ISE 2.2 SCCM remediation

Attila Horvath
Level 1

Hi,

We have implemented ISE 2.2 with latest patch.

We would like to use client based (not MDM) SCCM posture with remediation.

At our customer the Windows patch installation process is the following:

When a patch arrives from MS, IT assigns this patch to computers (T day) in SCCM.

The users have 2 days to install these patches (now they can see it in the workstation's Software Center),

and only after 2 days will SCCM force the installation.

So if we want to check and remediate SCCM, we have 2 days when users are allowed to exist without patches.

But in the posture rules there is no setting to allow a grace period. So if a patch is assigned to a machine,

the user will be non-compliant immediately.

So what is the proposal for this issue in ISE 2.2?

Attila

Accepted Solution

This is a public forum; please do not talk about future features in this forum, in case they are not committed to the release for some unforeseen reason.

Unless there is a setting under SCCM to allow a grace period on their side, I don't think this will work.

Since we just check at the macro level with the external provider, it would have to send back compliant for the specific condition.

I have asked our posture SME imbashir to take a look at this thread to make sure I'm not missing anything.


Jason Kunst
Cisco Employee

Confused how this is an issue? ISE simply checks if the client is compliant with SCCM policies, correct? It's an all-or-nothing value, right? At a macro level? If the SCCM policy allows a grace period, then wouldn't it be compliant until that grace period is up?

You are not using a specific compliance check for the micro-level values directly from AnyConnect, so I don't see how this would be an issue?

Hi,

The issue to me is how to allow login for 3 days if the customer's policy allows 3 days to install patches. The SCCM query with AnyConnect (via the SCCM API) shows the user as non-compliant, but I must allow login for a limited time (according to corporate policy).

I know we can force the remediation immediately, but this customer is not campus-like, and forcing 800 users to install the whole Patch Tuesday in the morning (and not allowing them to work until it is installed) is not an option.


I just spoke to imbashir and he confirmed and gave some info as well.

From ISE we cannot set a grace period. This is a feature request (we don't talk about futures in public forums). Perhaps you can do a check that doesn't specifically call out a specific patch? Does SCCM offer a grace period if you are checking for GENERAL COMPLIANCE across all patches?

Besides that, I would ask a Microsoft SCCM expert.
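The thread turns on the difference between the all-or-nothing compliance value the posture check sees and the deadline-based grace period SCCM applies before it forces an installation. As an added example (not code from the thread, from Cisco or from Microsoft), the script below shows that difference on a single Configuration Manager client: it reads the missing updates the client knows about and splits them into those still inside their deployment deadline and those already overdue. It assumes the CM client exposes the CCM_SoftwareUpdate class in the root\ccm\ClientSDK namespace, that ComplianceState 0 means "applicable but not installed", and that Deadline holds the deployment's enforcement time; those property meanings are assumptions, as is the function name Get-PatchGraceStatus.

```powershell
# Added example, not part of the thread. Lists SCCM-assigned updates that are
# missing on the local client and splits them into "inside the deployment
# deadline" and "overdue". Assumes the Configuration Manager client is installed
# and exposes CCM_SoftwareUpdate in root\ccm\ClientSDK; the meaning of the
# ComplianceState and Deadline properties below is an assumption.

function Get-PatchGraceStatus {
    param(
        # "Now" is a parameter so the evaluation can be repeated against a fixed time.
        [datetime]$Now = (Get-Date)
    )

    # ComplianceState 0 = update applies to this host but is not installed (assumption).
    # Wrapping in @() keeps Count correct when zero or one update comes back.
    $missing = @(Get-CimInstance -Namespace 'root\ccm\ClientSDK' -ClassName 'CCM_SoftwareUpdate' |
        Where-Object { $_.ComplianceState -eq 0 })

    $overdue = @()
    $inGrace = @()
    foreach ($u in $missing) {
        # Deadline is the enforcement time on the deployment; until it passes the
        # update is offered in Software Center but not forced. An update with no
        # deadline is treated as still in its grace period.
        if ($u.Deadline -and $u.Deadline -le $Now) { $overdue += $u } else { $inGrace += $u }
    }

    $describe = { "$($_.ArticleID) $($_.Name) (deadline $($_.Deadline))" }

    [pscustomobject]@{
        EvaluatedAt        = $Now
        MissingTotal       = $missing.Count
        InGracePeriod      = @($inGrace | ForEach-Object $describe)
        Overdue            = @($overdue | ForEach-Object $describe)
        # Strict view: any missing update makes the host non-compliant. This is the
        # all-or-nothing result the thread describes the posture check as receiving.
        CompliantStrict    = ($missing.Count -eq 0)
        # Grace-aware view: only updates past their deployment deadline count.
        CompliantWithGrace = ($overdue.Count -eq 0)
    }
}

Get-PatchGraceStatus | Format-List
```

Run it on a workstation during the window between assignment and deadline and CompliantStrict reports $false while CompliantWithGrace reports $true, which is exactly the gap the original poster describes. The script only reports; it does not change the posture decision, but it gives an administrator a per-host list of which missing patches are merely pending and which have actually slipped past their deadline.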