Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1948
Views
0
Helpful
3
Replies

ISE not pulling system domain information for MAC OSX devices during posture

Go to solution
mparthan
Cisco Employee
Cisco Employee

‎09-17-2018 12:04 PM

Hello Team,

 

Would the posture module populate system domain information for OSX by default even if the condition is not set as a requirement?

 

I see the system domain information populated in the posture report for Windows , however it is blank when a posture report is sent for the mac device. Refraining from uploading screenshots since it contains user data.

 

For my Windows workstation, I have a condition defined to see if the workstation is domain joined or not,but dont have a similar condition for OSX.

 

How is the system domain information populated? Does the Anyconnect gather it as a base attribute or based on the conditions enforced?

 

Thanks for helping with this.

 

--Malavika

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
howon
Cisco Employee
Cisco Employee

‎09-17-2018 02:39 PM - edited ‎09-18-2018 05:53 PM

You can gather macOS AD domain membership using the plist files. Simple way is to find out if there is plist file (EXAMPLE as the AD domain name):

/Library/Preferences/OpenDirectory/DynamicData/Active\ Directory/EXAMPLE.plist

 

If you want to get more detailed information about the domain then you can also look into the plist file and compare the values within. Sample command here will allow you to view the content of plist file so you can craft matching ISE posture conditions:

sudo defaults read /Library/Preferences/OpenDirectory/DynamicData/Active\ Directory/EXAMPLE.plist

 

Note that it is not going to provide what is the data that is being matched, rather it will simply tell you whether your string matches with it or not. If you need to match multiple domains, you can create multiple conditions and combine them as compound conditions.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
howon
Cisco Employee
Cisco Employee

‎09-17-2018 02:39 PM - edited ‎09-18-2018 05:53 PM

You can gather macOS AD domain membership using the plist files. Simple way is to find out if there is plist file (EXAMPLE as the AD domain name):

/Library/Preferences/OpenDirectory/DynamicData/Active\ Directory/EXAMPLE.plist

 

If you want to get more detailed information about the domain then you can also look into the plist file and compare the values within. Sample command here will allow you to view the content of plist file so you can craft matching ISE posture conditions:

sudo defaults read /Library/Preferences/OpenDirectory/DynamicData/Active\ Directory/EXAMPLE.plist

 

Note that it is not going to provide what is the data that is being matched, rather it will simply tell you whether your string matches with it or not. If you need to match multiple domains, you can create multiple conditions and combine them as compound conditions.

0 Helpful

Go to solution
mparthan
Cisco Employee
Cisco Employee
In response to howon

‎09-17-2018 04:31 PM

Thanks for the input, Hosuk.

 

So this means Anyconnect will not automatically grab this information as the customer thinks it should, correct?

 

What about Windows? does Anyconnect populate this domain information for Windows workstations automatically? If not, how is that information collected in the posture report.


Thanks,

Malavika

0 Helpful

Go to solution
howon
Cisco Employee
Cisco Employee
In response to mparthan

‎09-17-2018 04:51 PM

If customer wants to see what the value is, then no. However, if customer wants to validate whether the value is X then it is possible.

 

Yes, AC Posture module does this automatically for Windows. If you want to similar result for AD joined macOS, please work with the PM team.

0 Helpful
Customers Also Viewed These Support Documents