kaachary
Cisco Employee

ISE w/ Jamf and SCCM as MDM

I have a couple of questions on ISE and JAMF integration as MDM. 

What does ISE check with Jamf for compliant status? Does ISE query Jamf every time an authentication or re-auth happens, or does ISE keep a local cache of compliant endpoints for a finite duration? We would like to know the performance impact of these queries on Jamf. Is there any configuration document for Jamf and ISE integration?

Same question for SCCM.

Thanks in advance.

3 REPLIES
Timothy Abbott
Cisco Employee

ISE can check macro-level status such as compliant, non-compliant, registered and non-registered. ISE does have other checks such as pin lock, jailbreak status, etc., but many customers just rely on the MDM solution to check for enforcement of those items. Integrating with JAMF is similar to how ISE integrates with other vendors, so we don't have a configuration guide specific to JAMF at this time. A quick Google search produced the below JAMF documentation. ISE checks the compliance status of the mobile device during authentication. The same goes for SCCM.

http://docs.jamf.com/9.9/casper-suite/administrator-guide/Network_Integration.html

Regards,
Tim

Thanks Tim.

In this case, we only have MacBooks. I am assuming ISE will only query for the MAC address of the laptop. Does it keep a local cache of the compliant endpoints or does it query the JAMF every time a re-auth happens (for any network transition)? If there is no local cache, could there be a performance impact on the MDM solution with thousands of MacBook users?

 

ISE will poll the MDM initially and then at the specified polling intervals. ISE does keep a cache (also configurable) of the device's compliance information. Once the timer for the client expires, ISE will poll again. Anything less than a 60-minute polling interval in a production environment will have a performance impact. Please see the ISE admin guide for more information.

Regards,
Tim