07-20-2019 07:14 PM
I'm integrating the latest version of Cisco ISE with the latest version of Jamf. Where is the best documentation on how to do this integration?
07-21-2019 01:12 PM
The basic configuration to integrate ISE with an MDM has not changed much, so the old docs are mostly applicable:
Note that ISE 1.4 added support to allow multiple MDMs to be active. And, since 2.0 Patch 3 (or 1.4 Patch 8), ISE has been able to query for the MDM status of endpoints that are already registered in the MDM but previously not known to ISE, by using a condition on MDM:MDMServerName. For example, given an authorization rule like the one below:
If MDM:MDMServerName Equals jamfDEMO AND MDM:MDMServerReachable Equals Reachable AND MDM:DeviceRegisterStatus Equals Registered AND MDM:DeviceCompliantStatus Equals Compliant
then PermitMDMCompliantAccess
where jamfDEMO is an MDM instance defined in ISE.
ISE will query jamfDEMO for the status of the endpoint if this rule is processed while evaluating the endpoint.
07-20-2019 08:23 PM
Check out these videos:
07-21-2019 11:05 AM
07-22-2019 09:03 AM
07-22-2019 05:22 PM
What it sounds like you're saying, however, is that if you set up this authorization rule, you could potentially have each MAC address query BOTH MDMs for compliance? If so, that would save us a LOT of custom setup.
I tried that and it did not work. Only the first occurrence of the ServerName conditions is used to trigger the queries. We need to find another attribute in the pre-condition to differentiate the endpoints. Potentially, endpoint profiles, endpoint logical profiles, endpoint groups, custom endpoint attributes, user groups, user attributes, etc.
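The reply above says a single rule only triggers a query to the first MDM named in its conditions, so endpoints have to be steered to the right MDM by some other pre-condition. The following is an added illustration (not ISE code, not its API, and not from anyone in this thread) that models a first-match authorization policy in which an endpoint-group pre-condition decides which MDM instance is queried. The MDM names, MAC addresses, endpoint groups and MDM answers are all constructed sample data.

```python
# Added example: a toy first-match authorization policy evaluator that models the
# ISE behaviour discussed in the thread. Illustrative only; not ISE's implementation.
from dataclasses import dataclass
from typing import Optional

# Constructed MDM inventories: what each MDM instance would answer when queried.
# Keys are sample endpoint MAC addresses.
MDM_INVENTORY = {
    "jamfDEMO": {
        "AA:BB:CC:00:00:01": {"DeviceRegisterStatus": "Registered",
                              "DeviceCompliantStatus": "Compliant"},
    },
    "intuneDEMO": {
        "AA:BB:CC:00:00:02": {"DeviceRegisterStatus": "Registered",
                              "DeviceCompliantStatus": "NonCompliant"},
    },
}
MDM_REACHABLE = {"jamfDEMO": True, "intuneDEMO": True}


def query_mdm(server_name, mac):
    """Simulated MDM lookup, standing in for the query ISE makes when a rule
    with an MDM:MDMServerName condition is evaluated for an endpoint."""
    if not MDM_REACHABLE.get(server_name, False):
        return {"MDMServerReachable": "UnReachable",
                "DeviceRegisterStatus": "NotRegistered",
                "DeviceCompliantStatus": "NonCompliant"}
    attrs = {"MDMServerReachable": "Reachable",
             "DeviceRegisterStatus": "NotRegistered",
             "DeviceCompliantStatus": "NonCompliant"}
    record = MDM_INVENTORY.get(server_name, {}).get(mac)
    if record:
        attrs.update(record)
    return attrs


@dataclass
class Rule:
    name: str
    mdm_server: str                 # value of the MDM:MDMServerName condition
    endpoint_group: Optional[str]   # pre-condition that differentiates endpoints
    result: str


# Ordered rules (hypothetical names): the endpoint-group pre-condition chooses the
# MDM, because one rule cannot query two MDMs.
RULES = [
    Rule("Jamf compliant", "jamfDEMO", "Macs", "PermitMDMCompliantAccess"),
    Rule("Intune compliant", "intuneDEMO", "Windows", "PermitMDMCompliantAccess"),
]
DEFAULT_RESULT = "DenyAccess"


def authorize(mac, endpoint_group):
    """First-match evaluation. Returns (matched rule, result, MDMs queried)."""
    queried = []
    for rule in RULES:
        if rule.endpoint_group and rule.endpoint_group != endpoint_group:
            continue  # pre-condition fails, so this rule's MDM is never queried
        queried.append(rule.mdm_server)
        a = query_mdm(rule.mdm_server, mac)
        if (a["MDMServerReachable"] == "Reachable"
                and a["DeviceRegisterStatus"] == "Registered"
                and a["DeviceCompliantStatus"] == "Compliant"):
            return rule.name, rule.result, queried
    return "default", DEFAULT_RESULT, queried


if __name__ == "__main__":
    print(authorize("AA:BB:CC:00:00:01", "Macs"))      # Jamf-managed, compliant
    print(authorize("AA:BB:CC:00:00:02", "Windows"))   # Intune-managed, non-compliant
    print(authorize("AA:BB:CC:00:00:02", "Macs"))      # wrong group: only Jamf is asked
```

The third call is the case to watch: an endpoint that is registered in one MDM but classified into the other group is only looked up in the MDM its group maps to, so the pre-condition must be reliable (an endpoint profile or group that actually tracks which MDM manages the device) or the endpoint lands in the default rule.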
04-29-2021 09:00 AM
In the above solution, where you are building the AND conditions to include the MDM:MDMServerName field, does that force the rest of them to use that particular MDM? I'm trying to figure out how to use multiple MDMs, since the conditions don't let you specify which one to use.