
Enforcing OS version using ISE

VipulAgr
Level 1

Folks,

 

Is there any way to verify minimum OS version in an ISE policy set, e.g. allowing only

  • Windows10 1903 (build 18362) or higher
  • Mac OS - 10.14 or higher

 


Accepted Solutions

Hi @VipulAgr,

At Policy > Profiling > Profiling Policies, create the following Profiler Policy (for example):

Name: Build18362
Parent Policy: Windows10-Workstation
Condition: ACIDEX_device-platform-version CONTAINS 10.0.18362


 

At Logical Profiles, create the following Logical Profile (for example):

Name: Windows10-Builds
Assigned Policies: Build18362


At Policy > Policy Set you are able to create an Authorization Policy like this:

[Image: BUILD 18362.png]

 

Hope this helps !!!


balaji.bandi
Hall of Fame

Is this BYOD or pre-deployed equipment?

 

ISE with Posture check does this for you.

BB



Thanks Marcelo, that's really helpful. I was hoping to have a straightforward profile which allows OS versions higher than a specific one, but it looks like I need to create multiple logical profiles for each version which I need to allow. But that works.

Peter Koltl
Level 7

Surprisingly, this cannot be enforced in a posture policy.

Yeah, true, very surprising when Posture policies are so feature-rich but don't support this basic requirement.

Hi @Peter Koltl and @VipulAgr,

To "enforce" in a Posture Policy, try this:

In Work Centers > Posture > Policy Elements > Conditions > Registry:

Registry Root Key: HKLM
Sub Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Value Name: ProductName
Value Data: 10


 

Registry Root Key: HKLM
Sub Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Value Name: CurrentBuild
Value Data: 18362


 

In Work Centers > Posture > Policy Elements > Requirements, create the following:

Name: Req-Check-WindowsOSVersion
Operating System: Windows All
Compliance Module: 4.x or later
Posture: AnyConnect | Check-WindowsOSVersion | Message Text Only

Name: Req-Check-WindowsOS_Build
Operating System: Windows All
Compliance Module: 4.x or later
Posture: AnyConnect | Check-WindowsOS_Build | Message Text Only


 

In Work Centers > Posture > Posture Policy:

Rule Name: SO-Mandatory
Identity Groups: Any
Operating Systems: Windows All
Compliance Module: 4.x or later
Posture Type: AnyConnect
Other Conditions: <choose your condition>
Requirements: Mandatory - Check-WindowsOSVersion and Mandatory - Check-WindowsOS_Build


 

Hope this helps !!!

Thanks much again Marcelo,

 

But I guess it would work only with Windows machines, not for any other OS, e.g. Mac, and generally an enterprise will have various client OSs to look at.
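
The "or higher" requirement from the original question, as an added example that is not part of the thread and not Cisco's code: a numeric version comparison for auditing an endpoint list, set beside the single-build substring match that a CONTAINS condition on `10.0.18362` performs. The inventory, the function names and the macOS version format are assumptions made for illustration.

```python
# Added example: audit reported OS versions against a minimum-version policy.
# The version strings below are constructed samples, not ISE output.

# Minimums from the original question: Windows 10 1903 (10.0.18362), macOS 10.14.
MINIMUMS = {"windows": (10, 0, 18362), "macos": (10, 14)}


def parse_version(text):
    """Turn '10.0.18362' into (10, 0, 18362); return None if not purely numeric."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def meets_minimum(os_family, version_text):
    """Numeric 'or higher' check; unknown families or unparsable versions fail closed."""
    minimum = MINIMUMS.get(os_family.lower())
    version = parse_version(version_text)
    if minimum is None or version is None:
        return False
    # Pad to equal length so (10, 14) and (10, 14, 0) compare as equal.
    width = max(len(minimum), len(version))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(minimum)


def contains_match(version_text, needle="10.0.18362"):
    """What a CONTAINS condition on one build string matches: that build only."""
    return needle in version_text


def audit(endpoints):
    """Return the names of endpoints that fall below the minimum."""
    return [name for name, fam, ver in endpoints if not meets_minimum(fam, ver)]


# Constructed inventory: (endpoint name, OS family, reported version).
SAMPLE = [
    ("pc-01", "windows", "10.0.17763"),  # older build, below the minimum
    ("pc-02", "windows", "10.0.18362"),  # exactly the minimum
    ("pc-03", "windows", "10.0.19045"),  # newer build, a CONTAINS rule misses it
    ("mac-01", "macos", "10.9.5"),       # a string compare ranks this above 10.14
    ("mac-02", "macos", "10.15.7"),
    ("pc-04", "windows", "unknown"),     # unparsable, fails closed
]

if __name__ == "__main__":
    print("non-compliant:", audit(SAMPLE))
```

Comparing the dotted strings as text instead of as integers would accept `10.9.5` as newer than `10.14`, which is why the check parses each component first.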