
ISE SCCM DDM endpoint registration check for user session

Greg Gibbs
Cisco Employee

Hi all,

 

I haven't found any good information detailing how ISE queries SCCM when integrated as a Desktop Device Manager.

I assume that ISE uses the Windows machine hostname as the identity for the query (WMI/API?) against SCCM to request Registration/Compliance status. Is there any documentation available that defines this in more detail?

 

For a PEAP or EAP-TLS user auth session, is ISE still able to query SCCM for the Registration/Compliance status of the related machine (assuming native supplicant with no EAP-Chaining)?

 

10 Replies

Jason Kunst
Cisco Employee
EAP chaining is not required

I believe a special registration ID is set up between the agent, ISE and the server.

Also, the integration between Microsoft SCCM and ISE is special, for a tighter package and easier, streamlined onboarding.

Have you checked this out?

https://community.cisco.com/t5/security-documents/ise-design-amp-integration-guides/ta-p/3621164#toc-hId--881615321

Thanks Jason. I've seen that PPT deck, but it's still pretty vague about the WMI comms between ISE and SCCM.

I was hoping we would have something with a bit more detail on what identity ISE uses in the WMI call (similar to MDM API call using MAC Address) so I could be sure that an SCCM registration check will work on a User Auth session.

 

I've set up SCCM in my home lab, so I'll do some testing when I have a chance and update this post with my results.

I asked our SME @Nidhi to take a look.

ISE uses a user account which is a member of the SMS admin group to query the status of endpoints.

A sample query looks like this:

select SMS_R_System.Name,
       SMS_G_System_CI_ComplianceState.CI_UniqueID,
       SMS_G_System_CI_ComplianceState.ComplianceState,
       SMS_G_System_CI_ComplianceState.LocalizedDisplayName,
       SMS_G_System_CH_ClientSummary.LastPolicyRequest
from SMS_R_System
left join SMS_G_System_CI_ComplianceState on SMS_G_System_CI_ComplianceState.ResourceID = SMS_R_System.ResourceId
left join SMS_G_System_CH_ClientSummary on SMS_G_System_CH_ClientSummary.ResourceID = SMS_R_System.ResourceId
left join SMS_G_System_NETWORK_ADAPTER on SMS_G_System_NETWORK_ADAPTER.ResourceId = SMS_R_System.ResourceId
where (SMS_R_System.MacAddresses like '%MAC_ADDRESS%' OR SMS_G_System_NETWORK_ADAPTER.MACAddress like '%MAC_ADDRESS%')
  AND SMS_G_System_CI_ComplianceState.CI_UniqueID = 'ScopeId_5E0BA349-421B-4663-8E5F-3D2C408A3FA5/Baseline_28ff969f-cc82-4246-a15d-214d1489b076'

I am also in the process of documenting the details for the MDM flow; it should be available in a few days.

 

Thanks,

Nidhi

Thanks @Nidhi and @Jason Kunst.

 

If you can also include information on what constitutes a 'MDM.DeviceRegisterStatus=true' response from SCCM, that would be helpful.

In my home lab, I've performed a manual device discovery in SCCM for my test PC which includes the MAC Address but I still appear to be getting a 'MDM.DeviceRegisterStatus=false' response from SCCM. I don't currently have the SCCM Client deployed to the PC, but I'm not sure if that's required.

I would like to get some of this sorted out prior to trying to setup a PoC in my customer's environment.

Just to close the loop on this, I was able to get this working in my lab with the following caveats/observations.

  1. SCCM does not consider the endpoint registered until the CM Client is installed and Active (PC calls home to SCCM). Manually registering an endpoint in SCCM (and adding the MAC address) does not work as SCCM returns a 'MDM.DeviceRegisterStatus=false' response.
  2. The SCCM registration check works for both 802.1X computer and user sessions (user or computer auth setting in Windows).
  3. The SCCM registration check works for both Wired and Wireless sessions. I would have to assume that the CM Client communicates all available MAC Addresses to SCCM (unlike other MDM vendors like JAMF, AirWatch, etc).
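If you want to see for yourself what SCCM returns for a given endpoint, the following script (an added example, not code from this thread, from Cisco or from Microsoft) runs the WQL query Nidhi posted above against the SMS Provider for one MAC address and prints the client check-in time and baseline compliance state. The provider host, site code and baseline CI_UniqueID are placeholders you replace with your own; the account running it needs read access to the site's WMI namespace, which is the same kind of access the thread describes for the ISE service account.

```powershell
<#
  Added example (not from this thread, Cisco or Microsoft): run the WQL query
  posted in the thread against the SMS Provider for one endpoint MAC address,
  to see what SCCM holds for that endpoint before looking at the ISE side.
  The provider host, site code and baseline CI_UniqueID are placeholders.
#>
param(
    [Parameter(Mandatory)]
    [string]$MacAddress,                                   # any common format, e.g. 00-11-22-33-44-55
    [string]$SmsProvider = 'sccm01.example.local',         # placeholder: SMS Provider host
    [string]$SiteCode    = 'PS1',                          # placeholder: site code
    [string]$BaselineId  = 'ScopeId_PLACEHOLDER/Baseline_PLACEHOLDER'  # placeholder: CI_UniqueID of your baseline
)

# Keep only the 12 hex digits, then rebuild the colon-separated upper-case form
# SCCM stores. Filtering to hex digits also guarantees nothing but hex and
# colons is spliced into the WQL string.
$hex = ($MacAddress -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($hex.Length -ne 12) { throw "Not a MAC address: $MacAddress" }
$mac = $hex -replace '(..)(?!$)', '${1}:'

# The query from the thread, with the MAC and baseline substituted.
$wql = @"
select SMS_R_System.Name,
       SMS_G_System_CI_ComplianceState.CI_UniqueID,
       SMS_G_System_CI_ComplianceState.ComplianceState,
       SMS_G_System_CI_ComplianceState.LocalizedDisplayName,
       SMS_G_System_CH_ClientSummary.LastPolicyRequest
from SMS_R_System
left join SMS_G_System_CI_ComplianceState
       on SMS_G_System_CI_ComplianceState.ResourceID = SMS_R_System.ResourceId
left join SMS_G_System_CH_ClientSummary
       on SMS_G_System_CH_ClientSummary.ResourceID = SMS_R_System.ResourceId
left join SMS_G_System_NETWORK_ADAPTER
       on SMS_G_System_NETWORK_ADAPTER.ResourceId = SMS_R_System.ResourceId
where (SMS_R_System.MacAddresses like '%$mac%'
       or SMS_G_System_NETWORK_ADAPTER.MACAddress like '%$mac%')
  and SMS_G_System_CI_ComplianceState.CI_UniqueID = '$BaselineId'
"@
$wql = ($wql -replace '\s+', ' ').Trim()

# Joined SMS Provider queries come back as objects carrying one embedded
# object per class, hence $row.SMS_R_System.Name below.
$rows = Get-WmiObject -ComputerName $SmsProvider -Namespace "root\SMS\site_$SiteCode" -Query $wql

if (-not $rows) {
    Write-Output "No record for $mac with baseline $BaselineId. Per the observations in this thread, expect MDM.DeviceRegisterStatus=false until the CM client is installed and has checked in."
    return
}

foreach ($row in $rows) {
    # LastPolicyRequest is a DMTF date string; convert it for readability.
    # An empty value means the client has never requested policy.
    $last = $row.SMS_G_System_CH_ClientSummary.LastPolicyRequest
    if ($last) { $last = [System.Management.ManagementDateTimeConverter]::ToDateTime($last) }
    [pscustomobject]@{
        Name              = $row.SMS_R_System.Name
        MacAddresses      = ($row.SMS_R_System.MacAddresses -join ', ')
        LastPolicyRequest = $last
        Baseline          = $row.SMS_G_System_CI_ComplianceState.LocalizedDisplayName
        ComplianceState   = $row.SMS_G_System_CI_ComplianceState.ComplianceState
    }
}
```

Run it from a Windows PowerShell session as an account in the SMS admin group, for example `.\Check-SccmEndpoint.ps1 -MacAddress 00-11-22-33-44-55 -SmsProvider sccm01.example.local -SiteCode PS1 -BaselineId '<your baseline CI_UniqueID>'`. Because the query joins the compliance state for the baseline, a device whose client has never evaluated that baseline returns no row at all, which matches the first observation above: a manually discovered record with a MAC address is not enough.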

Glad it worked!

Thanks

Hi Greg,

 

Thanks for your information. Could you please help with my doubt?

Does ISE check the SCCM/MDM rules before or after the AnyConnect posture? For example:

If registered and compliant with MDM/SCCM and Posture NOT_EQUALS=Compliance, redirect to install the client and to the remediation portal.

If registered and compliant with MDM/SCCM and Posture EQUALS=Compliance, permit the access. Is this the correct configuration?

 

ISE gets the MDM/DDM and ISE Posture information from two different sources. The MDM/DDM check is a real-time check against that system when the session hits that AuthZ rule. The ISE Posture check happens with the same logic (unless you have the Posture lease enabled).

That said, I don't believe the combination of both MDM/DDM and ISE Posture has been tested, so I don't know if you will run into any order-of-operations or race condition issues with the MDM/DDM check and URL redirection.

IMHO, the MDM/DDM Compliance would likely provide similar if not more granular and centrally managed functionality than the ISE Posture Compliance checks, so I'm not sure what the value in using both would be.

If you decide to use both, I would highly suggest extensive testing in a non-Production followed by a Production Pilot environment prior to rolling it out to the wider Prod environment.

 

Thanks Greg.
