04-27-2016 10:32 PM
Hi Guys
Is there a workflow available to onboard a device remotely?
The context is that a school district would like to remotely onboard student devices before the beginning of a new school year. They currently do not have an MDM. The students will already have an AD account at the school.
Thanks
Peter
04-28-2016 04:50 AM
Windows, MacOS, and Android (when the Android user is connected to VPN over local WiFi) should work for BYOD using AC with ACIDEX support starting in ASA 9.2.1 and AC 3.1MR5.
It required the AnyConnect to pass along the internal MAC address (not the VPN tunnel).
04-28-2016 09:37 PM
Thanks Jason - just so I get this right - is this correct?
1: The school could publish an AnyConnect installer on a public site
2: The student then installs AnyConnect and then authenticates to the ASA using AD credentials
3: Assuming split tunneling is disallowed, ISE/ASA will initiate the onboarding (Certs and SPW) process (using the wireless MAC address that has been passed down using ACIDEX)
Thanks
Peter
04-29-2016 04:08 AM
The 1st step is not required, as the ASA hosts AnyConnect already.
They would simply need to web to the ASA to start a connection and then download the package via that site.
Once the package is downloaded, they would initiate the VPN connection.
Once the VPN is established, they could require (through redirect) that the device goes through the BYOD flow.
04-29-2016 05:22 AM
Thanks Jason
cheers
Peter