Cisco Employee

Multiple MDM Support - similar to Identity Store Sequence

Curious if Cisco has the capability roadmapped to support multiple MDM providers, similar to multiple authentication sources via an Identity Store Sequence.  Customer is migrating from one MDM to another, and it is challenging to create specific MDM rules based upon location (WLC) or device type.  Customer has roaming users and desires support for the multiple MDM feature much like the identity store sequence capability.  Please let me know if there are additional details I can provide...  Thanks...

Accepted solution

I understood you correctly, cool.

Yes, what you are asking for was something we asked for when first supporting multi-MDM with ISE.  It's a roadmap item, but it's not committed to a single release yet.

We just re-emphasized the user-story with the PM, to try & get it prioritized for a release vehicle.

Aaron


8 replies
Cisco Employee

Corey,

I assume you are asking about validating endpoint attributes with the MDM?  Obviously you must have the pre-reqs defined on which MDM to use in order to onboard the user with the correct one, so I am assuming you cannot mean that.

I am sending the link to this thread to the MDM integration PM, Erica.

-Aaron


To my knowledge, you need to define either device type or location as an attribute for MDM selection.  I am wondering if we will ever be able to have a list of MDMs which get checked in order, similar to how we check multiple identity stores in an identity store sequence, eliminating the need to statically define which MDM to use via an attribute.



Hi All

I ran into the same situation. Is there any status update on that? I mean, is there already a committed roadmap or anything similar? I mean the user story is simple: Customer has one MDM (let's say X with version 1) and wants to upgrade this to version 2. So there is a limited time during which both systems should be accessible.

As I already posted on this:

https://supportforums.cisco.com/discussion/13223711/multiple-mdm-solutions-and-single-ise-cluster#comment-12085346

...

I was not able to find any solution based on ISE 2.1 P3.

Any solution, hints on this?

Thanks, Marco


Not clear what the specific issue is here.  ISE has supported multiple active MDM servers since ISE 1.4:

Cisco Identity Services Engine Administrator Guide, Release 1.4  - Manage Network Devices [Cisco Identity Services Engin…

However, there was a doc bug at one time which stated that only one could be activated.  That has since been corrected:

CSCvd39960.  ISE admin guide conflicting info on multiple active MDMs support

One of the key changes in ISE 1.4 to support multiple active MDMs is to add a condition to match MDM-Server.  This looks into the endpoint record to determine the MDM-Server value associated with the endpoint and then performs redirection to that specific MDM server.

Multi-MDM support in ISE does not work like an ID sequence (try #1, then #2, then #3).  Once the MDM server is identified, it is linked to the endpoint record.  One of the only times you would match a condition for MDM Server 1 and then apply an AuthZ Profile that redirects to MDM Server 2 would be to switch registration to the new server, for example when a customer is migrating from one vendor to another.

/Craig


Craig

Thanks for this clarification on how the whole process is done.

Unfortunately the bug is not visible for me in the bug toolkit and your link references an internal site. Anyway: after doing some more tests, we figured out the following behaviour:

- ISE 2.1 P3 never uses the second MDM AUTHZ rule as long as this is linked to this endpoint, which you referenced in your clarification.

- ISE 2.2 P1 seems to be fixed on this point, and the second AUTHZ rule is used, which is great news. But the Endpoint DB no longer shows the MDM endpoints...

Do you have any clarification for this?

Thanks, Marco


Redirect to MDM will populate endpoint record (assuming it is linked to that MDM).  It is imperative that each Auth rule includes MDM Server match condition as its first condition prior to other MDM conditions based on enrollment or compliance.
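As an added illustration of the behaviour Craig describes in his two replies above (the MDM-Server condition evaluated first, a redirect linking the endpoint record to that server, and a rule that matches the old server but redirects to the new one for migration), here is a small first-match policy model. It is constructed for this thread and is not ISE code; the attribute names (MDM-Server, MDM-Registered, MDM-Compliant), the server names and the profile names are assumptions. The second rule set shows what goes wrong when a rule without an MDM-Server condition is placed ahead of the server-specific rules: it matches regardless of which MDM the endpoint is linked to, so the migration rule is never reached.

```python
# Toy model of ISE first-match authorization with multiple MDM servers.
# Constructed for illustration only; not ISE code. Attribute, server and
# profile names are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Condition = Callable[["Endpoint"], bool]


@dataclass
class Endpoint:
    """Minimal stand-in for an endpoint record; attrs holds MDM attributes."""
    mac: str
    attrs: Dict[str, object] = field(default_factory=dict)


@dataclass
class AuthzRule:
    name: str
    conditions: List[Condition]   # all must hold (evaluated in order)
    profile: str                  # authorization profile applied on match
    redirect_to: Optional[str] = None  # MDM server the profile redirects to


def mdm_server_is(server: str) -> Condition:
    """The MDM-Server match condition: compare against the endpoint record."""
    return lambda ep: ep.attrs.get("MDM-Server") == server


def attr_is(name: str, value: object) -> Condition:
    return lambda ep: ep.attrs.get(name) == value


def no_mdm_link() -> Condition:
    return lambda ep: "MDM-Server" not in ep.attrs


def evaluate(rules: List[AuthzRule], ep: Endpoint) -> str:
    """First-match evaluation. A redirect links the endpoint to that MDM server
    (modelling 'redirect to MDM will populate endpoint record')."""
    for rule in rules:
        if all(cond(ep) for cond in rule.conditions):
            if rule.redirect_to is not None:
                ep.attrs["MDM-Server"] = rule.redirect_to
            return rule.profile
    return "DenyAccess"


OLD, NEW = "mdm-old", "mdm-new"   # assumed server names

# Correct ordering: every MDM rule names its MDM server as the first condition.
MIGRATION_RULES = [
    AuthzRule("Old MDM -> migrate", [mdm_server_is(OLD)],
              "Redirect-MDM-New", redirect_to=NEW),
    AuthzRule("New MDM compliant",
              [mdm_server_is(NEW), attr_is("MDM-Compliant", True)],
              "PermitAccess"),
    AuthzRule("New MDM not compliant", [mdm_server_is(NEW)],
              "Redirect-MDM-New", redirect_to=NEW),
    AuthzRule("Not linked to any MDM", [no_mdm_link()],
              "Redirect-MDM-New", redirect_to=NEW),
]

# Wrong ordering: a generic enrollment rule with no MDM-Server condition comes
# first, so it matches endpoints linked to either server.
UNORDERED_RULES = [
    AuthzRule("Any registered", [attr_is("MDM-Registered", True)],
              "PermitAccess-Any"),
] + MIGRATION_RULES


def migrate_old_endpoint(rules: List[AuthzRule]) -> Tuple[str, str]:
    """Authenticate an endpoint still linked to the old MDM; return the profile
    applied and the MDM server the record is linked to afterwards."""
    ep = Endpoint("00:11:22:33:44:55",            # constructed sample endpoint
                  {"MDM-Server": OLD, "MDM-Registered": True})
    profile = evaluate(rules, ep)
    return profile, ep.attrs["MDM-Server"]


if __name__ == "__main__":
    print("ordered:  ", migrate_old_endpoint(MIGRATION_RULES))
    print("unordered:", migrate_old_endpoint(UNORDERED_RULES))
```

With the ordered rules the old-server endpoint is redirected and its record is re-linked to the new server; with the generic rule in front it is permitted on the old server's registration and never migrates.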


How about the case where the device is already enrolled in the MDM without ISE’s knowledge? When the device is first being authenticated it won’t have any association with an MDM, however, it may be registered with one of two MDMs. How would you suggest creating the policies for that use case?

Thanks

George
