
ISE - Mobile Iron MDM integration for Cisco Secure Client IOS VPN

murat001
Level 4

Hi all.

We are trying to integrate Ivanti MobileIron and Cisco ISE. But we couldn't send the DeviceUniqueIdentifier key with the GUID variable on Cisco Secure Client for Apple iOS, therefore Cisco ISE cannot send a query to the Ivanti MDM during the Cisco Secure Client VPN connection.

We are adding it as custom data on the AnyConnect profile with Ivanti MDM as follows.

add custom data > key = DeviceUniqueIdentifer > Value = $DEVICE_UDID$

Is this variable correct? Should we see this attribute named "DeviceUniqueIdentifier" in the ISE live log or in the Cisco-AV-Pair attributes like mdm-tlv?

Has anyone done this ISE and Ivanti integration during SSL VPN? We need this integration for mobile device jailbreak status control during the SSL VPN connection.

We are using Cisco ISE 3.3 Patch 2, Cisco Firepower 7.4.1, Cisco Secure Client 5.3 and Ivanti MDM.

Thanks. 

3 Replies

Greg Gibbs
Cisco Employee

UDID-based lookups are an older method used prior to the ISE MDM APIv3 introducing GUID-based lookups. You should be using the newer GUID-based lookup mechanism as described here:
https://www.cisco.com/c/en/us/td/docs/security/ise/UEM-MDM-Server-Integration/b_MDM_UEM_Servers_CiscoISE/m_integrate-ivanti-uem.html

This example is for certificate-based authentication (EAP-TLS). For the VPN use case, Ivanti would need a way to deploy a VPN profile for Secure Client on the device that has the GUID included. That info would be sent to ISE in the AnyConnect Identity Extensions so that ISE could use that GUID to perform the lookup.

You would need to confirm with Ivanti if they support something like this.
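
The reply above turns on what identifier actually reaches ISE inside the AnyConnect Identity Extensions (the Cisco-AV-Pair values prefixed mdm-tlv) and whether it is GUID-shaped or UDID-shaped. The following is an added example, not code from the original thread, Cisco or Ivanti: it parses constructed mdm-tlv strings in the form ISE shows them in a live log (the exact attribute names device-uid, device-mac and device-platform, and the sample values, are assumptions), classifies the device-uid as a GUID, a legacy 40-hex iOS UDID or the newer 8+16-hex iOS UDID, and picks the lookup key an APIv3-style GUID-or-MAC query would have to use. The preference for a GUID over the MAC follows the reply above, not any documented ISE ordering.

```python
"""Classify the device identifier a Secure Client session hands ISE via mdm-tlv.

Added example, not from the original thread. All attribute names and sample
values below are assumptions/constructed; adjust them to what your ISE live log
actually shows under Cisco-AV-Pair.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample Cisco-AV-Pair values for one Secure Client iOS session.
# Hypothetical: a UDID-shaped device-uid (what the poster sees) plus a MAC.
SESSION_UDID_ONLY: List[str] = [
    "mdm-tlv=device-platform=ios",
    "mdm-tlv=device-platform-version=17.4",
    "mdm-tlv=device-type=iPhone",
    "mdm-tlv=device-mac=02-11-22-33-44-55",
    "mdm-tlv=device-uid=00008030-001A2B3C4D5E6F00",
    "audit-session-id=0a0101010000001a",  # not an mdm-tlv, must be ignored
]

# Hypothetical: the same session once the profile carries a GUID instead.
SESSION_WITH_GUID: List[str] = [
    "mdm-tlv=device-platform=ios",
    "mdm-tlv=device-mac=02-11-22-33-44-55",
    "mdm-tlv=device-uid=3f2504e0-4f89-11d3-9a0c-0305e82c3301",
]

LEGACY_UDID_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)              # pre-2018 iOS UDID
MODERN_UDID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{16}$", re.IGNORECASE)  # iPhone XS and later
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
MAC_RE = re.compile(r"^([0-9a-f]{2}[-:]){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_mdm_tlv(av_pairs: List[str]) -> Dict[str, str]:
    """Return {key: value} for every 'mdm-tlv=key=value' AV-pair; skip the rest."""
    tlv: Dict[str, str] = {}
    for pair in av_pairs:
        if not pair.startswith("mdm-tlv="):
            continue
        key, sep, value = pair[len("mdm-tlv="):].partition("=")
        if sep:  # malformed entries without '=' are dropped rather than guessed
            tlv[key.strip()] = value.strip()
    return tlv


def classify_device_uid(value: Optional[str]) -> str:
    """'guid', 'udid', 'unknown' or 'missing' for the device-uid value."""
    if not value:
        return "missing"
    if GUID_RE.match(value):
        return "guid"
    if LEGACY_UDID_RE.match(value) or MODERN_UDID_RE.match(value):
        return "udid"
    return "unknown"


def choose_lookup_key(av_pairs: List[str]) -> Optional[Tuple[str, str]]:
    """Pick the key a GUID-or-MAC MDM lookup could use, or None if neither is usable.

    Preference order (GUID first, then MAC) is an assumption taken from the reply
    above; a UDID-shaped device-uid is deliberately not offered as a lookup key.
    """
    tlv = parse_mdm_tlv(av_pairs)
    uid = tlv.get("device-uid")
    if classify_device_uid(uid) == "guid":
        return ("guid", uid.lower())
    mac = tlv.get("device-mac", "")
    if MAC_RE.match(mac):
        return ("mac", mac.replace("-", ":").lower())
    return None


if __name__ == "__main__":
    for name, session in (("udid-only", SESSION_UDID_ONLY), ("with-guid", SESSION_WITH_GUID)):
        uid = parse_mdm_tlv(session).get("device-uid")
        print(f"{name}: device-uid={uid} -> {classify_device_uid(uid)}, "
              f"lookup key={choose_lookup_key(session)}")
```

Run it against the attribute list copied from the ISE live log for a failing session: if the device-uid classifies as "udid" rather than "guid", the profile is still delivering the legacy identifier and the only remaining APIv3-style key is the MAC, which is what the reply above says would need confirming with Ivanti.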

Hi Greg, thanks for your interest.

In any case, shouldn't we also need to send the GUID with this key named "DeviceUniqueIdentifier" for the iOS device? You can find the following link. If we use a GUID string in this key, iOS Secure Client can send it as a GUID; if we use a UDID, iOS CSC will send it as a UDID. Am I right? Or which key should I use?

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215064-mdm-configuration-of-device-identifier-f.html

By the way, I saw some MDM query requests in the ISE.psc debug log with the UDID, but they return the default MDM attribute. As far as I know, the UDID and GUID number appear the same in the Cisco ISE mdm-tlv attributes.

As you can see in the log below, ISE is able to send the lookup query to the MDM with the UDID, but I guess the MDM server rejects it or cannot return the compliance check API and GET Device List API.

[attached screenshot: mdm.png, ISE debug log excerpt]

Thanks 

That is an old document that was relevant to an earlier version of the UDID-based MDM API and pre-dates the migration to the GUID-based MDM APIv3.

I have no experience with Ivanti, but I suspect (based on the MDM/UEM document shared earlier) that their current API would be expecting a lookup based on either a GUID (which would need to be provided to ISE by the client) or possibly the MAC address.
You would likely need to confirm with Ivanti what their current API supports and see if they have any documentation on how this is done on the MDM side.