cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1423
Views
5
Helpful
1
Replies

How to block a profiled device

ryan14
Beginner
Beginner

I am trying to block mobile phones from a policy. The issue is that If I look at my authz policy and go to 'Identity Group-Name' EQUALS I don't see all profiled built-in groups. For example, my phone that gets profiled Apple-Device, where does that map to in ISE via policy? I do see in Endpoint Identity groups, Apple-iDevice. But if I set that to block in my authz policy, it doesn't match. Is there a way to block a Profiled group or policy that equals Apple-Device?

 

Is there a way to add a group of profiling policies and then apply that to a policy set? Such as group Apple-Device, Android-*, etc and apply that to the policy block?

 

Thanks.

1 Accepted Solution

Accepted Solutions

Damien Miller
VIP Alumni
VIP Alumni

The difference is that the built in profiles are not the same as identity groups, they certainly can be mapped to identity groups if you enable "create matching ID group" within the profile, but most do not by default. What you're after here to use in the authz is "EndpointPolicy" which is the profile you see, or you can use "logicalProfile" if you have grouped any profiled in a logical group or profiles. 

profile.JPG 

View solution in original post

1 Reply 1

Damien Miller
VIP Alumni
VIP Alumni

The difference is that the built in profiles are not the same as identity groups, they certainly can be mapped to identity groups if you enable "create matching ID group" within the profile, but most do not by default. What you're after here to use in the authz is "EndpointPolicy" which is the profile you see, or you can use "logicalProfile" if you have grouped any profiled in a logical group or profiles. 

profile.JPG 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: