06-06-2017 03:25 PM
So, get an odd issue with 2 MDMs.
We have MobileIron for Android etc, and JAMF for iPhone/Mac etc. Now, JAMF is new, so right now iPhones are in MobileIron, and JAMF.
I do rules based off Logical profiles to decide what MDM to check with.
The issue I have is since an iPhone is in 2 logical groups, it should check with both MDMs, but seems to lock onto one MDM and not check the second.
So, 1 phone is removed from MobileIron and enrolled in JAMF. When it connects, it checks MobileIron, fails, and goes to the deny. It never checks JAMF. If I delete the endpoint, it will probably then start hitting JAMF, but usually within a day, will lock onto MobileIron and start denying again.
Any idea as to what I may be doing wrong? Or does ISE just not like 2 MDMs?
06-06-2017 06:34 PM
Try to add MDM:MDMServerName condition to the rules to specify the MDM you're trying to query.
06-07-2017 03:27 PM
I actually use that call, but the issue is iPhones could be in one, or the other, so it should check the second MDM after the first one fails, but once the first one fails, it never checks the second one.
06-08-2017 05:54 AM
imran.bashir1 I forwarded to our SME as well. Not sure if this is possible, I think it's either one or the other identified with concrete rules
06-08-2017 01:51 PM
That's what I was afraid of. I have them separated by logical profiles, but with iPhones in 2 profiles, it really hates it.
06-09-2017 12:47 PM
How about doing it in three different rules? One rule checks one MDM, the next rule the other MDM (this rule would only be reached if the first MDM wasn't successful), the third rule would then redirect them to the preferred MDM (maybe?). Would that work?
Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.
06-09-2017 01:07 PM
That's basically what I have.
Rule 1. Logical profile X and MDM name 1 and compliant.
Rule 2. Logical profile Y and MDM name 2 and compliant.
Rule 3. Logical profile Y and MDM name 2 and unknown -> redirect.
Non-compliant rules also. JAMF requires the redirect to first check a device.
So, iPhone is in logical profile X and Y. It checks rule 1 and it is unknown. It skips rule 2 and 3 and goes straight to the final deny rule. Phone is in the 2nd MDM and compliant, so should hit rule 2.
Think it's just a good reason for them to hurry up and get phones moved over to JAMF as they are about the only thing in both profiles. Once they do that, it should be fine. Still not sure why we have JAMF since it doesn't do Android.