07-20-2019 07:14 PM
I'm integrating the latest version of Cisco ISE with the latest version of Jamf. Where is the best documentation on how to do this integration?
Labels: Identity Services Engine (ISE)
Accepted Solutions
07-21-2019 01:12 PM
The basic configuration to integrate ISE with an MDM has not changed much. So, the old docs are mostly applicable:
- Cisco Unified Access (UA) and Bring Your Own Device (BYOD) CVD - BYOD Advanced Use Case [Design Zone for Enterprise Networks] - Cisco
- Network Integration - Casper Suite Administrator's Guide | JAMF Software
- Cisco ISE 2.3 Integration | Discussion | Jamf Nation
- ISE w/ Jamf and SCCM as MDM - Cisco Community
- Solved: Setting up ISE and JAMF MDM? - Cisco Community
Note that ISE 1.4 added support to allow multiple MDMs to be active. And, since 2.0 Patch 3 (or 1.4 Patch 8), ISE has been able to query for the MDM status of endpoints that were already registered in the MDM but previously not known to ISE, by using a condition on MDM:MDMServerName. For example, given an authorization rule like the one below:
If MDM:MDMServerName Equals jamfDEMO AND MDM:MDMServerReachable Equals Reachable AND MDM:DeviceRegisterStatus Equals Registered AND MDM:DeviceCompliantStatus Equals Compliant
then PermitMDMCompliantAccess
where jamfDEMO is an MDM instance defined in ISE.
ISE will query jamfDEMO for the status of the endpoint if this rule is processed while evaluating the endpoint.
07-20-2019 08:23 PM
Check out these videos:

07-21-2019 11:05 AM
The second video you sent explains how the integration works, in theory, but certainly isn't a walkthrough of how to set it up.
Is there any general documentation on how to integrate ISE with an MDM?
07-22-2019 09:03 AM
However, what you said below brings up another question. We are trying to create a custom solution because we have multiple MDMs (Intune and Jamf). I know ISE supports multiple MDMs, but the issue we're running into is that the profiling engine in ISE isn't great at differentiating between types of Apple devices. All the iPhones should go to Intune, all the computers should go to Jamf.
What it sounds like you're saying, however, is that if you set up this authorization rule, you could potentially have each MAC address query BOTH MDMs for compliance? If so, that would save us a LOT of custom setup.
07-22-2019 05:22 PM
What it sounds like you're saying, however, is that if you set up this authorization rule, you could potentially have each MAC address query BOTH MDMs for compliance? If so, that would save us a LOT of custom setup.
I tried that and it did not work. Only the first occurrence of the ServerName condition is used to trigger the queries. We need to find another attribute in the pre-condition to differentiate the endpoints. Potentially, endpoint profiles, endpoint logical profiles, endpoint groups, custom endpoint attributes, user groups, user attributes, etc.
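To make the point above concrete, here is a small constructed Python model (added here, not from the thread or from Cisco) of an ordered authorization policy in which each rule matches a differentiating attribute first and only then names the MDM:MDMServerName to query. The endpoint profile is used as the pre-condition (one of the options listed above, chosen as an assumption), the instance name jamfDEMO comes from the thread, and intuneDEMO and the MAC addresses are made-up sample data. The model shows that an endpoint only ever triggers a lookup against the one MDM its profile maps to, and that an endpoint whose profile matches no rule is never queried at all and falls through to the default deny, which is exactly the profiling gap the previous post describes.

```python
"""Constructed model (not Cisco ISE code) of an ISE-style authorization
policy that routes each endpoint to exactly one MDM by matching a
differentiating endpoint attribute before the MDM:MDMServerName condition."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed MDM inventories. "jamfDEMO" is the instance name used in the
# thread; "intuneDEMO" and the MAC addresses are assumed sample values.
MDM_SERVERS: Dict[str, dict] = {
    "jamfDEMO": {"reachable": True,
                 "devices": {"aa:bb:cc:00:00:01": "Compliant"}},
    "intuneDEMO": {"reachable": True,
                   "devices": {"aa:bb:cc:00:00:02": "NonCompliant"}},
}


@dataclass
class Endpoint:
    mac: str
    profile: str  # ISE endpoint profile name, e.g. "Apple-iPhone"


@dataclass
class Rule:
    name: str
    profile_prefix: str  # pre-condition evaluated before any MDM query
    mdm_server: str      # value compared against MDM:MDMServerName
    permission: str


# Ordered like an ISE authorization policy: the first matching rule wins and
# the implicit default rule denies.
RULES: List[Rule] = [
    Rule("Intune_iPhones", "Apple-iPhone", "intuneDEMO", "PermitMDMCompliantAccess"),
    Rule("Jamf_Macs", "Apple-MacBook", "jamfDEMO", "PermitMDMCompliantAccess"),
]


def query_mdm(server_name: str, mac: str) -> Dict[str, str]:
    """Simulate the lookup ISE performs for one endpoint against one named
    MDM instance, returning the three MDM attributes the thread's rule tests."""
    server = MDM_SERVERS.get(server_name)
    if server is None or not server["reachable"]:
        return {"MDMServerReachable": "UnReachable",
                "DeviceRegisterStatus": "UnRegistered",
                "DeviceCompliantStatus": "NonCompliant"}
    compliance = server["devices"].get(mac)
    return {"MDMServerReachable": "Reachable",
            "DeviceRegisterStatus": "Registered" if compliance else "UnRegistered",
            "DeviceCompliantStatus": compliance or "NonCompliant"}


def authorize(endpoint: Endpoint, rules: List[Rule] = RULES) -> Tuple[str, List[str]]:
    """Evaluate the rules in order and return (result, list of MDMs queried).

    A rule whose profile pre-condition fails never reaches its MDM condition,
    so each endpoint is looked up in at most the one MDM its profile maps to.
    """
    queried: List[str] = []
    for rule in rules:
        if not endpoint.profile.startswith(rule.profile_prefix):
            continue
        status = query_mdm(rule.mdm_server, endpoint.mac)
        queried.append(rule.mdm_server)
        if (status["MDMServerReachable"] == "Reachable"
                and status["DeviceRegisterStatus"] == "Registered"
                and status["DeviceCompliantStatus"] == "Compliant"):
            return rule.permission, queried
    return "DenyAccess", queried  # implicit default rule


if __name__ == "__main__":
    for ep in (Endpoint("aa:bb:cc:00:00:01", "Apple-MacBook"),
               Endpoint("aa:bb:cc:00:00:02", "Apple-iPhone"),
               Endpoint("aa:bb:cc:00:00:03", "Apple-Device")):
        print(ep.profile, ep.mac, "->", authorize(ep))
```

Running the block shows the Mac being permitted after a single jamfDEMO lookup, the iPhone being denied after a single intuneDEMO lookup, and the generically profiled "Apple-Device" being denied without any MDM being consulted, so the quality of the differentiating attribute decides whether an endpoint reaches the right MDM at all.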
04-29-2021 09:00 AM
In the above solution, where you are building the AND conditions to include the MDM:MDMServerName field, does that force the rest of them to use that particular MDM? I'm trying to figure out how to use multiple MDMs, since the conditions don't let you specify which one to use.
