05-14-2019 03:42 AM
I have AirWatch and Intune integrated to ISE and I want to check compliant and registered status, but I do not get this to work properly and I wonder if I need the redirect rule even though the devices are on-boarded in MDM via Internet/4G? Can anyone tell me how to do this? These are my rules at the moment:
05-14-2019 05:34 AM
There is no need to redirect endpoints if policies are configured in the proper way.
There are two important things which need to be added for a multi-MDM scenario when there are endpoints which were registered out-of-band:
1. MDM server name attribute
2. Differentiator attribute before MDM server name condition
When you create policies ISE executes attribute collection (AKA Queried PIP) in the same order as they are listed in authorization policies.
In a multi-MDM server scenario we can't just use an MDM server name attribute since it creates an ambiguity when ISE needs to decide which MDM server to query for a specific endpoint.
As a result of such ambiguity for every endpoint ISE will pick MDM server from the first policy which contains MDM server name.
Below you may see an example from my lab for two MDM servers - Meraki and SCCM.
1. Differentiator attribute - In my case it's an AD group. Presence of this attribute in the policy pushes ISE to query the External AD group PIP first. As a result further policy selection is limited only to policies which contain the specific AD group.
In your scenario I think you can use a Certificate template attribute as a differentiator.
2. MDM server name condition - this one will trigger a query to the proper server.
3. Endpoint MDM attributes
Example contains only two 'Non-Compliant' policies but all other policies (except redirect policies) should be configured in the same way.
In case you wish to keep redirect policies you shouldn't use an MDM server name there since you specify the server name in the authorization profile.
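The following is an added toy model of the evaluation order the answer describes; it is not Cisco code and does not reproduce ISE's real implementation. It assumes two constructed MDM servers (Meraki and SCCM), constructed endpoints, AD groups and policy names, and models two rules from the answer: non-MDM conditions (the differentiator) are resolved before any MDM query, and the first surviving policy that names an MDM server decides which server is queried for the endpoint. Running it shows why a non-compliant SCCM endpoint falls through to the default rule when no differentiator is present, and why adding the AD-group condition in front of the server name fixes that.

```python
from dataclasses import dataclass

# Constructed MDM inventories: which server knows which endpoint (by MAC).
MDM_SERVERS = {
    "Meraki": {"aa:bb:cc:00:00:01": {"registered": True, "compliant": True}},
    "SCCM": {"aa:bb:cc:00:00:02": {"registered": True, "compliant": False}},
}

# Constructed AD group membership used as the differentiator attribute.
AD_GROUPS = {"alice": "MDM-Meraki-Users", "bob": "MDM-SCCM-Users"}


@dataclass(frozen=True)
class Endpoint:
    mac: str
    user: str


@dataclass(frozen=True)
class Policy:
    name: str
    conditions: tuple  # ordered (attribute, expected value) pairs
    result: str


def local_attribute(endpoint, attr):
    """Attributes ISE can resolve without talking to an MDM (the AD group here)."""
    if attr == "AD:group":
        return AD_GROUPS.get(endpoint.user)
    raise KeyError(f"unknown local attribute {attr}")


def choose_mdm_server(policies, endpoint):
    """Model of the ambiguity: walk policies top-down; the first policy whose
    non-MDM (differentiator) conditions pass and that names a server wins."""
    for policy in policies:
        local_ok = all(local_attribute(endpoint, a) == v
                       for a, v in policy.conditions if not a.startswith("MDM:"))
        if not local_ok:
            continue
        for attr, value in policy.conditions:
            if attr == "MDM:server_name":
                return value
    return None


def query_mdm(server, endpoint):
    """Ask one MDM server about the endpoint; unknown endpoints are not registered."""
    if server is None:
        return {}
    return MDM_SERVERS[server].get(endpoint.mac, {"registered": False, "compliant": None})


def evaluate(policies, endpoint):
    """Return (server queried, matched policy name, result) for the endpoint."""
    server = choose_mdm_server(policies, endpoint)
    mdm = query_mdm(server, endpoint)
    for policy in policies:
        matched = True
        for attr, expected in policy.conditions:
            if attr == "MDM:server_name":
                actual = server
            elif attr.startswith("MDM:"):
                actual = mdm.get(attr.split(":", 1)[1])
            else:
                actual = local_attribute(endpoint, attr)
            if actual != expected:
                matched = False
                break
        if matched:
            return server, policy.name, policy.result
    return server, None, "Deny"


ALICE = Endpoint("aa:bb:cc:00:00:01", "alice")  # managed by Meraki
BOB = Endpoint("aa:bb:cc:00:00:02", "bob")      # managed by SCCM, non-compliant

# Policies with only the MDM server name: ambiguous for multi-MDM.
AMBIGUOUS = (
    Policy("Meraki-NonCompliant", (("MDM:server_name", "Meraki"), ("MDM:compliant", False)), "Quarantine"),
    Policy("SCCM-NonCompliant", (("MDM:server_name", "SCCM"), ("MDM:compliant", False)), "Quarantine"),
    Policy("Default", (), "Permit"),
)

# Same policies with the AD-group differentiator placed before the server name.
DIFFERENTIATED = (
    Policy("Meraki-NonCompliant", (("AD:group", "MDM-Meraki-Users"), ("MDM:server_name", "Meraki"), ("MDM:compliant", False)), "Quarantine"),
    Policy("SCCM-NonCompliant", (("AD:group", "MDM-SCCM-Users"), ("MDM:server_name", "SCCM"), ("MDM:compliant", False)), "Quarantine"),
    Policy("Default", (), "Permit"),
)

if __name__ == "__main__":
    print("ambiguous, bob:     ", evaluate(AMBIGUOUS, BOB))
    print("differentiated, bob:", evaluate(DIFFERENTIATED, BOB))
```

Without the differentiator, Bob's endpoint is looked up on Meraki (the first policy naming a server), Meraki has never seen it, the compliance check cannot match, and the non-compliant device lands on the permissive default rule. With the AD-group condition first, only the SCCM policy survives for Bob, SCCM is queried, and the non-compliant result is enforced.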