12-07-2017 07:17 AM
This is a customer scenario, which is as follows:
We would like to be able to simplify the current onboarding processes onto MobileIron and Cisco ISE, if possible without compromising our current security.
The process for corporate devices would be as follows:
1. Join unsecured Corporate Onboarding SSID (only available in IT Building) with access to MobileIron Core on-premises and Apple services.
2. iOS device checks in with Apple DEP and, if applicable, is redirected to our on-premises MobileIron Core.
3. User is prompted to sign into MobileIron with domain credentials.
4. Device is automatically onboarded to MobileIron.
5. MobileIron deploys any in-house apps, internal certs, etc.
6. MobileIron adds Embrace (Trust Wifi) with the required certs for ISE onboarding, and the device is postured as a Corporate device.
The process for BYOD would be as follows:
1. Join unsecured BYOD SSID with access to MobileIron Core on-premises, the MobileIron BYOD Portal in the cloud, and Apple services.
2. If the device does not have MobileIron installed, redirect the user to https://XXX.byodportal.com
3. User logs in to the BYOD portal with domain credentials.
4. Device is onboarded to MobileIron.
5. MobileIron deploys any in-house apps, internal certs, etc.
6. MobileIron adds Embrace (Trust Wifi) with the required certs for ISE onboarding, and the device is postured as a BYOD device.
I believe not using ISE for onboarding will create holes, in that ISE will not have visibility of the devices that ONLY the MDM platform has visibility of. Since ISE is the central policy engine, ideally all of the endpoints should be known to ISE and ISE should control access to the MDM platform. Is that fair to say?
Any other obvious points that need to be highlighted?
Thanks,
Abhi
12-07-2017 03:31 PM
I never use ISE in MDM onboarding. MDMs like MobileIron have been onboarding mobile devices for years and don't need any help from ISE. I usually tell customers to onboard their mobile devices over the Internet, which could be available via the Guest wireless network or over the cellular data network.
As long as MobileIron pushes the correct corporate WLAN profile and associated certs, the mobile device can be authenticated by devices just fine. In fact, if your customers know MobileIron well, they can deploy two different cert types to mobile devices based on whether they are company owned or employee owned.
For example, when a company-owned device is registered, it can get pushed an identity certificate that contains OU=Company Owned. When a BYOD device is registered, a cert with OU=Employee Owned can be pushed. Then ISE can have rules that match the subject in the cert to identify company owned vs. BYOD, and allow company-owned mobiles to access the internal network while employee-owned ones can only access the Internet.
IMO adding ISE into the onboarding mix only complicates what is a pretty simple process.
12-07-2017 03:37 PM
Very nice information, Paul. I agree with your analysis. What about enforcement if a device falls out of compliance? Do you redirect them to a portal telling them they need to fix their mobile device?
12-08-2017 05:47 AM
Jason,
It depends on what the customer wants. Many times the customer just wants to make sure the mobile devices are registered with the MDM. If that is the case, I often don't even do an MDM integration. If the customer's CA cert issuance is secure and controlled, I can reasonably assume that the only way a cert would be present on the mobile device is if it is registered with the MDM.
If the customer wants compliance checking, then I will deny internal network access and redirect to a portal, depending on what the customer wants to do in that situation.
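The two replies above describe one decision in two parts: Paul's certificate-OU rule (OU=Company Owned gets the internal network, OU=Employee Owned gets Internet only) and his compliance-checking variant (deny internal access and redirect to a portal). The following is an added worked example, not code from the thread or from Cisco or MobileIron, that models that decision as a small policy function. It assumes the two OU strings from Paul's post, uses placeholder names for the authorization results (a real deployment would map these to ISE authorization profiles such as a VLAN, dACL or redirect), and uses a simplified RFC 4514 DN parser that handles backslash-escaped commas but not multi-valued RDNs or hex escapes. All DNs below are constructed samples.

```python
"""Added example: classify a device by the OU in its client certificate
subject and derive a network authorization result, with an optional MDM
compliance verdict layered on top. Standard library only."""
from typing import List, Optional, Tuple

# Authorization results. Names are placeholders for whatever ISE
# authorization profiles (VLAN, dACL, redirect) the deployment defines.
CORP_INTERNAL = "CORP_INTERNAL"              # company-owned: internal network
INTERNET_ONLY = "INTERNET_ONLY"              # BYOD: Internet access only
REDIRECT_PORTAL = "REDIRECT_REMEDIATION_PORTAL"
DENY = "DENY"

# OU value the MDM places in the cert at enrolment -> authorization result.
OU_POLICY = {
    "Company Owned": CORP_INTERNAL,
    "Employee Owned": INTERNET_ONLY,
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 string DN into (attribute, value) pairs.

    A backslash escapes the next character, so 'O=Acme\\, Inc' stays one
    value. Attribute types are upper-cased; values keep their case.
    Multi-valued RDNs ('+') and hex escapes are not handled (simplification).
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf))

    pairs = []
    for rdn in rdns:
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def classify_by_ou(subject_dn: str) -> Optional[str]:
    """Return the policy result for a certificate subject, or None when the
    OU is missing, unrecognised, or ambiguous (two OUs mapping to different
    results). Matching only on OU, never on CN, keeps the decision tied to
    the field the MDM controls at issuance."""
    results = {OU_POLICY[v] for a, v in parse_dn(subject_dn)
               if a == "OU" and v in OU_POLICY}
    return results.pop() if len(results) == 1 else None


def authorize(subject_dn: str, mdm_compliant: Optional[bool] = None) -> Tuple[str, str]:
    """Decide network access for a device presenting a client certificate.

    mdm_compliant=None models the 'no MDM integration' case: the certificate
    alone is taken as evidence of enrolment. False models the compliance-
    checking case: internal access is denied and the device is redirected.
    Returns (result, reason) so the reason can be logged for investigation.
    """
    result = classify_by_ou(subject_dn)
    if result is None:
        return DENY, "no single recognised OU in certificate subject"
    if mdm_compliant is False:
        return REDIRECT_PORTAL, "MDM reports device out of compliance"
    return result, f"matched OU policy -> {result}"


if __name__ == "__main__":
    # Constructed sample subjects; not real certificates.
    samples = [
        ("CN=ipad-0042,OU=Company Owned,O=Example Corp", None),
        ("CN=iphone-0007,OU=Employee Owned,O=Example Corp", None),
        ("CN=iphone-0007,OU=Employee Owned,O=Example Corp", False),
        ("CN=unknown-device,O=Example Corp", None),           # no OU -> deny
        (r"CN=x,OU=Employee Owned,O=Acme\, Inc", True),       # escaped comma
    ]
    for dn, status in samples:
        print(f"{dn:55s} compliant={status!s:5s} -> {authorize(dn, status)}")
```

Two points in the design follow Paul's reasoning: a certificate without a recognised OU is denied rather than given Internet access, because under a controlled CA the OU is the only evidence of enrolment, and the compliance verdict is checked after the OU match so a non-compliant device is redirected to remediation instead of silently dropped to the BYOD result.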
12-08-2017 05:51 AM
Makes perfect sense! If you're requiring cert auth on the internal network, then that's the only way they can get connected.
The customer will need to do all controls through the MDM; they won't be able to have users revoke through My Devices or our admin portal either.
12-08-2017 05:56 AM
One of the things I always challenge customers on when talking about mobile devices is "Why are you letting them connect to your internal network in the first place?" The nature of them being mobile typically means that all the apps they need to get to are presented securely over the Internet. Most times they just want to get on wireless to avoid using cellular data. If we get the mobile devices on the Internet, they usually are good to go.