08-25-2022 12:07 AM
Hi, we are trying to integrate our Microsoft Endpoint Manager (previously Intune) into Cisco ISE 3.1 Patch 3 as an external MDM server, but it always returns API version 2 instead of version 3 when testing the connection. The documentation says version 3 is supported when using Microsoft Endpoint Manager. Enabling debug on the MDM component reveals the following lines, which seem to be relevant to the detection process:
2022-08-24 15:01:05,195 DEBUG [admin-http-pool55][] cisco.cpm.mdm.authtoken.MdmAzureActiveDirectoryClient -::::- Access token has acquired succesfully from Microsoft Azure.
2022-08-24 15:01:05,195 DEBUG [admin-http-pool55][] cisco.cpm.mdm.api.MdmServerInfoApi -::::- inside the method : callMdmServerInfoApiOnMdmServer()
2022-08-24 15:01:05,195 DEBUG [admin-http-pool55][] cisco.cpm.mdm.apiimpl.MDMVerifyServer -::::- apiVersionSb : 3, mdmApiVersionSb : , tryWithV3 : false
2022-08-24 15:01:05,195 DEBUG [admin-http-pool55][] cisco.cpm.mdm.apiimpl.MDMVerifyServer -::::- MDM Rest API Server Query String -> /ciscoise/mdminfo/?ise_api_version=3
2022-08-24 15:01:05,195 DEBUG [admin-http-pool55][] cisco.cpm.mdm.apiimpl.MDMVerifyServer -::::- MDM Rest API Server Query PATH String -> /ciscoise/mdminfo/?ise_api_version=3
2022-08-24 15:01:05,195 DEBUG [admin-http-pool55][] cisco.cpm.mdm.apiimpl.MDMVerifyServer -::::- 1. Connecting to the MDM server host fef.msub05.manage.microsoft.com using apiVersion 3
2022-08-24 15:01:05,195 DEBUG [admin-http-pool55][] cisco.cpm.mdm.util.MdmRESTClient -::::- sendGETRequestDom: start HTTP request - connectionsUsed: 2, connectionsAvailable: 198
2022-08-24 15:01:05,195 DEBUG [admin-http-pool55][] cisco.cpm.mdm.util.MdmRESTClient -::::- sendGETRequestDomNonComp: start HTTP request - connectionsUsed: 0, connectionsAvailable: 200
2022-08-24 15:01:05,195 DEBUG [admin-http-pool55][] cisco.cpm.mdm.util.MdmRESTClient -::::- ===mdmFlowInfo===null,=====serverType=====MobileDeviceManager,===serverAuthType===OAuth - Client Credentials
2022-08-24 15:01:05,195 INFO [admin-http-pool55][] cisco.cpm.mdm.util.MdmRESTClient -::::- GET: MDM Server URL: https://fef.msub05.manage.microsoft.com/StatelessNACService/ciscoise/mdminfo/?ise_api_version=3
2022-08-24 15:01:05,322 INFO [admin-http-pool55][] cisco.cpm.mdm.util.MdmRESTClient -::::- MDM Server Response Code: 200
2022-08-24 15:01:05,326 DEBUG [admin-http-pool55][] cisco.cpm.mdm.util.MdmRESTClient -::::- sendGETRequestDom: end HTTP request - connectionsUsed: 2, connectionsAvailable: 198
2022-08-24 15:01:05,326 DEBUG [admin-http-pool55][] cisco.cpm.mdm.util.MdmRESTClient -::::- sendGETRequestDomNonComp: end HTTP request - connectionsUsed: 0, connectionsAvailable: 200
2022-08-24 15:01:05,326 DEBUG [admin-http-pool55][] cisco.cpm.mdm.api.MdmServerInfoApi -::::- returning from the method : callMdmServerInfoApiOnMdmServer() -> com.cisco.cpm.mdm.api.MdmServerInfoData Object {
apiPath: /StatelessNacService/ciscodeviceinfo/mdm/api
redirectUrl: https://portal.manage.microsoft.com/networkaccesscontrol/index
queryMaxSize: 100
apiVersion: 2
vendor: Microsoft
productName: Microsoft Intune
productVersion: 5.0
COMMA: ,
errorMsg: null
errorOccurred: false
}
2022-08-24 15:01:05,893 ERROR [admin-http-pool55][] pap.api.handler.impl.HandlerInfoImpl -::::- Unable to load the handler impl class 'com.cisco.cpm.psqmgr.notification.PxGridNotificationHandler' com.cisco.cpm.psqmgr.notification.PxGridNotificationHandler
2022-08-24 15:01:05,893 ERROR [admin-http-pool55][] pap.api.handler.impl.HandlerInfoImpl -::::- Unable to get handler with name PxGridNotificationHandler
2022-08-24 15:01:05,893 WARN [admin-http-pool55][] pap.api.handler.impl.HandlerInfoImpl -::::- Handler with name 'PxGridNotificationHandler' is not loaded with impl class 'com.cisco.cpm.psqmgr.notification.PxGridNotificationHandler'
2022-08-24 15:01:05,894 ERROR [admin-http-pool55][] pap.api.handler.impl.HandlerInfoImpl -::::- Unable to load the handler impl class 'com.cisco.cpm.eps.config.ConfigChangeHandler' com.cisco.cpm.eps.config.ConfigChangeHandler
2022-08-24 15:01:05,895 ERROR [admin-http-pool55][] pap.api.handler.impl.HandlerInfoImpl -::::- Unable to get handler with name EPSConfigChangeHandler
2022-08-24 15:01:05,895 WARN [admin-http-pool55][] pap.api.handler.impl.HandlerInfoImpl -::::- Handler with name 'EPSConfigChangeHandler' is not loaded with impl class 'com.cisco.cpm.eps.config.ConfigChangeHandler'
2022-08-24 15:01:05,911 DEBUG [admin-http-pool55][] cisco.cpm.mdm.pip.MdmSettingsNotificationHandler -::::- add / update mdm server to the local MDM servers cache MSEndpMgmt
2022-08-24 15:01:05,912 INFO [admin-http-pool55][] cisco.cpm.mdm.util.MdmServersCache -::::- MDM server - Status : InActive, mdm server id : REMOVEDFROMLOG and mdm server name : MSEndpMgmt
Anyone else made this work with API version 3?
Solved! Go to Solution.
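To make the version mismatch in the debug output above easy to spot in a larger log, here is a small parser I wrote for this thread (not Cisco's or Microsoft's code). It extracts the MDM host, the instance name embedded in the request URL, the `ise_api_version` ISE asked for, the HTTP status, and the fields of the returned `MdmServerInfoData` block, then reports whether the instance answered with a lower API version than requested. The embedded log excerpt is constructed from the lines quoted in the post.

```python
import re

# Constructed excerpt modelled on the ISE MDM debug lines quoted above.
SAMPLE_LOG = """\
2022-08-24 15:01:05,195 INFO [admin-http-pool55][] cisco.cpm.mdm.util.MdmRESTClient -::::- GET: MDM Server URL: https://fef.msub05.manage.microsoft.com/StatelessNACService/ciscoise/mdminfo/?ise_api_version=3
2022-08-24 15:01:05,322 INFO [admin-http-pool55][] cisco.cpm.mdm.util.MdmRESTClient -::::- MDM Server Response Code: 200
2022-08-24 15:01:05,326 DEBUG [admin-http-pool55][] cisco.cpm.mdm.api.MdmServerInfoApi -::::- returning from the method : callMdmServerInfoApiOnMdmServer() -> com.cisco.cpm.mdm.api.MdmServerInfoData Object {
apiPath: /StatelessNacService/ciscodeviceinfo/mdm/api
redirectUrl: https://portal.manage.microsoft.com/networkaccesscontrol/index
queryMaxSize: 100
apiVersion: 2
vendor: Microsoft
productName: Microsoft Intune
productVersion: 5.0
COMMA: ,
errorMsg: null
errorOccurred: false
}
"""

# host / instance name / requested version are all in the GET URL ISE logs
URL_RE = re.compile(r"GET: MDM Server URL: https://([^/]+)/([^/]+)/ciscoise/mdminfo/\?ise_api_version=(\d+)")
CODE_RE = re.compile(r"MDM Server Response Code: (\d+)")

def parse_mdm_test(log: str) -> dict:
    """Pull the request details and the MdmServerInfoData fields out of an ISE debug log."""
    result = {"host": None, "instance": None, "requested": None, "status": None, "info": {}}
    in_block = False
    for line in log.splitlines():
        m = URL_RE.search(line)
        if m:
            result["host"], result["instance"] = m.group(1), m.group(2)
            result["requested"] = int(m.group(3))
            continue
        m = CODE_RE.search(line)
        if m:
            result["status"] = int(m.group(1))
            continue
        if "MdmServerInfoData Object {" in line:
            in_block = True          # the object body is printed one "key: value" per line
            continue
        if in_block:
            if line.strip() == "}":
                in_block = False
            elif ":" in line:
                key, _, value = line.partition(":")   # split on the first colon only (URLs contain more)
                result["info"][key.strip()] = value.strip()
    return result

def diagnose(parsed: dict) -> str:
    """Explain the test-connection outcome in one line."""
    if parsed["status"] != 200:
        return f"connection failed (HTTP {parsed['status']})"
    returned = int(parsed["info"].get("apiVersion", 0))
    if returned < parsed["requested"]:
        return (f"instance '{parsed['instance']}' on {parsed['host']} answered apiVersion "
                f"{returned} although {parsed['requested']} was requested")
    return f"apiVersion {returned} negotiated"
```

Run it against a real `ise-psc.log` excerpt after a "Test connection" and the diagnose line tells you which instance name and host the downgrade came from.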
01-13-2023 12:26 AM
Very nice find, @bart.t !
This has solved the problem for us. Here are the steps I used to get it to work:
I first tried adding a manual server, by using "fef.manage.microsoft.com" as the server (which in my case resolved to "fef.msub06.manage.microsoft.com"), but that did not work (401 Unauthorized error).
Then I completed the "Add new MDM server" with auto-discover and APIv2 just to check which server it retrieved, and it retrieved "fef.msub05.manage.microsoft.com" and a different "Instance name" than what is listed in the bug entry.
I then opened the entry and changed auto-discover to "No", then changed the "Instance name" manually to what was listed in the bug entry, and then it worked! "APIv3 supported"
01-13-2023 12:43 AM - edited 01-13-2023 12:49 AM
@rogergh thanks for getting back so quickly!
Thanks for describing the steps taken.
Basically you just edited a working APIv2 Instance and made it manual and only changed the Instance name (Default: StatelessNACService) to TrafficGateway/TrafficRoutingService/ResourceAccess/ComplianceRetrievalService? So that whole pretty long string/path?
And maybe change the port to 443, although I suppose it defaults to 443.
I'll inform the customer and schedule a session to test those settings as well.
Thanks for the cooperation on this one!
01-13-2023 01:25 AM
Yes, correct. Changing the "Instance name" manually from a working auto-discover was the only real thing I needed to do, as port is 443 by default, and then click "Test connection". Then it would report APIv3 support and I was able to turn on SAN GUID-support. Specifying host name manually did not work for me, as the "fef.manage.microsoft.com" resolved to a subserver that returned 401 unauthorized error for me.
05-23-2024 12:57 AM
Hi bart.t
I might be having the same problem, but I just don't understand where this workaround needs to be done, in ISE or in Intune?
Would you mind sending me some explanation?
Thanks,
Laszlo
05-23-2024 01:24 AM
Hi Laszlo, it's done on the MDM instance on the External MDM page in ISE (under Administration > Network resources).
05-23-2024 02:28 AM
Thanks Bart,
I found it in the meantime, but it doesn't seem to be working for me... maybe I am not even hitting this bug.
It was working until last week, nothing has changed on our side and then it stopped working.
This is what our working config looked like:
And this is how I am trying it according to the workaround, but it doesn't help:
Is this how it's working for you?
Thanks
Laszlo
05-23-2024 02:46 AM
If it did work using auto-discovery, then this would not be the issue.
Also the bug tells that it is fixed in 3.1 patch 7, 3.2 patch 2 and 3.3 vanilla.
It could be certificate chain changes from the MS/Azure/Intune side. I've seen that a couple of times. Make sure you check that, see also Integrate Intune MDM with Identity Services Engine - Cisco
Otherwise it's a good idea to contact TAC.
And don't forget to post your solution when your issue is solved.
05-23-2024 03:29 PM - edited 05-23-2024 03:33 PM
Adding a reply to an old thread that was marked as resolved can result in either no one looking at the post or getting the wrong information (as is the case here). In future, you should start a new conversation and reference older posts that *might* be relevant.
All of this information is based on old and outdated content from both Cisco and Microsoft. The current details for requirements to integrate ISE with Intune are found here:
Integrate MDM and UEM Servers with Cisco ISE
The major and patch versions of ISE required for the new MS Compliance Retrieval API are also listed there, as are the links to download the DigiCert and MS TLS certificates.
The current MS certificates required in the ISE Trust Store for the integration are the following: