03-27-2019 10:56 AM
Hello team,
Could anyone shed light on the expected behavior for JAMF MDM on Ethernet? My customer has been unable to get any attributes to show up for Ethernet and the MDMEnrolled shows false. Thanks!
03-27-2019 11:23 AM
I have not tried Ethernet, but from what we have seen on JAMF, it needs to load the enrollment web page before ISE will see it as compliant. You may need to set up a redirect to force this.
03-27-2019 11:35 AM
From what I have experienced, JAMF only keeps the Wi-Fi MAC address of the device as an identifier. In the case of an Ethernet connection, ISE would send the Ethernet adapter/dongle MAC address, which usually does not match that identifier. I do recall that there were plans for JAMF to add more identifiers so that ISE can match against those. Don't know if they have done that yet. Furthermore, dongles are usually hard to maintain as users could bring their own dongles to connect their laptops. Probably an endpoint group of approved dongles on ISE + the ability for users to add their own dongle MAC addresses (using the MyDevices portal) might be a way to go.
03-27-2019 11:55 AM
03-27-2019 12:18 PM
@Jason Kunst: Great to hear. I am assuming that only the AnyConnect 4.7 ISE posture module is required for this to work. Any examples of this in action? Also, how does an administrator get this UDID added to MDM beforehand?
This does not solve the Dongle use case but at least captures use cases with static docks and ethernet ports.
03-27-2019 12:28 PM
I reached out to the SMEs to take a look
03-27-2019 03:12 PM
Thanks Jason, please keep us posted.
03-28-2019 10:08 AM
Hello,
AC 4.7 is the minimum version needed for the UDID support. The UDID for the endpoint is sent to ISE via the AnyConnect agent. You can view this in the endpoint attribute list.
The MDM vendor fetches the UDID during the enrollment as it's another endpoint attribute.
With the MDM flow in ISE, ISE makes an API call to MDM using this UDID to get the compliance information!
Hope this helps.
Thanks,
Nidhi
03-28-2019 11:02 AM
03-29-2019 08:33 AM
This capability was introduced as a requirement for Cisco IT, wherein a script is used to add the UDID information in AD and the compliant status from MDM is added to an AD attribute.
We can then create a posture condition to check for this using the UDID attribute.
As of now, the UDID MDM query happens only in the VPN case because AnyConnect doesn't send the MAC address to ISE (it sends the MAC as "Unknown" or an empty string), so in that case the query happens based on UDID.
In the normal wireless/wired MDM flow, ISE will use the MAC address only to query.
Thanks,
Nidhi
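The two lookups described in the replies above (a MAC-address query for wired/wireless sessions, and a UDID query only when the agent reports the MAC as "Unknown" or empty over VPN), modelled as an added example. This is constructed illustration code, not Cisco ISE or Jamf code and not any poster's; it calls no product API, and the inventory records, UDIDs and MAC addresses in it are made up. It also shows why a bring-your-own dongle MAC leaves MDMEnrolled false: the wired flow never falls back to UDID.

```python
"""Constructed model of ISE -> MDM endpoint matching as described in the thread.

Not ISE or Jamf code. It mimics the query order the replies describe:
  - wired/wireless session: query MDM by the session MAC only
  - VPN session (MAC "Unknown" or ""): query MDM by the AnyConnect-supplied UDID
"""
import re
from dataclasses import dataclass
from typing import Optional

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: Optional[str]) -> Optional[str]:
    """Canonical 12-hex-digit lowercase MAC, or None if no usable MAC was sent.

    ISE and MDM inventories write MACs differently (AA:BB:.., aa-bb-.., aabb.cc..),
    so both sides are compared in one form. "Unknown" and "" (what the replies
    say AnyConnect sends over VPN) contain no valid MAC and map to None.
    """
    if mac is None:
        return None
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return digits if MAC_RE.match(digits) else None


@dataclass
class MdmRecord:
    """One device as the MDM holds it (constructed sample shape, not Jamf's schema)."""
    name: str
    udid: str
    macs: list          # primary (Wi-Fi) MAC plus, at most, one alternate, as the thread describes
    compliant: bool


@dataclass
class SessionEndpoint:
    """Attributes ISE has for one session (constructed)."""
    calling_station_id: Optional[str]   # MAC on the port/SSID, or "Unknown"/"" over VPN
    udid: Optional[str] = None          # only present with AnyConnect >= 4.7 posture


class MdmInventory:
    def __init__(self, records):
        self._by_mac = {}
        self._by_udid = {}
        for rec in records:
            self._by_udid[rec.udid] = rec
            for mac in rec.macs:
                key = normalize_mac(mac)
                if key:
                    self._by_mac[key] = rec

    def lookup(self, ep: SessionEndpoint):
        """Return (key_used, record_or_None), following the thread's query order."""
        mac = normalize_mac(ep.calling_station_id)
        if mac is not None:
            # Wired/wireless flow: MAC only. No UDID fallback, even if one is known.
            return "mac", self._by_mac.get(mac)
        if ep.udid:
            # VPN flow: MAC unusable, so query by UDID.
            return "udid", self._by_udid.get(ep.udid)
        return "none", None


def compliance_for(inv: MdmInventory, ep: SessionEndpoint) -> dict:
    """What an authorization policy would see: MDMEnrolled and compliance state."""
    key, rec = inv.lookup(ep)
    if rec is None:
        return {"key": key, "mdm_enrolled": False, "compliant": None}
    return {"key": key, "mdm_enrolled": True, "compliant": rec.compliant}


# Constructed sample inventory: one Mac with its Wi-Fi MAC and one docked-port MAC.
SAMPLE_INVENTORY = MdmInventory([
    MdmRecord("mbp-alice", "udid-alice-0001",
              ["A4:83:E7:11:22:33", "00:E0:4C:AA:BB:CC"], compliant=True),
])

if __name__ == "__main__":
    for label, ep in [
        ("wifi",        SessionEndpoint("a4-83-e7-11-22-33")),
        ("known dock",  SessionEndpoint("00e0.4caa.bbcc")),
        ("byo dongle",  SessionEndpoint("00:11:22:33:44:55", udid="udid-alice-0001")),
        ("vpn",         SessionEndpoint("Unknown", udid="udid-alice-0001")),
    ]:
        print(label, compliance_for(SAMPLE_INVENTORY, ep))
```

The "byo dongle" case is the thread's symptom: the session carries a MAC, so the model queries by MAC, the dongle MAC is not in the inventory, and the result is not enrolled even though the UDID is known. Only the VPN case, where the MAC is unusable, reaches the UDID lookup.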
04-16-2019 08:06 AM
Hey @Nidhi -
I understand that 2.6 + AC 4.7 supports sending the UDID via the posture flow, but this would only cover customers using ISE posture. In the past, Jamf would get the MAC addresses of whatever NICs (I believe up to two of them) when it registers initially or when sudo jamf recon is run.
Is there some way to get Jamf to reconfigure via an AuthZ policy/DACL so that it (with the right access to the server, of course) can update the MAC addresses for the macOS device? We had not planned to use posture, and this customer does not have the license required as far as I know.
09-13-2020 07:33 PM
Hi Nidhi,
Do you happen to know if this is already supported for non-VPN solutions?
Regards,
Jayson
03-27-2019 11:52 AM
JAMF can have 2 identifiers, but yes, the dongles are annoying, as we have 1 user that bounces through 3 of them.
OP may be talking about iMacs or Mac Pros, so may not worry about the wireless NIC.