05-18-2021 01:14 AM
Folks,
Is there any way to verify minimum OS version in ISE policy set, e.g. allowing only
05-18-2021 01:58 AM
Is this BYOD or pre-deployed equipment?
ISE with Posture check does this for you.
05-18-2021 03:55 AM
Hi @VipulAgr ,
at Policy > Profiling > Profiling Policies, create the following Profiler Policy (for ex.)
Name: Build18362
Parent Policy: Windows10-Workstation
Condition: ACIDEX_device-platform-version CONTAINS 10.0.18362
At Logical Profiles, create the following Logical Profile (for ex.)
Name: Windows10-Builds
Assigned Policies: Build18362
At Policy > Policy Set you are able to create an Authorization Policy like this:
Hope this helps !!!
05-18-2021 05:14 AM
Thanks Marcelo, that's really helpful. I was hoping to have a straightforward profile which allows OS versions higher than a specific one, but it looks like I need to create multiple logical profiles for each version which I need to allow. But that works.
05-19-2021 12:18 PM - edited 05-20-2021 04:58 AM
Surprisingly, this cannot be enforced in a posture policy.
05-20-2021 01:00 AM
Yeah, true, very surprising when Posture policies are so feature rich but don't support this basic requirement.
05-20-2021 04:25 AM
Hi @Peter Koltl and @VipulAgr ,
to "enforce" in a Posture Policy, try this:
In Work Centers > Posture > Policy Elements > Conditions > Registry:
Registry Root Key: HKLM
Sub Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Value Name: ProductName
Value Data: 10
Registry Root Key: HKLM
Sub Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Value Name: CurrentBuild
Value Data: 18362
In Work Centers > Posture > Policy Elements > Requirements, create the following:
Name: Req-Check-WindowsOSVersion
Operating System: Windows All
Compliance Module: 4.x or later
Posture: AnyConnect | Check-WindowsOSVersion | Message Text Only
Name: Req-Check-WindowsOS_Build
Operating System: Windows All
Compliance Module: 4.x or later
Posture: AnyConnect | Check-WindowsOS_Build | Message Text Only
In Work Centers > Posture > Posture Policy:
Rule Name: SO-Mandatory
Identity Groups: Any
Operating Systems: Windows All
Compliance Module: 4.x or later
Posture Type: AnyConnect
Other Conditions: <choose your condition>
Requirements: Mandatory - Check-WindowsOSVersion and Mandatory - Check-WindowsOS_Build
Hope this helps !!!
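A way to see on a Windows endpoint what the two registry conditions in the post above would read, before making the requirements mandatory. This is an added example, not part of the original post or of ISE; the function name and its parameters are hypothetical, and because the post does not show which operator the ISE condition uses, both an exact match and a minimum comparison are reported.

```powershell
# Added example: local pre-check of the registry values the posture conditions read.
# Test-WindowsBuildCompliance, $MinimumBuild and $ProductNameContains are
# illustrative names, not ISE or AnyConnect identifiers.
function Test-WindowsBuildCompliance {
    [CmdletBinding()]
    param(
        [int]$MinimumBuild = 18362,          # build number from the post
        [string]$ProductNameContains = '10'  # ProductName value data from the post
    )

    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    try {
        $cv = Get-ItemProperty -Path $key -ErrorAction Stop
    } catch {
        throw "Cannot read ${key}: $($_.Exception.Message)"
    }

    # CurrentBuild is stored as a string (REG_SZ); parse it before comparing,
    # otherwise the comparison is lexical and not numeric.
    $build = 0
    $parsed = [int]::TryParse([string]$cv.CurrentBuild, [ref]$build)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        ProductName    = $cv.ProductName
        CurrentBuild   = $cv.CurrentBuild
        ProductNameOk  = ([string]$cv.ProductName).Contains($ProductNameContains)
        ExactBuildOk   = $parsed -and ($build -eq $MinimumBuild)
        MinimumBuildOk = $parsed -and ($build -ge $MinimumBuild)
    }
}

# Run locally on the endpoint and review the result
Test-WindowsBuildCompliance | Format-List
```

An endpoint where `MinimumBuildOk` is true but `ExactBuildOk` is false runs a newer build than 18362, which is the case the original question about a minimum version is concerned with.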
05-21-2021 01:03 AM
Thanks much again Marcelo,
But I guess it would work only with Windows machines, not for any other OS, e.g. MAC, and generally an enterprise will have various client OSs to look at.