cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3445
Views
0
Helpful
6
Replies

Multiple MDM Server Scopes (Microsoft Intune)

InfraISE2020
Level 1
Level 1

We have a scenario where we have multiple external MDM servers that need to be queried depending on the source device. 

 

How do we create an authorization policy that defines a particular device to a particular MDM server.

 

i.e. Device A querying MDM A and Device B querying MDM B. 

 

We have tried to create the policy below however we have been unsuccessful so far:

 

Policy 1

MDM·MDMServerName Equals "MDM A" 

 

AND

 

MDM·DeviceCompliantStatus Equals Compliant

 

Policy 2

MDM·MDMServerName Equals "MDM B" 

 

AND

 

MDM·DeviceCompliantStatus Equals Compliant

 

What appears to be happening is that ISE will only query one of the MDM servers meaning that it will only allow access to either Device A or Device depending on which MDM server was queried first. 

 

Environment

 

Cisco ISE version 2.6 Patch Update 3

 

Any help would be appreciated. 

1 Accepted Solution

Accepted Solutions

Cristian Matei
VIP Alumni
VIP Alumni

Hi,

 

     This is easily achievable; you just need to find a differentiator between the devices which will be checked against MDM1 and devices which will be checked against MDM2, and use that differentiator as a condition in your authorization policies.

 

Regards,

Cristian Matei.

View solution in original post

6 Replies 6

marce1000
VIP
VIP

 

 - Whilst this may be possible , I feel it contradicts the purpose of integrated MDM. Meaning , probably working towards an 'inclusive' MDM_solution is better.

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Hi @marce1000 

 

Thanks for the quick response. 

 

Unfortunately we need to stick with Microsoft Intune as the MDM provider but have the ability within ISE to service two separate companies.

 

Do you have any ideas on how i can define which MDM server to query on my authorization rules as the current setup only queries one and not the other?

 

 

 

 - Below are some threads I found on the subject  , but then again, even with ISE in between 'multiple  MDM' in my view contradicts with solid MDM :

 https://community.cisco.com/t5/network-access-control/multiple-mdm-solutions-and-a-single-ise-cluster/m-p/3060070

 https://community.cisco.com/t5/network-access-control/multi-mdm-support/td-p/3493890

 https://community.cisco.com/t5/network-access-control/multiple-mdm-support-similar-to-identity-store-sequence/td-p/3562197

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Cristian Matei
VIP Alumni
VIP Alumni

Hi,

 

     This is easily achievable; you just need to find a differentiator between the devices which will be checked against MDM1 and devices which will be checked against MDM2, and use that differentiator as a condition in your authorization policies.

 

Regards,

Cristian Matei.

@Cristian Matei 

 

I am fairly new to ISE so unsure as to how I can differentiate based on host names in the authorisation rule.

 

All devices in MDM1 hostname starts with GP and all devices in MDM2 start with TR, how would the rules be updated to reflect this? could you give me an example?

 

Have you achieved this before using two different MDM servers? 
Thanks in advance.

Hi,

 

    Once you've done the MDM integration, make use of the MDM Dictionary Attributes in your authorization policies. See the attached guide.

 

Regards,

Cristian Matei.

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: