cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1428
Views
5
Helpful
1
Replies

MDM integration without device on-boarding with 2 different MDM vendors

lars.cederholm
Level 1
Level 1

I have AirWatch and Intune integrated to ISE and I want to check compliant and registered status, but I do not get this to work properly and I wounder if I need the redirect rule even though that devices are on-boarded in MDM via Internet/4G? Can anyone tell me how to do this, this is my rules at the moment:

 

 

1 Accepted Solution

Accepted Solutions

Serhii Kucherenko
Cisco Employee
Cisco Employee

There is no need to redirect endpoints if policies are configured in the proper way.


There are two important things which need to be added for multi-MDM scenario when there are endpoints which were registered out-of band:

 

1. MDM server name attribute
2. Differentiator attribute before MDM server name condition

 

When you create policies ISE executes attribute collection (AKA Queried PIP) in the same order as they are listed in authorization policies.

 

In multi MDM server scenario we can't just a MDM server name attribute since it creates an ambiguity when ISE needs to decide which MDM server to query for specific endpoint.

 

As a result of such ambiguity for every endpoint ISE will pick MDM server from the first policy which contains MDM server name. 

 

Below you may see an example from my lab for two MDM serves - Meraki and SCCM.

 

image003.png

 

1. Differentiator attribute - In my case it's an AD group. Presence of this attribute in the policy pushes ISE to query External AD group PIP first. As a result further policy selection is limited only to policies which contain specific AD group

 

In your scenario i think you can use a Certificate template attribute as a differentiator.

 

2. MDM server name condition - this one will trigger a query to the proper server.

 

3. Endpoint MDM attributes

 

Example contains only two 'Non-Compliant' policies but all other policies (except redirect polices) should be configured in the same way.

 

In case if you wish to keep redirect polices you should't use there an MDM server name since you specify the server name in authorization profile.

 

View solution in original post

1 Reply 1

Serhii Kucherenko
Cisco Employee
Cisco Employee

There is no need to redirect endpoints if policies are configured in the proper way.


There are two important things which need to be added for multi-MDM scenario when there are endpoints which were registered out-of band:

 

1. MDM server name attribute
2. Differentiator attribute before MDM server name condition

 

When you create policies ISE executes attribute collection (AKA Queried PIP) in the same order as they are listed in authorization policies.

 

In multi MDM server scenario we can't just a MDM server name attribute since it creates an ambiguity when ISE needs to decide which MDM server to query for specific endpoint.

 

As a result of such ambiguity for every endpoint ISE will pick MDM server from the first policy which contains MDM server name. 

 

Below you may see an example from my lab for two MDM serves - Meraki and SCCM.

 

image003.png

 

1. Differentiator attribute - In my case it's an AD group. Presence of this attribute in the policy pushes ISE to query External AD group PIP first. As a result further policy selection is limited only to policies which contain specific AD group

 

In your scenario i think you can use a Certificate template attribute as a differentiator.

 

2. MDM server name condition - this one will trigger a query to the proper server.

 

3. Endpoint MDM attributes

 

Example contains only two 'Non-Compliant' policies but all other policies (except redirect polices) should be configured in the same way.

 

In case if you wish to keep redirect polices you should't use there an MDM server name since you specify the server name in authorization profile.