07-25-2017 01:58 AM
We are using ISE with MDM integration to verify compliance of Apple iPhones and iPads when they connect to a VPN.
The AnyConnect client collects device information, notably the Unique Device Identifier (UDID), which is sent to the VPN headend and forwarded to the ISE as a RADIUS AV pair. ISE will then use the UDID to query the MDM server to retrieve the compliance attributes.
Problem: recent iOS versions don't expose the UDID to applications anymore, therefore the AnyConnect client is using a different type of unique ID. This makes the MDM request fail to match the device record, because the MDM database has the actual UDID in its database.
How is this problem usually solved?
Note that the problem doesn't exist with 802.1X authentication over Wireless.
We know that a way exists to have the MDM server assign a UID to a device at enrollment time and it seems a good way forward, but can you share how this is done on supported MDM servers, especially MobileIron?
Thanks in advance
07-27-2017 08:27 PM
Any particular MobileIron release? Any TAC case and/or bug id?
07-28-2017 08:30 AM
I am getting the MobileIron version details.
TAC case 682630154 was opened for this. Most troubleshooting was done onsite as this is a military environment and exporting logs is not always an option.
Best regards,
Christophe
07-28-2017 08:54 AM
Since TAC is already engaged, please work with TAC. We may update this thread if it results in a bug filing.