevent access by applications to the MAC address. When this is not possible, until a holistic solution is available that replaces the use of a UDID for integration with Intune, customers might choose to use ISE posture in order to check for security compliance as an alternative to verification against Intune. Refer to the ISE Posture Prescriptive Deployment Guide for further information.
So the question is: using an ISE posture policy, how can I test/check that the PC is an Intune-enrolled client? Any regkey? Or something else?
Thanks
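For reference, an added example (not from this thread or from Cisco) of the kind of local check an endpoint-side posture condition could replicate: it looks for an MDM enrollment under the Windows Enrollments registry hive and for an MDM URL in dsregcmd output. The registry path and value names (ProviderID, DiscoveryServiceFullURL) are assumptions about Windows MDM client internals to verify on your own build, not something the thread confirms.

```powershell
# Added example: report whether this Windows PC appears to be MDM (Intune) enrolled.
# Assumption: Windows records MDM enrollments under HKLM\SOFTWARE\Microsoft\Enrollments\<GUID>,
# with ProviderID "MS DM Server" and a DiscoveryServiceFullURL pointing at Intune.
function Test-IntuneEnrollment {
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    $hits = Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p.ProviderID -eq 'MS DM Server' -and
            $p.DiscoveryServiceFullURL -like '*manage.microsoft.com*') {
            [pscustomobject]@{ EnrollmentId = $_.PSChildName; Url = $p.DiscoveryServiceFullURL }
        }
    }

    # Second signal: dsregcmd /status prints an "MdmUrl" line on MDM-managed devices.
    $dsreg = (& dsregcmd /status) 2>$null
    $mdmUrl = ($dsreg | Select-String -Pattern '^\s*MdmUrl\s*:\s*(\S+)' |
               ForEach-Object { $_.Matches[0].Groups[1].Value } | Select-Object -First 1)

    [pscustomobject]@{
        RegistryEnrollment = [bool]$hits
        EnrollmentIds      = @($hits | ForEach-Object EnrollmentId)
        DsregMdmUrl        = $mdmUrl
        LikelyEnrolled     = ([bool]$hits -or [bool]$mdmUrl)
    }
}

Test-IntuneEnrollment
```

Treat a local check like this as a hint only; as the replies below note, the MDM compliance status ISE obtains directly from Intune is the stronger signal, since a registry key can be present on a device that is no longer compliant.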
07-21-2023 06:01 AM - edited 07-21-2023 06:03 AM
@ipagliani you don't necessarily need to use ISE posture, you can just integrate ISE and Intune, then use the MDM dictionary attributes such as DeviceCompliantStatus (compliant|noncompliant) or DeviceRegisterStatus (true|false) in an Authorisation rule.
07-21-2023 06:37 AM
Ciao,
Rob Ingram, thanks for the reply. How does ISE associate the client with DeviceCompliantStatus (compliant|noncompliant) or DeviceRegisterStatus (true|false) for this query?
Assuming the MAC address will not be supported much longer and GUID is not supported yet.
Thanks
07-21-2023 06:50 AM
@ipagliani when ISE is integrated with Intune (as per the guides below), ISE will query Intune for the endpoint to determine whether it's registered, its compliance status, etc.
The MDM status would be more secure and I wouldn't rely on the MAC address.