
ISE: Adding a second MDM

pmcternan
Level 1

We currently have Airwatch as our MDM integrated into our ISE solution. We recently stood up Intune in Azure and plan to migrate over to Intune in the coming weeks/months. I would like to integrate Intune into ISE as a secondary MDM. Is this possible? Are there any concerns I should know about in advance? Does anyone have experience they can share as far as running 2 MDM solutions concurrently? Here is the user guide I plan to use to add Intune.

 

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217290-integrate-intune-mdm-with-identity-servi.html

 

ISE version 2.7.0.356

Accepted Solution

pmcternan
Level 1

Thank you Thomas! I've since added the second MDM but got a false positive "green check mark", as the reports are showing ISE did not successfully connect to Intune. I've since opened a TAC case as it appears to point to the following bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo45411

I was initially told to build the instance again and see if this resolves the issue, and unfortunately it did not. So we are moving towards generating a support bundle. I'll keep you posted via this thread.

 



thomas
Cisco Employee

Cisco Identity Services Engine Administrator Guide, Release 3.1 > Mobile Device Manager Interoperability with Cisco ISE :

You can run multiple active MDM servers on your network, from different vendors. This allows you to route different endpoints to different MDM servers based on device factors such as location or device type.

and

Configure Cisco ISE to interoperate with one or more external MDM servers. By setting up this type of third-party connection, you can use the detailed information available in the MDM database. Cisco ISE uses REST API calls to retrieve information from the external MDM server. Cisco ISE applies the appropriate access control policies to switches, access routers, wireless access points, and other network access points. The policies give you greater control of the remote devices that are accessing the Cisco ISE-enabled network.

For a list of the MDM vendors supported by Cisco ISE, see Supported Unified Endpoint Management and Mobile Device Management Servers.

Hi

I know this is from last year, but are these APIs only in 3.1? I'm sure I just saw a document say 2.7 Patch 7.

I'm not a programmer, so if it's already been created, bonus.

 

cheers

The MDM API has been around for a long time now and has evolved from v1-v3 to enhance its capability. ISE 2.7 also supports multiple concurrent MDM integrations as stated in the Admin Guide.

The difference is that ISE 3.1 introduces the MDM API v3 which provides additional capabilities that will not be present in ISE 2.7. The MDM vendor must also support v3 to take advantage of those feature enhancements.

Hi Greg,

 

Thanks for your feedback. The problem I am currently having is that I've added Intune as a secondary MDM. When I hit the test connection button it says "Connection to server is successful with current settings." If a mobile device is registered to Intune, it is unable to connect to the "Employee" WiFi SSID. When I look a little deeper into the logs and reports I am seeing a 503 Service Unavailable error, "External MDM Server Connection Failure", between ISE and Intune. I've had a TAC case open since December. So far we have added patches 4 & 6, and I've enabled debugs and downloaded support bundles on multiple occasions but haven't had much luck. I am currently on ISE 2.7.0.356 with patches 3, 4 and 6 installed.

This has never worked, hence my original post/query.
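The symptom described in the post above (a passing "Test connection" while real endpoint lookups return 503 "External MDM Server Connection Failure") is easiest to spot by summarising the reports per MDM server rather than reading them line by line. The following is an added example, not code from this thread or from Cisco: it parses a few constructed, ISE-report-like lines and flags any MDM server whose connection test passed while every real endpoint lookup failed. The line layout and field names (mdm_server=, endpoint=, status=, test_connection=) are assumptions made for illustration; the actual ISE report format is not shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample lines in an ASSUMED ISE-report-like key=value layout.
# The real ISE report format is not shown on the page; only the messages
# quoted in the thread ("Connection to server is successful with current
# settings." and "External MDM Server Connection Failure") come from it.
SAMPLE_LOG = """\
2022-02-01T09:12:03Z mdm_server=Airwatch endpoint=aa:bb:cc:dd:ee:01 status=200 msg="MDM lookup OK"
2022-02-01T09:12:05Z mdm_server=Intune endpoint=aa:bb:cc:dd:ee:02 status=503 msg="External MDM Server Connection Failure"
2022-02-01T09:12:09Z mdm_server=Intune endpoint=aa:bb:cc:dd:ee:03 status=503 msg="External MDM Server Connection Failure"
2022-02-01T09:12:11Z mdm_server=Intune test_connection=success msg="Connection to server is successful with current settings."
2022-02-01T09:13:40Z mdm_server=Airwatch endpoint=aa:bb:cc:dd:ee:04 status=200 msg="MDM lookup OK"
2022-02-01T09:14:02Z mdm_server=Intune endpoint=aa:bb:cc:dd:ee:02 status=503 msg="External MDM Server Connection Failure"
"""

# Field names below are assumptions for the constructed format above.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+mdm_server=(?P<server>\S+)'
    r'(?:\s+endpoint=(?P<endpoint>\S+))?'
    r'(?:\s+status=(?P<status>\d{3}))?'
    r'(?:\s+test_connection=(?P<test>\S+))?'
    r'\s+msg="(?P<msg>[^"]*)"\s*$'
)


def parse_line(line):
    """Return a dict of fields for one report line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"]) if rec["status"] else None
    return rec


def summarize(log_text):
    """Aggregate per MDM server: real lookups, failures, and the last test-connection result."""
    stats = defaultdict(lambda: {
        "lookups": 0,
        "failures": 0,
        "failed_endpoints": set(),
        "test_connection_ok": False,
    })
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line: skip rather than miscount
        s = stats[rec["server"]]
        if rec["test"] is not None:
            # The admin "Test connection" button result is tracked separately
            # from real endpoint lookups, because the two can disagree.
            s["test_connection_ok"] = rec["test"] == "success"
            continue
        if rec["status"] is None:
            continue
        s["lookups"] += 1
        if rec["status"] >= 500 or "Connection Failure" in rec["msg"]:
            s["failures"] += 1
            s["failed_endpoints"].add(rec["endpoint"])
    return dict(stats)


def misleading_test_results(stats, min_lookups=2):
    """Servers whose test connection passed while every real lookup failed.

    min_lookups avoids flagging a server on a single transient error.
    """
    return sorted(
        name for name, s in stats.items()
        if s["test_connection_ok"]
        and s["lookups"] >= min_lookups
        and s["failures"] == s["lookups"]
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for name, s in sorted(summary.items()):
        print(f"{name}: lookups={s['lookups']} failures={s['failures']} "
              f"test_connection_ok={s['test_connection_ok']} "
              f"failed_endpoints={sorted(s['failed_endpoints'])}")
    print("green check but all lookups failing:", misleading_test_results(summary))
```

Pointing the parser at real report exports means adjusting LINE_RE to the actual column layout; the useful part is the separation of the test-connection result from per-endpoint lookup outcomes, which is exactly the distinction that the green check mark hides.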

hi

Let me rephrase: I was always led to believe ISE can't support 2 MDMs for the same SSID, checking for compliance etc. With a normal endpoint it would carry on until it hit a policy it could authenticate with, but with a policy to posture check whether it passes MDM, it would not go any further.

Unless there was a way of specifying which MDM to use, i.e. MobileIron or Intune, from what I gather you could create an API to manually copy the required details into certain endpoint groups. This is what I was alluding to above; this seems possible in 3.1 as it has the APIs, but it was also indicated 2.7 p7 could do it.

cheers


I am not seeing a recent and open TAC case attached to the bug. Please ask your TAC engineer to do that. And, as the issue is not reproduced by our dev team, please ask the TAC engineer to escalate to our BE team to ensure we gather enough info.