05-18-2021 01:14 AM
Folks,
Is there any way to verify the minimum OS version in an ISE policy set, e.g. allowing only
- Windows10 1903 (build 18362) or higher
- Mac OS - 10.14 or higher
Labels: Identity Services Engine (ISE), VPN
Accepted Solutions
05-18-2021 03:55 AM
Hi @VipulAgr ,
at Policy > Profiling > Profiling Policies, create the following Profiler Policy (for ex.)
Name: Build18362
Parent Policy: Windows10-Workstation
Condition: ACIDEX_device-platform-version CONTAINS 10.0.18362
At Logical Profiles, create the following Logical Profile (for ex.)
Name: Windows10-Builds
Assigned Policies: Build18362
At Policy > Policy Set you are able to create an Authorization Policy like this:
Hope this helps !!!
05-18-2021 01:58 AM
Is this BYOD or pre-deployed equipment?
ISE with Posture check does this for you.
05-18-2021 05:14 AM
Thanks Marcelo, that's really helpful. I was hoping to have a straightforward profile which allows OS versions higher than a specific one, but it looks like I need to create multiple logical profiles for each version which I need to allow. But that works.
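The difference between a CONTAINS match on one build string and the "or higher" check asked for in the question, as an added example that is not part of the thread and is not ISE code. It runs outside ISE, for instance to work out which reported builds would each need their own profiler policy; the sample version strings are constructed, and the dotted macOS version format is an assumption.

```python
import re

# Minimums taken from the question in this thread.
MINIMUMS = {"windows": (10, 0, 18362), "macos": (10, 14)}

def parse_version(text):
    """Turn '10.0.18363' into (10, 0, 18363); raise ValueError on anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def meets_minimum(os_family, reported):
    """Numeric, field-by-field comparison; unparseable values fail closed."""
    try:
        version = parse_version(reported)
    except ValueError:
        return False
    minimum = MINIMUMS[os_family]
    width = max(len(version), len(minimum))
    # Pad with zeros so '11' compares as (11, 0) against (10, 14).
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(minimum)

def contains_match(reported, needle="10.0.18362"):
    """What a single CONTAINS condition on one build string accepts."""
    return needle in reported

def builds_needing_own_policy(os_family, reported_versions):
    """Distinct compliant versions; each one needs its own CONTAINS-style policy."""
    compliant = {v for v in reported_versions if meets_minimum(os_family, v)}
    return sorted(compliant, key=parse_version)

# Constructed sample values, not taken from a real deployment.
SAMPLE_WINDOWS = ["10.0.17763", "10.0.18362", "10.0.18363", "10.0.19042", "unknown"]
SAMPLE_MACOS = ["10.9.5", "10.13.6", "10.14.6", "11.2.3"]

if __name__ == "__main__":
    for v in SAMPLE_WINDOWS:
        print(f"windows {v:12} contains={contains_match(v)} "
              f"minimum={meets_minimum('windows', v)}")
    for v in SAMPLE_MACOS:
        # A plain string comparison wrongly accepts 10.9.5 as >= 10.14.
        print(f"macos   {v:12} minimum={meets_minimum('macos', v)} "
              f"string_compare={v >= '10.14'}")
    print(builds_needing_own_policy("windows", SAMPLE_WINDOWS))
```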

05-19-2021 12:18 PM - edited 05-20-2021 04:58 AM
Surprisingly, this cannot be enforced in a posture policy.
05-20-2021 01:00 AM
Yeah, true, very surprising when Posture policies are so feature-rich but don't support this basic requirement.
05-20-2021 04:25 AM
Hi @Peter Koltl and @VipulAgr ,
to "enforce" in a Posture Policy, try this:
In Work Centers > Posture > Policy Elements > Conditions > Registry:
Registry Root Key: HKLM
Sub Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Value Name: ProductName
Value Data: 10
Registry Root Key: HKLM
Sub Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Value Name: CurrentBuild
Value Data: 18362
In Work Centers > Posture > Policy Elements > Requirements, create the following:
Name: Req-Check-WindowsOSVersion
Operating System: Windows All
Compliance Module: 4.x or later
Posture: AnyConnect | Check-WindowsOSVersion | Message Text Only
Name: Req-Check-WindowsOS_Build
Operating System: Windows All
Compliance Module: 4.x or later
Posture: AnyConnect | Check-WindowsOS_Build | Message Text Only
In Work Centers > Posture > Posture Policy:
Rule Name: SO-Mandatory
Identity Groups: Any
Operating Systems: Windows All
Compliance Module: 4.x or later
Posture Type: AnyConnect
Other Conditions: <choose your condition>
Requirements: Mandatory - Check-WindowsOSVersion and Mandatory - Check-WindowsOS_Build
Hope this helps !!!
05-21-2021 01:03 AM
Thanks much again Marcelo,
But I guess it would work only with Windows machines, not for any other OS, e.g. Mac, and generally an enterprise will have various client OSs to look at.
