11-16-2020 01:34 PM - edited 11-16-2020 01:36 PM
I am trying to block mobile phones from a policy. The issue is that if I look at my authz policy and go to 'Identity Group-Name' EQUALS, I don't see all profiled built-in groups. For example, my phone that gets profiled Apple-Device, where does that map to in ISE via policy? I do see in Endpoint Identity groups, Apple-iDevice. But if I set that to block in my authz policy, it doesn't match. Is there a way to block a Profiled group or policy that equals Apple-Device?
Is there a way to add a group of profiling policies and then apply that to a policy set? Such as group Apple-Device, Android-*, etc., and apply that to the policy block?
Thanks.
11-16-2020 08:12 PM
The difference is that the built-in profiles are not the same as identity groups. They certainly can be mapped to identity groups if you enable "create matching ID group" within the profile, but most do not by default. What you're after here to use in the authz is "EndpointPolicy", which is the profile you see, or you can use "logicalProfile" if you have grouped any profiles in a logical group of profiles.