cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

118
Views
0
Helpful
3
Replies
Highlighted
Participant

ISE 2.6 use the UID for JAMF MDM lookup

I am trying to authenticate devices from my VPN to ISE for MDM compliance. Baed on the ISE 2.6 configuration guide, it should be using the UID to check for compliance when coming from the VPN. But I'm seeing that this isn't true...it still seems to be attempting to authenticate based on MAC address. This doesn't work right when the user connects with a dongle vs their wireless connection. How can I force the UID? Is it an Anyconnect setting?

3 REPLIES 3
Highlighted
Cisco Employee

Re: ISE 2.6 use the UID for JAMF MDM lookup

Hi Josh,

 

ISE 2.6+ does support consuming the UDID from the VPN connection using AnyConnect 4.7+ and using that in the query sent to the MDM for compliance status. The UDID value for the endpoint would also need to be an attribute supported and known by the MDM solution, but I'm not sure what version of JAMF Pro is required for this. You would also likely need to enroll (or re-enroll) the device with JAMF after installing AnyConnect so the UDID attribute is associated with the endpoint.

I would suggest confirming that your JAMF instance supports the UDID attribute and has learned that attribute for the endpoint you're testing. You can also Expose the UDID in DART to confirm it matches that attribute in JAMF.

If the attribute is associated with the endpoint in JAMF and you're still having issues, you will likely need to open a TAC case to investigate further via debug logs.

 

Cheers,

Greg

Highlighted
Participant

Re: ISE 2.6 use the UID for JAMF MDM lookup

Thanks, what I'm wondering now is why the UDID discovered from Anyconnect doesn't match the actual UDID. For example, the actual UDID of my device is UDID: 7EE54F6A-2329-5DFE-84B8-XXXXXXXXXXX but Dart and Anyconnect report the UDID as 

UDID : 3DE068XXXXXXXXC348B081EF6630XXXXXXXXXXXXX. Not sure if this is some sort of hash or what. But obviously, this value would cause a mis-match when comparing to JAMF. When ISE does the MDM lookup, it does return the correct UDID value but it puts it in the 'PhoneID' attribute, with the 'PhoneIDType' set to 'UDID'. 
I still feel like there should be a way to tell Anyconnect how/what value to pull from the device to send to JAMF.
Highlighted
Cisco Employee

Re: ISE 2.6 use the UID for JAMF MDM lookup

UDID vs UUID vs GUID says,

UUID:
It is the acronym of Universally Unique Identifier.
A sequence of 128 bits that can guarantee uniqueness across space and time, defined by RFC 4122.

GUID:
It is the acronym of Globally Unique Identifier
It is Microsoft's implementation of the UUID specification; often used interchangeably with UUID.
In dot net framework its called as Plain GUID and in sql server its called as newid

UDID:
It is the acronym of Unique Device Identifier
It is sequence of 40 hexadecimal characters that uniquely identify an iOS device


AFAIK AnyConnect generates its own UDID so that is different from UUID from the output of "wmic csproduct get uuid".

The reason ISE uses UDID to query MDM for Apple iOS or Android devices is "AnyConnect does not have permission to access MAC addresses on iOS/Android these days (OS restrictions)," Later so on the UDID and relies on MDM profiles (see MDM Configuration of Device Identifier for AnyConnect on iOS and Android)