MDM registration

anson-bates
Level 1

I have integrated ISE with external MDM services (JAMF). We currently have a rule in place in ISE to check whether the Apple MacBook Air is registered in the MDM cloud, and if it is registered it will provide specific authorization.


The issue we have come across is that the dongles that attach to the MacBook Airs have their own MAC address and are therefore not in the MDM cloud. We are trying to come up with another way of checking whether the MacBook Airs are within the MDM cloud.


One way of checking is looking for the serial number in the MDM, but the downside is we would have to build 30,000 different policies to check for the serial numbers.


Is there any suggestion that would provide a solution for us?

13 Replies

Nidhi
Cisco Employee

Researching!

paul
Level 10

This is a common problem with the whole MDM checking scenario. All ISE really knows is the MAC address of the authenticating network adapter at the time of authentication. If the MAC address is not in the MDM, the whole thing breaks down. We have had this issue with Google phones not registering their wireless MAC address into MDMs.


For most of my installs, I just skip the MDM check and authenticate the certificate pushed by the MDM to the client device during registration. If you have your CA environment properly set up, the only way a certificate should arrive on the client device is via MDM registration. So if my main goal is to say "Is this a corporate device because it is registered with the MDM?", then the presence of the certificate tells ISE that.


Now if you are checking for compliance status, then you have to do the full integration.

But checking for the certificate, would that require a posture check to see if the certificate is there?

No, the certificate should be used for doing EAP-TLS authentication when connecting to the network. JAMF should be configuring the device to do EAP-TLS wired/wireless authentication when connecting to the network.


We are experiencing similar difficulties. Can we only choose one method of client authentication, either certificate or AD credentials? Because we currently utilize the authenticating account in order to provide the appropriate level of content filtering. Maybe there's something we can do with having multiple certificates, where for each cert ISE can segment the device to a particular VLAN or assign a Security Group Tag, and we can utilize that instead for our tiered content filtering...

The certificate should be a user certificate containing the user's AD account that was used to authenticate the device to the MDM. ISE will extract the AD user account from the certificate, and you can do any AD look-ups you want to put users into different classes of access.

Also want to mention these MacBook Airs are coming straight out of the box with no certificates applied to them.

They will go through MAB at first to get internet access to check in with Apple for the setup, will be redirected to JAMF, and will get a push-down from the MDM. After the push-down, AD will bind to the computer and it will reboot.

Once rebooted, the computer can be logged into like a domain computer, and if it is registered and the user is in a certain domain group it will get specific access.


So I don't think certificates will be the answer for a computer straight out of the box. Apple doesn't give this school district access to pre-load or image its laptops without MDM.

Nothing is the answer straight out of the box. The whole reason you have JAMF is to control what happens once you make them "a managed Mac".



They get on the Internet with MAB, then go through the JAMF process to get onboarded. During onboarding they should be entering their AD credentials to authenticate to JAMF. JAMF can then request a certificate from the internal CA on behalf of the user. That certificate and private key are then pushed down to the Mac device as part of the onboarding. JAMF also configures the device for wired/wireless authentication using that certificate. The certificate contains the AD user ID, so all lookups can happen and different levels of access can be applied based on that certificate.



The only way the Mac can get a certificate/private key is through the JAMF process, so you know the device is managed just by the fact that it is presenting a certificate during wired/wireless authentication.
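An added illustration of the decision described above, not code from the thread or from ISE/JAMF: a constructed internal CA issues the user certificate JAMF would request for "alice", a look-alike self-signed certificate stands in for a Mac that never enrolled, and `authorize` accepts only the certificate that chains to the internal CA, returning the SAN identity for AD lookups. The CA name, user name and email SAN are invented sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parentKey (self-signed when parent is nil) with one day of validity.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// authorize models the ISE decision from the thread: the EAP-TLS client certificate must chain
// to the internal CA, and the AD identity comes from its SAN (an email SAN here; a Windows CA
// would normally carry a UPN otherName). An empty result means there is nothing to look up in AD.
func authorize(client *x509.Certificate, internalCA *x509.CertPool) ([]string, error) {
	opts := x509.VerifyOptions{Roots: internalCA, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return nil, fmt.Errorf("not issued by internal CA: %w", err)
	}
	return client.EmailAddresses, nil
}

// buildScenario is constructed data: the internal CA, alice's JAMF-requested certificate, and
// a self-signed look-alike from a Mac that never went through enrollment.
func buildScenario() (roots *x509.CertPool, managed, rogue *x509.Certificate) {
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Internal CA (constructed)"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca, caKey := issue(caTmpl, nil, nil)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice"},
		EmailAddresses: []string{"alice@example.test"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	managed, _ = issue(userTmpl, ca, caKey)
	rogue, _ = issue(userTmpl, nil, nil) // same name and SAN, but no chain to the CA
	return
}
```

The point the thread makes is visible in the two outcomes: the managed certificate yields alice's identity, while the self-signed one with identical subject and SAN is rejected before any identity is read.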






We have this same issue. Currently there is no solution for it until ISE 2.5 is released. In ISE 2.5 Cisco is finally moving to UUID for device identifiers. The UUID is stored in JAMF, so there won't be any MAC address collision issues.

How is ISE going to collect the UUID during authentication?


ISE and AnyConnect already collect the UUID in some cases. Cisco has just never used it. It's a part of the cisco-av-pair; it's called mdm-tlv=device-uid. Cisco is going to more universally collect the UID and use it within the ISE logic. There'll be an update to ISE and AnyConnect to support it in the future.

This implementation is without AnyConnect.

If we use an agent, it will be either stealth or dissolvable.

Hi,


I see that this topic has had no movement for the past couple of years, but how did you manage to get around this?


Regards,

Jayson