03-14-2025 08:16 PM
I recently integrated Microsoft Intune with Cisco ISE 3.4 to check for device registration status and device compliance state. I am noticing some false results between the two integrations. For example, ISE shows a device registration as false when in actual fact the device is enrolled in Intune, or a system that is not enrolled in Intune matches an authorization policy checking ONLY device registration status. The results are inconsistent and are becoming unreliable. This is going to be a big deal, because if it profiles a device wrongly, the connection will be given the wrong policy. Has anyone faced this, or is this a well-known issue?
What is your experience with Intune integration with Cisco ISE?
03-15-2025 05:30 AM
Probably the ISE API, when sending the query to Intune, is not able to find the device. This issue mainly happens when you use the MAC address as the identifier. What is the Device Identifier you have enabled in the External MDM configuration for Intune? The recommended way is to use the SAN GUID. To use the SAN GUID as the device identifier you must have the GUID printed in the SAN field of the endpoint certificates.
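The lookup behaviour described in the reply above, as an added example that is not part of the original thread and not Cisco or Microsoft code: it simulates what ISE does when it asks Intune about an endpoint, once by MAC address and once by GUID, and maps the answer to the two attributes an authorization rule consumes. The device records are constructed to resemble Microsoft Graph `managedDevice` objects (`azureADDeviceId`, `wiFiMacAddress`, `complianceState`); those field names, and the choice of the Entra device ID as the GUID carried in the certificate SAN, are assumptions, and no network call is made.

```python
"""Simulated ISE-to-Intune device lookup: MAC versus GUID identifier."""
import re
from typing import List, Optional

# Constructed sample of what a Graph /deviceManagement/managedDevices query
# might return (field names assumed from the Graph managedDevice schema).
# LAPTOP-02 has no Wi-Fi MAC recorded, e.g. enrolled over Ethernet or with a
# randomized MAC: that is the device a MAC-based lookup can never find.
MANAGED_DEVICES: List[dict] = [
    {"id": "11111111-aaaa-4bbb-8ccc-000000000001",
     "azureADDeviceId": "8f3c2d1e-1111-4a2b-9c3d-0000000000a1",
     "deviceName": "LAPTOP-01",
     "wiFiMacAddress": "A1B2C3D4E5F6",
     "complianceState": "compliant"},
    {"id": "11111111-aaaa-4bbb-8ccc-000000000002",
     "azureADDeviceId": "8f3c2d1e-2222-4a2b-9c3d-0000000000a2",
     "deviceName": "LAPTOP-02",
     "wiFiMacAddress": "",
     "complianceState": "noncompliant"},
]


def normalize_mac(mac: str) -> str:
    """Strip separators and upper-case so 'a1:b2:c3:d4:e5:f6', 'a1-b2-c3-d4-e5-f6'
    and 'A1B2C3D4E5F6' compare equal. Rejects anything that is not 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def find_by_mac(devices: List[dict], mac: str) -> Optional[dict]:
    """Legacy MAC identifier: only matches if Intune recorded that exact MAC."""
    wanted = normalize_mac(mac)
    for d in devices:
        stored = d.get("wiFiMacAddress") or ""
        if stored and normalize_mac(stored) == wanted:
            return d
    return None


def find_by_guid(devices: List[dict], guid: str) -> Optional[dict]:
    """SAN GUID identifier: match the GUID ISE read from the client certificate
    against the device ID Intune holds (assumed to be azureADDeviceId)."""
    wanted = guid.strip().lower()
    for d in devices:
        if d.get("azureADDeviceId", "").lower() == wanted:
            return d
    return None


def mdm_status(device: Optional[dict]) -> dict:
    """Map a lookup result to the attributes an authorization rule consumes.
    A miss is reported as not registered (fail closed), never as an unknown
    that a 'registered only' rule could accidentally match."""
    if device is None:
        return {"found": False, "registered": False, "compliant": False}
    return {
        "found": True,
        "registered": True,
        "compliant": device.get("complianceState") == "compliant",
    }


def authorize(status: dict, require_compliance: bool) -> str:
    """Toy policy: 'registered only' rules ignore compliance; stricter rules
    quarantine a registered but non-compliant device."""
    if not status["registered"]:
        return "DenyAccess"
    if require_compliance and not status["compliant"]:
        return "Quarantine"
    return "PermitAccess"


if __name__ == "__main__":
    # Same fleet, two identifier strategies: LAPTOP-02 is invisible by MAC
    # but found by GUID.
    print(mdm_status(find_by_mac(MANAGED_DEVICES, "a1:b2:c3:d4:e5:f6")))
    print(mdm_status(find_by_mac(MANAGED_DEVICES, "00:11:22:33:44:55")))
    print(mdm_status(find_by_guid(MANAGED_DEVICES,
                                  "8F3C2D1E-2222-4A2B-9C3D-0000000000A2")))
```

The point of `mdm_status` is the fail-closed mapping: when Intune cannot find the device, the endpoint must come back as not registered, so a rule that checks registration only can never match it. The MAC path also shows why the legacy identifier is fragile: a device that Intune knows under a different or empty MAC is simply a miss.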
03-15-2025 05:02 PM
Thanks @PSM for the response. First off, I am not doing certificate authentication, so there are no endpoint certificates. I enabled the legacy MAC address. But if the ISE API query to Intune could not find a device, shouldn't it report that the device is not registered? Why report that a device is registered because it could not find the device? Is there anything that could cause this inaccurate query result? Because this is going to have a significant impact on the authorization profiles it assigns to authentication attempts.
03-15-2025 08:26 PM
I did further troubleshooting and added more API permissions in the app registration. Now I can see the MDM report showing the right status after granting more API permissions. However, despite that, the device was still granted the wrong authorization policy. See the screenshots below. This device should fail the authorization condition. Could this be a case of caching or of using an existing session? I really want to understand what the issue is... that device should not be hitting that policy.
03-16-2025 10:11 AM
@anu-fatokun Yes, there is a cache in ISE. You can check the endpoint attribute status in Context Visibility > Endpoints > Attributes > Other Attributes. There you should see multiple attributes related to MDM. You can verify whether the endpoint has the expected attribute values. If not, try to delete the endpoint from Context Visibility and test again.
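The check-and-clear procedure in the reply above, done over the ISE ERS API rather than by hand in Context Visibility, as an added example that is not part of the original thread and not Cisco code. It uses the ERS endpoint resource (`GET /ers/config/endpoint/name/{mac}` and `DELETE /ers/config/endpoint/{id}`) and reads the `mdmAttributes` object on the endpoint; the sample response is constructed to mirror that shape, and the exact attribute names (`mdmEnrolled`, `mdmCompliant`, `mdmReachable`, `mdmServerName`) are an assumption about the ERS schema. The ISE host, the ERS credentials and the "what Intune currently says" values are placeholders; nothing is sent on the wire unless you call `urllib.request.urlopen` on the built requests yourself.

```python
"""Compare the MDM attributes ISE has cached for an endpoint against what Intune
currently reports, and build the ERS delete request for a stale endpoint."""
import base64
import json
import urllib.request
from typing import Dict, List, Tuple

# Constructed sample of an ERS endpoint response with stale MDM attributes:
# ISE still believes this MAC is enrolled and compliant. Field names assumed.
SAMPLE_ERS_RESPONSE = json.dumps({
    "ERSEndPoint": {
        "id": "c0a8f1e2-0000-11ef-8000-000000000001",
        "name": "A1:B2:C3:D4:E5:F6",
        "mac": "A1:B2:C3:D4:E5:F6",
        "mdmAttributes": {
            "mdmServerName": "Intune",
            "mdmReachable": True,
            "mdmEnrolled": True,
            "mdmCompliant": True,
        },
    }
})

# What the Intune side actually says for the same device (constructed: the
# device is not enrolled at all, so both flags should be False).
INTUNE_NOW = {"mdmEnrolled": False, "mdmCompliant": False}


def ers_headers(user: str, password: str) -> Dict[str, str]:
    """ERS uses HTTP Basic auth with an ERS-admin account and JSON bodies."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}",
            "Accept": "application/json",
            "Content-Type": "application/json"}


def endpoint_get_request(base_url: str, mac: str,
                         user: str, password: str) -> urllib.request.Request:
    """Request for the endpoint record looked up by its MAC (the ERS 'name')."""
    return urllib.request.Request(f"{base_url}/ers/config/endpoint/name/{mac}",
                                  headers=ers_headers(user, password),
                                  method="GET")


def endpoint_delete_request(base_url: str, endpoint_id: str,
                            user: str, password: str) -> urllib.request.Request:
    """Request that removes the endpoint, which is what forces ISE to query
    Intune afresh on the next authentication instead of using cached values."""
    return urllib.request.Request(f"{base_url}/ers/config/endpoint/{endpoint_id}",
                                  headers=ers_headers(user, password),
                                  method="DELETE")


def parse_mdm_attributes(body: str) -> Tuple[str, Dict[str, object]]:
    """Return (endpoint id, cached MDM attributes) from an ERS endpoint body.
    An endpoint that was never MDM-queried may have no mdmAttributes at all."""
    ep = json.loads(body)["ERSEndPoint"]
    return ep["id"], dict(ep.get("mdmAttributes") or {})


def stale_attributes(cached: Dict[str, object],
                     expected: Dict[str, object]) -> List[str]:
    """Names of attributes whose cached value disagrees with the MDM itself."""
    return [k for k, v in expected.items() if cached.get(k) != v]


if __name__ == "__main__":
    base = "https://ise.example.com:9060"   # placeholder ISE PAN, ERS port
    creds = ("ers-admin", "placeholder")    # placeholder ERS credentials
    ep_id, cached = parse_mdm_attributes(SAMPLE_ERS_RESPONSE)
    stale = stale_attributes(cached, INTUNE_NOW)
    print("cached:", cached)
    print("stale :", stale)
    if stale:
        req = endpoint_delete_request(base, ep_id, *creds)
        print("would send", req.get_method(), req.full_url)
        # urllib.request.urlopen(req)  # uncomment to actually clear the endpoint
```

After the delete, the next authentication from that MAC creates a fresh endpoint and triggers a new Intune query, so re-test the session itself (reauthenticate or issue a CoA) rather than reading the old live-log entry, which reflects the attributes that were cached at the time of the original authorization.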