Beginner

Cisco ISE Posture and OS Selections

Hi, we are in the process of deploying Posture Assessment across the business but would like to target only a particular flavor of Windows 10 Operating System, i.e., Enterprise, instead of ALL Win 10 versions. This granular selection of the OS is required because we have hundreds of thin clients running Windows 10 Embedded, so we'd prefer they do not participate in posture assessment. Cisco ISE Version 2.6.0.156, Patch 3.

Question: Can the Client Provisioning Policy rules around Operating Systems be modified to include more granular versions of an OS type, i.e., Windows 10 Professional, Windows 10 Enterprise, etc.? These options are available when creating a Posture Policy, just not when creating a Client Provisioning Policy. Thanks in advance.

1 ACCEPTED SOLUTION

VIP Engager

AFAIK for the CPP rules you cannot include more granular OS under the 'If' column. However, you have the ability to rely on 'other conditions' to ensure that you only steer the clients you wish to be subject to ISE posturing. Some examples include: rely on different AD security groups; tunnel group name identifiers from VPN profiles; along with many others. You can create conditions as well. My suggestion would be to identify which specific conditions you can utilize to keep Win10 Enterprise separate from the rest of the bunch. Good luck & HTH!

2 REPLIES 2
Thanks for the quick response. Was hoping to avoid using AD security group but it may be the only option available. Thanks again.