ISE Integration with Intune MDM pooling problem

lukszzb
Level 1

Hi, we are testing ISE (ver 3.2) and Intune integration but are facing some issues with Intune compliance status synchronization. Can you help with the questions below:

1) How often is Cisco ISE checking compliance status for workstations? Is this related only to the polling interval parameter (under MDM settings)?

2) What does the API query for the compliance state refresh look like? Is this a mass query or workstation specific? In the MS NAC integration guides there is a limitation that a mass query should be no more than 1 query per 4 hours. Is this the reason that the default polling interval is set to 240 minutes? What if we set it lower?

3) We are facing issues with the compliance state synchronization. Our MDM polling interval is set to 15 minutes (for test purposes) and only 1 station is under the MDM policy set. When the station moves from Compliant to Non-Compliant in Intune, the status is not changed on ISE even after several hours. There are random situations (maybe 1 or 2 per day) with the state on the Cisco ISE, but this looks very random. Any idea about the issue?

4) We have enrolled the GUID parameter in the workstation certificate. What about a VPN setup terminated on an ASA: how can the GUID parameter be used in this setup? Are there any restrictions?

Thanks for help

3 Replies

Greg Gibbs
Cisco Employee

See the information on the Polling Interval in the Admin Guide here - https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_secure_wired_access.html#ID584

If you find that the system is operating differently than documented, you would be best opening a TAC case to investigate in more detail.

Regarding the VPN use case, Intune only supports inserting the GUID in the VPN Profile for Android and iPhone/iPad devices as per the Integrate MDM and UEM Servers with Cisco ISE guide.

For other device types, you would be limited to MDM lookups by MAC Address for the VPN use case as ISE has no way to learn the GUID.

lukszzb
Level 1

@Greg Gibbs thanks for the comment.

We have a TAC case opened but no answer yet. I'm investigating further, but do you know of any guides about MDM integration with an ISE cluster deployment?

What I can see is that the MDM test connection from the PAN is successful, but in the PSN node ise-psc logs I can see an MDM server authorization problem and connection error (401). Should we upload the PSN node certificate into Intune?

The best reference document for the Intune integration is here, but it does not specifically call out an example with a multi-node distributed cluster. You might consider submitting feedback directly in the document.
Integrate MDM and UEM Servers with Cisco ISE 

The API calls are made directly from the PSN that owns the session so, if the PAN and PSN nodes are using unique Admin certificates, they would all need to be added to your App Registration in Entra ID.
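A quick way to check the point above before opening the Entra portal is to compute the thumbprint of each node's Admin certificate and compare it against the thumbprints registered on the app registration. The script below is an added example and not Cisco's or Microsoft's code; it assumes the node certificates are exported as PEM, that the app registration lists certificate credentials by SHA-1 thumbprint (uppercase hex, no separators), and it uses constructed placeholder bytes in place of real certificates so it runs offline. Node names and the `NODE_CERTS` table are hypothetical.

```python
import base64
import hashlib
import re


def _fake_pem(label: str) -> str:
    """Build a constructed PEM block. The body is NOT a valid X.509
    certificate; it only stands in for a node's DER-encoded Admin cert."""
    der = hashlib.sha256(label.encode()).digest() * 4  # constructed stand-in DER
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Hypothetical deployment: one PAN and two PSNs, each with its own Admin cert.
NODE_CERTS = {
    "ise-pan-1": _fake_pem("pan-admin-cert"),
    "ise-psn-1": _fake_pem("psn1-admin-cert"),
    "ise-psn-2": _fake_pem("psn2-admin-cert"),
}

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Extract and base64-decode the first CERTIFICATE block in a PEM string."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def thumbprint(pem: str) -> str:
    """SHA-1 over the DER encoding, uppercase hex without separators: the form
    an Entra ID app registration shows under 'Certificates & secrets'."""
    return hashlib.sha1(pem_to_der(pem)).hexdigest().upper()


def unregistered_nodes(node_certs, registered_thumbprints):
    """Return the nodes whose Admin certificate thumbprint is absent from the
    app registration. MDM API calls from those PSNs cannot authenticate."""
    registered = {t.replace(":", "").upper() for t in registered_thumbprints}
    return [name for name, pem in node_certs.items()
            if thumbprint(pem) not in registered]


if __name__ == "__main__":
    # Constructed scenario: only the PAN's certificate was uploaded, which is
    # enough for the PAN's "test connection" but not for the PSNs' lookups.
    registered = {thumbprint(NODE_CERTS["ise-pan-1"])}
    for node in unregistered_nodes(NODE_CERTS, registered):
        print(f"{node}: Admin certificate not registered in Entra ID")
```

Thumbprints pasted from the portal may contain colons or lowercase hex, so the comparison normalises both sides before checking membership; a node listed by this check is the one whose PSN-side logs would show the authorization failure.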