ISE 3.2 using Intune as external MDM

Hi,

We recently migrated from 2.6 to 3.2 and are running patch 7. We are using Intune as an external MDM server and have reconfigured ISE to use GUID. My understanding is that Intune stopped supporting UDID-based queries. Our Windows machines are showing "true" under MDM registration status although we don't have a cert with a GUID. Our MacBooks are also showing "True" when Private Wi-Fi address is set to none. We don't get any MDM stats when set to fixed or randomized, which is causing the MacBooks to fail. My first question is why this is working if I don't have a GUID in the SAN field on my machine cert, and my second question is why the MacBooks are failing when set to fixed or randomized.

5 Replies

Greg Gibbs
Cisco Employee

There was a short time when Microsoft removed support for MAC Address based lookups, but the current Compliance Retrieval API does support it.
https://learn.microsoft.com/en-us/intune/intune-service/protect/network-access-control-integrate#data-shared-with-nac-partners

If you have no GUID being presented to ISE for the lookups, you would have to be performing those using the MAC address. Lookups using MAC address would be impacted by randomised MAC addresses and docks/dongles.

Thanks! I have the SAN field URI set for ID:Microsoft Endpoint Manager:GUID {{DeviceID}}. I still cannot connect when set to Randomize. When I'm set to off it works. How can I verify that ISE is using the GUID and not the MAC address?

When you say SAN field URI, this part you mentioned is on the Intune side, correct? Let me check if I can find this out for you.

I recently did the Intune and had a lot of issues with it. But to tell you, ISE does check for the MAC address in Intune for it to be verified.

First, you should ensure that your Intune and ISE environment is configured as per the documentation here:
https://cs.co/ise-mdm

If setup correctly, you should see the following in your ISE External MDM configuration indicating the use of APIv3.

Screenshot 2025-05-28 at 10.38.36 am.png

Also in the MDM configuration, ensure that you have the SAN URI option enabled and set as the first priority.

Screenshot 2025-05-28 at 10.40.10 am.png

The only way to confirm which identity is used for the MDM lookup would be to use the Debug Wizard (Operations > Troubleshoot > Debug Wizard) to set the necessary debugs to Debug or Trace level.

You can see an example of the debug logs in the Webinar I delivered here:
https://www.youtube.com/watch?v=iAKyIHFqbgE
53:39 Troubleshooting with ISE `external-mdm` Log

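To check the first half of the question offline (does the client certificate actually carry an Intune GUID in a SAN URI, or would ISE have to fall back to the MAC address), here is a small added example; it is not Cisco's or Intune's code and not from this thread. It assumes the SAN text is the output of `openssl x509 -noout -ext subjectAltName` and that the Intune identifier follows the `ID:Microsoft Endpoint Manager:GUID` template quoted above; the certificate SAN and MAC addresses are constructed samples.

```python
import re

# Constructed sample of what `openssl x509 -noout -ext subjectAltName` prints
# for a client certificate whose SAN URI carries the Intune device GUID.
SAMPLE_SAN_OUTPUT = """X509v3 Subject Alternative Name: 
    URI:ID:Microsoft Endpoint Manager:GUID:11111111-2222-3333-4444-555555555555, DNS:laptop01.example.test
"""

# Assumed format of the Intune identifier in the SAN URI. The thread shows the
# template "ID:Microsoft Endpoint Manager:GUID {{DeviceID}}", so both a colon
# and a space are accepted between "GUID" and the GUID value itself.
INTUNE_GUID_RE = re.compile(
    r"ID:Microsoft Endpoint Manager:GUID[: ]"
    r"([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})"
)


def parse_san(openssl_text):
    """Return (type, value) pairs from openssl's subjectAltName dump."""
    entries = []
    for line in openssl_text.splitlines():
        line = line.strip()
        if not line or line.startswith("X509v3"):
            continue  # skip the extension header line
        for item in line.split(", "):
            kind, _, value = item.partition(":")  # "URI:ID:..." -> ("URI", "ID:...")
            entries.append((kind, value))
    return entries


def intune_guid_from_san(openssl_text):
    """Return the Intune device GUID found in a SAN URI entry, or None."""
    for kind, value in parse_san(openssl_text):
        if kind == "URI":
            match = INTUNE_GUID_RE.search(value)
            if match:
                return match.group(1).lower()
    return None


def is_locally_administered(mac):
    """True when the U/L bit of the first octet is set, as it is for
    randomised or Apple private Wi-Fi addresses; Intune only knows the
    hardware MAC, so a MAC-based lookup with such an address will miss."""
    first_octet = int(mac.replace("-", ":").split(":")[0], 16)
    return bool(first_octet & 0x02)


def choose_mdm_identity(openssl_text, mac):
    """Mimic the SAN-URI-first priority: GUID if present, else the MAC,
    flagging a MAC that is locally administered and therefore unreliable."""
    guid = intune_guid_from_san(openssl_text)
    if guid:
        return ("guid", guid)
    if is_locally_administered(mac):
        return ("mac-randomised", mac.lower())
    return ("mac", mac.lower())
```

A result of `mac-randomised` is the failure mode described above for MacBooks with Private Wi-Fi address set to fixed or randomized: no GUID in the certificate and a MAC that Intune has never seen.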