cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

2774
Views
0
Helpful
6
Replies
InfraISE2020
Beginner

Multiple MDM Server Scopes (Microsoft Intune)

We have a scenario where we have multiple external MDM servers that need to be queried depending on the source device. 

 

How do we create an authorization policy that defines a particular device to a particular MDM server.

 

i.e. Device A querying MDM A and Device B querying MDM B. 

 

We have tried to create the policy below however we have been unsuccessful so far:

 

Policy 1

MDM·MDMServerName Equals "MDM A" 

 

AND

 

MDM·DeviceCompliantStatus Equals Compliant

 

Policy 2

MDM·MDMServerName Equals "MDM B" 

 

AND

 

MDM·DeviceCompliantStatus Equals Compliant

 

What appears to be happening is that ISE will only query one of the MDM servers meaning that it will only allow access to either Device A or Device depending on which MDM server was queried first. 

 

Environment

 

Cisco ISE version 2.6 Patch Update 3

 

Any help would be appreciated. 

1 ACCEPTED SOLUTION

Accepted Solutions
Cristian Matei
Collaborator

Hi,

 

     This is easily achievable; you just need to find a differentiator between the devices which will be checked against MDM1 and devices which will be checked against MDM2, and use that differentiator as a condition in your authorization policies.

 

Regards,

Cristian Matei.

View solution in original post

6 REPLIES 6
marce1000
VIP Mentor

 

 - Whilst this may be possible , I feel it contradicts the purpose of integrated MDM. Meaning , probably working towards an 'inclusive' MDM_solution is better.

 M.

Hi @marce1000 

 

Thanks for the quick response. 

 

Unfortunately we need to stick with Microsoft Intune as the MDM provider but have the ability within ISE to service two separate companies.

 

Do you have any ideas on how i can define which MDM server to query on my authorization rules as the current setup only queries one and not the other?

 

 

Cristian Matei
Collaborator

Hi,

 

     This is easily achievable; you just need to find a differentiator between the devices which will be checked against MDM1 and devices which will be checked against MDM2, and use that differentiator as a condition in your authorization policies.

 

Regards,

Cristian Matei.

@Cristian Matei 

 

I am fairly new to ISE so unsure as to how I can differentiate based on host names in the authorisation rule.

 

All devices in MDM1 hostname starts with GP and all devices in MDM2 start with TR, how would the rules be updated to reflect this? could you give me an example?

 

Have you achieved this before using two different MDM servers? 
Thanks in advance.

Hi,

 

    Once you've done the MDM integration, make use of the MDM Dictionary Attributes in your authorization policies. See the attached guide.

 

Regards,

Cristian Matei.

 

 

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube