Wonderful, thank you Greg, it works!

The same question was posted on the ISE Bar Webex space, so copying the responses here for the benefit of others.

In your Intune MDM configuration, do you see the text stating that it supports APIv3? If not, then your App may not be configured correctly in Azure.

If the App and ISE are configured correction, you should also see the GUID in the Live Logs for the session. Are you seeing this?

Thanks for the reply. Yes, ISE version is 3.2. And ISE is connected by API Version 3. And the Device Identifiers are configurable for all 3 options.
I also checked the logging, but I don't see the GUID in the live logging.

Correction, I am seeing the GUID now. This is different from last week when the GUID was not in the logging.
So I will take a look at this and post the outcome.

Oke, the result is still the same -> From the debug logs: The value for the DeviceIdentifier Source 'CERT_SANURI_GUID' is 'NULL', etc.
In the live logging I see the GUID -> ID:Microsoft Endpoint Manager:GUID:xxx etc.
But access is denied, because I think ISE is not connecting to the MDM environment because of the DeviceIdentifier Source 'CERT_SANURI_GUID' is 'NULL'
Changed back to MAC -> and this is working.
This is really annoying, can't get this to work as expected.

Hi, 

I have same issue as you. 

My CN is ok but SANURI is null whole time.

23-04-27 13:45:58,002 DEBUG [Thread-76][] cisco.cpm.mdm.pip.MdmPartnerPIPHandler -::::- SESSION IS NOT NULL & CERTIFICATE.CN Field value is - '401bbf6f-4a38-4e31-8e20-cae12be3e003' and CERTIFICATE.SAN DNS Field value is - 'null' and CERTIFICATE.CERT_SANURI_KEY Field value is -'null'
2023-04-27 13:45:58,002 DEBUG [Thread-76][] cisco.cpm.mdm.pip.MdmPartnerPIPHandler -::::- Actual check of CERTIFICATE.CN Field value is - '401bbf6f-4a38-4e31-8e20-cae12be3e003' and CERTIFICATE.SAN DNS Field value is - 'null' and CERTIFICATE.CERT_SANURI_KEY Field value is -'null'
2023-04-27 13:45:58,002 DEBUG [Thread-76][] cisco.cpm.mdm.pip.MdmPartnerPIPHandler -::::- ise db/cache Configured device Identifier source order values are : CERT_SANURI_GUID
2023-04-27 13:45:58,002 DEBUG [Thread-76][] cisco.cpm.mdm.pip.MdmPartnerPIPHandler -::::- Checking the current deviceIdentifier value : CERT_SANURI_GUID
2023-04-27 13:45:58,002 DEBUG [Thread-76][] cisco.cpm.mdm.pip.MdmPartnerPIPHandler -::::- The value for the DeviceIdentifier Source 'CERT_SANURI_GUID' is 'NULL', hence checking the next Device Identifier source..!
2023-04-27 13:45:58,002 INFO [Thread-76][] cisco.cpm.mdm.pip.MdmPartnerPIPHandler -::::- The value for the deviceIdentifier type of 'null' is - 'null'

The only bug I'm aware of related to the MDM APIv3 with Intune GUID is the following:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe38610

I've done testing recently with ISE 3.2p1 and am not able to replicate any issues with the Intune MDM compliance checks. If you have ensured you are using the capital case for 'ID' in your SAN URI string, you will likely need to open a TAC case to investigate further.

Some relevant debug/trace logs from my lab:

2023-04-28 11:02:09,899 TRACE [Thread-388][[]] cisco.cpm.mdm.pip.MdmPartnerPIPHandler -::::- Session Info attributes: Attrs: {TUI_AzureAD_ROPC.ExternalGroups=[xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx], MdmType=External, Network Access.WasMachineAuthenticated=[false], SavedUserNames=[tuiuser10@domain.onmicrosoft.com], CERTIFICATE.Issuer - Common Name=TUI-CA, Network Access.AuthenticationMethod=[5], Radius.NAS-Port-Type=15, CERTIFICATE.Subject Alternative Name - URI=[ID:Microsoft Endpoint Manager:GUID:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx], Normalised Radius.RadiusFlowType=0, Network Access.EapAuthentication=[2], CERTIFICATE.Subject - Common Name=[tuiuser10@domain.onmicrosoft.com], CERTIFICATE.Subject - Organization Unit=[], __IntIdGrps__=[Ljava.lang.String;@23e29bb7}
IndexValues: {}

2023-04-28 11:02:09,899 DEBUG [Thread-388][[]] cisco.cpm.mdm.pip.MdmPartnerPIPHandler -::::- SESSION IS NOT NULL & CERTIFICATE.CN Field value is - 'tuiuser10@domain.onmicrosoft.com' and CERTIFICATE.SAN DNS Field value is - 'null' and CERTIFICATE.CERT_SANURI_KEY Field value is -'ID:Microsoft Endpoint Manager:GUID:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx'
2023-04-28 11:02:09,899 DEBUG [Thread-388][[]] cisco.cpm.mdm.pip.MdmPartnerPIPHandler -::::- Actual check of CERTIFICATE.CN Field value is - 'tuiuser10@domain.onmicrosoft.com' and CERTIFICATE.SAN DNS Field value is - 'null' and CERTIFICATE.CERT_SANURI_KEY Field value is -'ID:Microsoft Endpoint Manager:GUID:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx'
2023-04-28 11:02:09,899 DEBUG [Thread-388][[]] cisco.cpm.mdm.pip.MdmPartnerPIPHandler -::::- ise db/cache Configured device Identifier source order values are : CERT_SANURI_GUID
2023-04-28 11:02:09,899 DEBUG [Thread-388][[]] cisco.cpm.mdm.pip.MdmPartnerPIPHandler -::::- Checking the current deviceIdentifier value : CERT_SANURI_GUID
2023-04-28 11:02:09,899 INFO [Thread-388][[]] cisco.cpm.mdm.pip.MdmPartnerPIPHandler -::::- The value for the deviceIdentifier type of 'SAN_URI' is - 'ID:Microsoft Endpoint Manager:GUID:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx'

Hi,

I've manage to resolve problem.

Problem was in URI configuration on SCEP profile in Intune.

BTW

How is 3.2 patch 1 showing. Did you try it in production or only lab env?

We have intention to upgrade from 3.1 to 3.2 and use AZURE AD integration for EAP-TEAP configuration.

As ISE 3.1 is still the recommended version, I have not had any customers deploy it in Production yet.

If you intend to use Azure AD with ISE, I would suggest reviewing the following document I wrote to understand what can and cannot be done with Azure AD.

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-azure-ad-and-intune/ta-p/4763635

Do you mind sharing what you did to fix the issue? Facing the same problem using an Intune pushed SCEP cert profile to mobile devices.