ISE/JAMF MDM Attributes

caroolso
Cisco Employee

Hello team,
Could anyone shed light on the expected behavior for JAMF MDM on Ethernet? My customer has been unable to get any attributes to show up for Ethernet and the MDMEnrolled shows false. Thanks!

12 Replies

I have not tried Ethernet, but from what we have seen on JAMF, it needs to load the enrollment web page before ISE will see it as compliant. You may need to set up a redirect to force this.

Rahul Govindan
VIP Alumni

From what I have experienced, JAMF only keeps the Wi-Fi MAC address of the device as an identifier. In the case of an Ethernet connection, ISE would send the Ethernet adapter/dongle MAC address, which usually does not match that identifier. I do recall that there were plans for JAMF to add more identifiers so that ISE can match against those. Don't know if they have done that yet. Furthermore, dongles are usually hard to maintain as users could bring their own dongles to connect their laptops. Probably an endpoint group of approved dongles on ISE + the ability for users to add their own dongle MAC addresses (using the MyDevices portal) might be a way to go.

@Jason Kunst: Great to hear. I am assuming that only the AnyConnect 4.7 ISE posture module is required for this to work. Any examples of this in action? Also, how does an administrator get this UDID to be added to MDM beforehand?

This does not solve the dongle use case but at least captures use cases with static docks and Ethernet ports.

I reached out to the SMEs to take a look.

Thanks Jason, please keep us posted.

Hello, 

AC 4.7 is the minimum version needed for the UDID support. The UDID for the endpoint is sent to ISE via the AnyConnect agent. You can view this in the endpoint attribute list.

The MDM vendor fetches the UDID during the enrollment as it's another endpoint attribute.

With the MDM flow in ISE, ISE makes an API call to MDM using this UDID to get the compliance information!

Hope this helps.

Thanks,

Nidhi
Hi Nidhi,

Thanks for the information here. So is the only way for my customer to see the attributes for JAMF MDM Ethernet to use the AnyConnect 4.7 integration?

Also, could you confirm that seeing no attributes and "False" MDMEnrolled is expected behavior without the AC integration?

Thanks!

This capability was introduced as a requirement for Cisco IT, wherein a script is used to add the UDID information in AD and the compliant status from MDM is added to an AD attribute.

We can then create a posture condition to check for this using the UDID attribute.

As of now, the UDID MDM query happens only in the VPN case because AnyConnect doesn't send the MAC address to ISE (it sends the MAC as Unknown or an empty string), so in that case the query happens based on the UDID.

In the normal wireless/wired MDM flow, ISE will use only the MAC address to query.

Thanks,

Nidhi 
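To make the two lookup paths Nidhi describes (and the dongle mismatch Rahul raised) concrete, here is a small model of the decision logic. It is an added example written for this thread, not Cisco ISE or Jamf code, and every name in it (MdmRecord, MdmInventory, lookup_compliance, the sample UDID and MAC addresses) is made up. It assumes, per the posts above, that the MDM only knows the identifiers recorded at enrollment, that the normal wired/wireless flow queries by MAC only, and that the VPN flow falls back to the UDID because AnyConnect reports the MAC as Unknown or empty. The optional approved-dongle map stands in for the "endpoint group of approved dongles" idea and is an assumption, not a documented ISE feature.

```python
"""Toy model of the ISE -> MDM compliance lookup discussed in this thread.

Constructed example; not Cisco or Jamf code. All identifiers are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class MdmRecord:
    udid: str
    macs: FrozenSet[str]   # identifiers the MDM recorded at enrollment (Wi-Fi MAC only, here)
    compliant: bool


@dataclass(frozen=True)
class MdmResult:
    enrolled: bool                 # what ISE would show as MDMEnrolled
    compliant: Optional[bool]      # None when the MDM returned no record
    matched_by: Optional[str]      # "mac", "udid", "dongle->udid" or None


def normalize_mac(mac: Optional[str]) -> Optional[str]:
    """Canonical lowercase colon form; None for the 'Unknown'/empty values AnyConnect sends."""
    if not mac or mac.strip().lower() == "unknown":
        return None
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


class MdmInventory:
    """Stand-in for the MDM server's device database (hypothetical)."""

    def __init__(self, records: Iterable[MdmRecord]) -> None:
        self.by_udid: Dict[str, MdmRecord] = {r.udid: r for r in records}
        self.by_mac: Dict[str, MdmRecord] = {}
        for r in self.by_udid.values():
            for m in r.macs:
                self.by_mac[normalize_mac(m)] = r

    def lookup_compliance(self, session_mac: Optional[str], session_udid: Optional[str] = None,
                          approved_dongles: Optional[Dict[str, str]] = None) -> MdmResult:
        """Return what ISE would learn for one session.

        approved_dongles: optional {normalized dongle MAC: owner UDID} map, an assumed
        workaround modelling the 'endpoint group of approved dongles' suggestion.
        """
        mac = normalize_mac(session_mac)
        if mac is None:
            # VPN/AnyConnect case: no usable MAC, so the query is by UDID only.
            rec = self.by_udid.get(session_udid) if session_udid else None
            return MdmResult(True, rec.compliant, "udid") if rec else MdmResult(False, None, None)
        # Normal wired/wireless flow: MAC only. A dongle MAC the MDM never saw misses here.
        rec = self.by_mac.get(mac)
        if rec:
            return MdmResult(True, rec.compliant, "mac")
        owner = (approved_dongles or {}).get(mac)
        rec = self.by_udid.get(owner) if owner else None
        if rec:
            return MdmResult(True, rec.compliant, "dongle->udid")
        return MdmResult(False, None, None)


# Constructed sample data: one MacBook enrolled with only its Wi-Fi MAC, plus a USB dongle MAC.
INVENTORY = MdmInventory([MdmRecord("UDID-MBP-0001", frozenset({"A4:83:E7:11:22:33"}), True)])
DONGLE_MAC = "00:E0:4C:68:AB:CD"


def demo() -> Dict[str, MdmResult]:
    """Run the four cases from the thread and return the results keyed by scenario."""
    return {
        "wifi": INVENTORY.lookup_compliance("a4:83:e7:11:22:33"),
        "dongle": INVENTORY.lookup_compliance(DONGLE_MAC),
        "vpn": INVENTORY.lookup_compliance("Unknown", session_udid="UDID-MBP-0001"),
        "dongle_approved": INVENTORY.lookup_compliance(
            DONGLE_MAC, approved_dongles={normalize_mac(DONGLE_MAC): "UDID-MBP-0001"}),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:16} enrolled={result.enrolled} compliant={result.compliant} via={result.matched_by}")
```

The "dongle" scenario reproduces the symptom in the question: the session MAC is valid but unknown to the MDM, so the lookup returns not enrolled with no attributes. Only the "vpn" path uses the UDID, matching the statement that the normal wired/wireless flow queries by MAC alone.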

ruhearn
Cisco Employee

Hey @Nidhi -

I understand that 2.6 + AC 4.7 supports sending the UDID via the posture flow, but this would only cover customers using ISE posture. In the past, Jamf would get the MAC addresses of whatever NICs (I believe up to two of them) when it registers initially or when sudo jamf recon is run.

Is there some way to get Jamf to reconfigure via an AuthZ policy/DACL so that it (with the right access to the server, of course) can update the MAC addresses for the Mac OS device? We had not planned to use posture and this customer does not have the license required as far as I know. 

Hi Nidhi,
Do you happen to know if this is already supported for non-VPN solutions?
Regards,

Jayson

JAMF can have 2 identifiers, but yes, the dongles are annoying as we have 1 user that bounces through 3 of them.
OP may be talking about iMacs or Mac Pros, so may not worry about the wireless NIC.