4690 Views | 0 Helpful | 7 Replies

Cisco ISE JamF MDM Integration

pcno
Level 1

Hello Professionals,

Please provide me a good document or video URL that explains all the configuration needed to integrate ISE with JAMF as an MDM server.

I want ISE to check with JAMF for device compliance before it gets access to company Wireless network.


Thanks
Priyesh

1 Accepted Solution


poongarg
Cisco Employee

Kindly check the attached PDF: JAMF integration with ISE as MDM


7 Replies

Anurag Sharma
Cisco Employee

Hi @pcno ,

This has been asked before. Please refer to the following post:

https://community.cisco.com/t5/network-access-control/cisco-ise-and-jamf-integration/td-p/3894278 

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

Hello Anurag,

I have already gone through the link you shared, and I am unable to find a single document that explains the step-by-step configuration of ISE with Jamf as an external MDM.

The URL only talks about enrollment and some other troubleshooting discussion.

Please provide me a document link that explains the MDM setup for ISE with Jamf.

Thanks

poongarg
Cisco Employee

Kindly check the attached PDF: JAMF integration with ISE as MDM

Thank you very much Poongarg. Can you please tell me how I should configure the Authentication policy? Since all users are from JAMF, they cannot be validated against our Active Directory.

So should I set the Authentication policy options to Continue x3 (if auth fails / user not found), or is there another way I can configure it?

Thanks
Priyesh

Using the 'If user not found = Continue' option in the AuthC Policy is mainly used to allow endpoints using MAB to 'fall through' to the AuthZ Policy to leverage Profiling condition matches.

With JAMF-managed MacBooks, you would ideally be enrolling them with a user certificate and deploying an 802.1x EAP-TLS supplicant profile as part of the JAMF enrollment. Your AuthC Policy would use either a Certificate Authentication Profile or an Identity Source Sequence with or without identity checks against an external ID store like AD/LDAP (depending on your particular requirements and environment).

Hi Greg,

I am using a certificate profile in the Authentication policy: if the protocol is EAP-TLS, then check the common name against AD. But our Jamf is not integrated with AD, so what would be the best policy to go with?

I can bypass this in two ways. In the preloaded cert profile I can select the identity store as none, but then there is no authentication check happening.

I can also bypass it by setting 'if user not found: continue', but here also authentication is not working.

So how can I do authentication in a cert policy where local AD is not integrated with JAMF?

Please reply.

I've used the following approach for a customer that was using a 'shared' certificate on all of their MacBooks for which the subject identity was not present in AD:

  • Create a new Cert Auth Profile that is configured for Identity Store of [not applicable]
  • Create an AuthC Policy rule that matches on the Issuer Name in the certificate

Example:

[Screenshot attachment: Screen Shot 2020-06-10 at 4.06.26 pm.png]
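The two replies above (the AuthC/AuthZ design with EAP-TLS and MDM compliance, and the Issuer Name rule with a [not applicable] identity store) can be compared side by side with a small decision model. The following is an added example written for this thread, not Cisco ISE or JAMF code and not the behaviour of any real ISE build: it is a toy model of the three AuthC choices the OP is weighing, followed by an AuthZ step that keys on MDM compliance. The CA names, MAC addresses, AD user list and compliance table are all constructed placeholders.

```python
"""Toy model of the ISE AuthC/AuthZ decision discussed in this thread.

Added example, not Cisco ISE or JAMF code. It compares three ways of
handling EAP-TLS MacBooks whose certificate subject is not in AD:

  1. cap_cn_against_ad         - CAP that looks the CN up in AD (user not found -> Reject)
  2. cap_cn_continue           - same CAP with 'If user not found = Continue'
  3. cap_not_applicable_issuer - CAP with Identity Store [not applicable] and an
                                 AuthC rule matching on the certificate Issuer Name

All names, CA strings, MACs and the compliance table are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed data standing in for the ISE trust store, AD and the MDM lookup.
JAMF_DEVICE_CA = "CN=Example JAMF Device CA, O=Example Corp"   # placeholder issuer
TRUSTED_CAS = {JAMF_DEVICE_CA}
AD_USERS = {"alice", "bob"}                                    # constructed AD
MDM_COMPLIANT = {"aa:bb:cc:00:00:01": True, "aa:bb:cc:00:00:02": False}


@dataclass
class AuthRequest:
    protocol: str                   # "EAP-TLS" or "MAB"
    mac: str
    issuer: Optional[str] = None    # Issuer Name from the client certificate
    subject_cn: Optional[str] = None


def cert_is_valid(req: AuthRequest) -> bool:
    """Chain validation against the trust store, done before any CAP lookup."""
    return req.protocol == "EAP-TLS" and req.issuer in TRUSTED_CAS


def cap_cn_against_ad(req: AuthRequest) -> str:
    """Option 1 (what the OP has today): CAP with AD as identity store."""
    if not cert_is_valid(req):
        return "REJECT"
    return "CONTINUE" if req.subject_cn in AD_USERS else "REJECT"


def cap_cn_continue(req: AuthRequest) -> str:
    """Option 2: same CAP with 'If user not found = Continue'. The option is
    meant for MAB, so an unknown MAC also falls through to AuthZ/profiling."""
    if req.protocol == "MAB":
        return "CONTINUE"
    if not cert_is_valid(req):
        return "REJECT"
    return "CONTINUE"               # CN found or not, the result is the same


def cap_not_applicable_issuer(req: AuthRequest) -> str:
    """Option 3: rule 'EAP-TLS AND Issuer Name == JAMF device CA' using a CAP
    whose identity store is [not applicable]; no AD lookup is performed."""
    if not cert_is_valid(req):
        return "REJECT"
    return "CONTINUE" if req.issuer == JAMF_DEVICE_CA else "REJECT"


def authz(req: AuthRequest) -> str:
    """AuthZ for the OP's goal: wireless access only if the MDM reports the
    endpoint compliant. Identity came from the certificate, so the decision
    keys on the endpoint rather than on an AD user."""
    return "PERMIT_WIRELESS" if MDM_COMPLIANT.get(req.mac) else "DENY"


def evaluate(policy, req: AuthRequest) -> str:
    """Full flow: AuthC policy first, then AuthZ on a CONTINUE."""
    return authz(req) if policy(req) == "CONTINUE" else "REJECT"


# Constructed endpoints: a compliant JAMF Mac, a non-compliant one, a Mac
# presenting a certificate from an unknown CA, and a MAB-only printer.
COMPLIANT_MAC = AuthRequest("EAP-TLS", "aa:bb:cc:00:00:01", JAMF_DEVICE_CA, "mac-0001")
NONCOMPLIANT_MAC = AuthRequest("EAP-TLS", "aa:bb:cc:00:00:02", JAMF_DEVICE_CA, "mac-0002")
ROGUE_CERT = AuthRequest("EAP-TLS", "aa:bb:cc:00:00:03", "CN=Some Other CA", "mac-0003")
PRINTER = AuthRequest("MAB", "aa:bb:cc:00:00:04")

if __name__ == "__main__":
    for name, policy in [("CN vs AD", cap_cn_against_ad),
                         ("CN continue", cap_cn_continue),
                         ("issuer match", cap_not_applicable_issuer)]:
        for req in (COMPLIANT_MAC, NONCOMPLIANT_MAC, ROGUE_CERT, PRINTER):
            print(f"{name:13} {req.protocol:7} {req.mac}: {evaluate(policy, req)}")
```

Running it shows the difference the thread is circling around: option 1 rejects every JAMF Mac because the certificate CN is never found in AD; option 2 lets those Macs through, but it also continues for anything it cannot identify, which is why it is usually reserved for MAB; option 3 continues only for certificates issued by the JAMF device CA and leaves the per-endpoint decision (MDM compliance) to AuthZ, where the compliant Mac is permitted and the non-compliant one is denied. In a real AuthC policy a second rule would handle certificates from any other trusted CA.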