Solved: Re: Multiple MDM Server Scopes (Microsoft Intune)

InfraISE2020 · ‎02-26-2020

We have a scenario where we have multiple external MDM servers that need to be queried depending on the source device.

How do we create an authorization policy that defines a particular device to a particular MDM server.

i.e. Device A querying MDM A and Device B querying MDM B.

We have tried to create the policy below however we have been unsuccessful so far:

Policy 1

MDM·MDMServerName Equals "MDM A"

AND

MDM·DeviceCompliantStatus Equals Compliant

Policy 2

MDM·MDMServerName Equals "MDM B"

AND

MDM·DeviceCompliantStatus Equals Compliant

What appears to be happening is that ISE will only query one of the MDM servers meaning that it will only allow access to either Device A or Device depending on which MDM server was queried first.

Environment

Cisco ISE version 2.6 Patch Update 3

Any help would be appreciated.

Cristian Matei · ‎02-26-2020

Hi,

This is easily achievable; you just need to find a differentiator between the devices which will be checked against MDM1 and devices which will be checked against MDM2, and use that differentiator as a condition in your authorization policies.

Regards,

Cristian Matei.

View solution in original post

Mark Elsen · ‎02-26-2020

- Whilst this may be possible , I feel it contradicts the purpose of integrated MDM. Meaning , probably working towards an 'inclusive' MDM_solution is better.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

InfraISE2020 · ‎02-26-2020

Hi @Mark Elsen

Thanks for the quick response.

Unfortunately we need to stick with Microsoft Intune as the MDM provider but have the ability within ISE to service two separate companies.

Do you have any ideas on how i can define which MDM server to query on my authorization rules as the current setup only queries one and not the other?

Mark Elsen · ‎02-26-2020

- Below are some threads I found on the subject , but then again, even with ISE in between 'multiple MDM' in my view contradicts with solid MDM :

https://community.cisco.com/t5/network-access-control/multiple-mdm-solutions-and-a-single-ise-cluster/m-p/3060070

https://community.cisco.com/t5/network-access-control/multi-mdm-support/td-p/3493890

https://community.cisco.com/t5/network-access-control/multiple-mdm-support-similar-to-identity-store-sequence/td-p/3562197

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Cristian Matei · ‎02-26-2020

Hi,

This is easily achievable; you just need to find a differentiator between the devices which will be checked against MDM1 and devices which will be checked against MDM2, and use that differentiator as a condition in your authorization policies.

Regards,

Cristian Matei.

InfraISE2020 · ‎02-26-2020

@Cristian Matei

I am fairly new to ISE so unsure as to how I can differentiate based on host names in the authorisation rule.

All devices in MDM1 hostname starts with GP and all devices in MDM2 start with TR, how would the rules be updated to reflect this? could you give me an example?

Have you achieved this before using two different MDM servers?
Thanks in advance.

Cristian Matei · ‎03-05-2020

Hi,

Once you've done the MDM integration, make use of the MDM Dictionary Attributes in your authorization policies. See the attached guide.

Regards,

Cristian Matei.