ISE 2.6 use the UID for JAMF MDM lookup

Josh Morris
Level 3

I am trying to authenticate devices from my VPN to ISE for MDM compliance. Based on the ISE 2.6 configuration guide, it should be using the UID to check for compliance when coming from the VPN. But I'm seeing that this isn't true... it still seems to be attempting to authenticate based on MAC address. This doesn't work right when the user connects with a dongle vs. their wireless connection. How can I force the UID? Is it an AnyConnect setting?

3 Replies

Greg Gibbs
Cisco Employee

Hi Josh,

ISE 2.6+ does support consuming the UDID from the VPN connection using AnyConnect 4.7+ and using that in the query sent to the MDM for compliance status. The UDID value for the endpoint would also need to be an attribute supported and known by the MDM solution, but I'm not sure what version of JAMF Pro is required for this. You would also likely need to enroll (or re-enroll) the device with JAMF after installing AnyConnect so the UDID attribute is associated with the endpoint.

I would suggest confirming that your JAMF instance supports the UDID attribute and has learned that attribute for the endpoint you're testing. You can also Expose the UDID in DART to confirm it matches that attribute in JAMF.

If the attribute is associated with the endpoint in JAMF and you're still having issues, you will likely need to open a TAC case to investigate further via debug logs.

Cheers,

Greg

Thanks, what I'm wondering now is why the UDID discovered from AnyConnect doesn't match the actual UDID. For example, the actual UDID of my device is UDID: 7EE54F6A-2329-5DFE-84B8-XXXXXXXXXXX but DART and AnyConnect report the UDID as UDID: 3DE068XXXXXXXXC348B081EF6630XXXXXXXXXXXXX. Not sure if this is some sort of hash or what. But obviously, this value would cause a mismatch when comparing to JAMF. When ISE does the MDM lookup, it does return the correct UDID value but it puts it in the 'PhoneID' attribute, with the 'PhoneIDType' set to 'UDID'.

I still feel like there should be a way to tell AnyConnect how/what value to pull from the device to send to JAMF.

UDID vs UUID vs GUID says,

UUID:
It is the acronym of Universally Unique Identifier.
A sequence of 128 bits that can guarantee uniqueness across space and time, defined by RFC 4122.

GUID:
It is the acronym of Globally Unique Identifier
It is Microsoft's implementation of the UUID specification; often used interchangeably with UUID.
In the .NET Framework it is called a plain GUID, and in SQL Server it is called newid.

UDID:
It is the acronym of Unique Device Identifier
It is a sequence of 40 hexadecimal characters that uniquely identifies an iOS device.

AFAIK AnyConnect generates its own UDID, so that is different from the UUID in the output of "wmic csproduct get uuid".

The reason ISE uses the UDID to query the MDM for Apple iOS or Android devices is that "AnyConnect does not have permission to access MAC addresses on iOS/Android these days (OS restrictions)." Later on, the UDID relies on MDM profiles (see "MDM Configuration of Device Identifier for AnyConnect on iOS and Android").
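The mismatch described in this thread comes down to two different identifier formats: the RFC 4122 UUID that JAMF holds and the 40-hex-character UDID that AnyConnect/DART report. The following is an added example (not code from the thread, ISE, AnyConnect or JAMF) that classifies an identifier by format, reads the RFC 4122 version/variant nibbles, and shows that an MDM lookup comparing values of different kinds can never match, no matter how they are normalized. The sample identifier values are constructed, and the MDM response format is not modelled.

```python
import re
import uuid

# Textual forms discussed in the thread: an RFC 4122 UUID (8-4-4-4-12 hex groups,
# optionally in braces as a Windows GUID) and an iOS-style UDID (40 hex characters).
_UUID_RE = re.compile(
    r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$", re.I)
_UDID40_RE = re.compile(r"^[0-9a-f]{40}$", re.I)


def classify(identifier: str) -> str:
    """Return 'uuid', 'udid40' or 'unknown' for a device-identifier string."""
    value = identifier.strip()
    if _UUID_RE.match(value):
        return "uuid"
    if _UDID40_RE.match(value):
        return "udid40"
    return "unknown"


def normalize(identifier: str) -> str:
    """Canonical form for comparison: braces and hyphens removed, upper-cased."""
    return re.sub(r"[{}-]", "", identifier.strip()).upper()


def uuid_version_variant(identifier: str):
    """(version, variant) of an RFC 4122 UUID, or None if the value is not one."""
    if classify(identifier) != "uuid":
        return None
    parsed = uuid.UUID(identifier.strip().strip("{}"))
    return parsed.version, parsed.variant


def lookup_can_match(client_id: str, mdm_id: str) -> bool:
    """True only when both values are the same kind of identifier and are equal
    after normalization. A 40-hex AnyConnect UDID can never equal an RFC 4122 UUID,
    so normalization alone cannot repair the mismatch seen in the thread."""
    kind = classify(client_id)
    if kind == "unknown" or kind != classify(mdm_id):
        return False
    return normalize(client_id) == normalize(mdm_id)


# Constructed sample values (not real devices): what the MDM holds vs. what the client reported.
MDM_UDID = "7EE54F6A-2329-5DFE-84B8-0123456789AB"
CLIENT_UDID = "3DE068A1B2C3D4E5C348B081EF6630F0E1D2C3B4"

if __name__ == "__main__":
    print(classify(MDM_UDID), classify(CLIENT_UDID))   # uuid udid40
    print(lookup_can_match(CLIENT_UDID, MDM_UDID))     # False
```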