How to block a profiled device

ryan14
Level 1

I am trying to block mobile phones from a policy. The issue is that if I look at my authz policy and go to 'Identity Group-Name' EQUALS, I don't see all profiled built-in groups. For example, my phone that gets profiled Apple-Device, where does that map to in ISE via policy? I do see in Endpoint Identity groups, Apple-iDevice. But if I set that to block in my authz policy, it doesn't match. Is there a way to block a Profiled group or policy that equals Apple-Device?

Is there a way to add a group of profiling policies and then apply that to a policy set? Such as group Apple-Device, Android-*, etc. and apply that to the policy block?

Thanks.

Accepted Solutions

Damien Miller
VIP Alumni

The difference is that the built-in profiles are not the same as identity groups. They certainly can be mapped to identity groups if you enable "create matching ID group" within the profile, but most do not by default. What you're after here to use in the authz is "EndpointPolicy", which is the profile you see, or you can use "logicalProfile" if you have grouped any profiles in a logical group of profiles.
