cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
62655
Views
27
Helpful
0
Comments
pavagupt
Cisco Employee
Cisco Employee

Introduction

            Mobile Device Management (MDM) servers secure, monitor, manage, and support mobile devices deployed across mobile operators, service providers, and enterprises. MDM servers act as a policy server that controls the use of some applications on a mobile device (for example, an email application) in the deployed environment. However, the network is the only entity that can provide granular access to endpoints based on access control lists (ACL). Cisco ISE queries the MDM servers for the necessary device attributes to create ACLs that provide network access control for those devices.

Following document illustrates how to integrate Microsoft Intune server as an MDM server in ISE and validate it.

 

Microsoft Azure Intune Integration 

  1. Log in to the Microsoft Azure portal.
  2. Go to your Active Directory domain > App registrations, click New registration.

pavagupt_18-1606122486595.png

  1. In the Register An Application window displayed, enter a value in the Name field and select Accounts in this organizational directory only radio button.  Click Register.

pavagupt_19-1606122486625.png

  1. The Overview window of the newly registered application is displayed.

pavagupt_20-1606122486673.png

  1. With the above window open, log in to the Cisco ISE administration portal from other browser tab. From the main menu, choose Administration > System > Certificates > System Certificates.  

pavagupt_21-1606122486675.png

  1. Check the Default self-signed server certificate or certificate used for admin purpose, and click Export. Then, click View for the details of this certificate. Scroll down the displayed Certificate Hierarchy dialog box to the Fingerprints area. You will refer to these values at a later step.

pavagupt_22-1606122486691.png

  1. In the Microsoft Azure AD portal, click Certificates and Secrets under newly registered application from the left menu pane. Click Upload Certificate and upload the certificate you just exported from Cisco ISE.

pavagupt_23-1606122486714.png

  1. After the certificate uploads, verify that the Thumbprint value displayed on the window matches the Fingerprint value in the Cisco ISE certificate.

pavagupt_24-1606122486720.png

  1. Choose Manifest from the left menu pane. In the content displayed, check the value of displayName. The value must match the common name mentioned in the Cisco ISE certificate.

pavagupt_25-1606122486734.png

  • Choose API Permissions from the left menu pane. Add the following API permissions.

Screenshot at Oct 07 20-14-54.png 

  • (optional)Adding "Azure Active Directory Graph" (Legacy APIs) permissions isn't allowed from new application registrations as it is going to be depreciated in June 2022. Please follow below procedure for adding "Azure Active Directory Graph" (Legacy API) permissions to new Application
    • Click "Add a Permission" from "API Permissions" WindowAdd-permissions-snapshot.jpg

   Select "APIs for my organization uses" tab and search "Windows Azure Active Directory"

permissions.jpg

   Select required Delegated/Application permissions and add to your application

delegated-app-permissions.jpg

  • Collect the following details from the Overview window of the application:
    1. Application (client) ID
    2. Directory (tenant) ID
    3. Click Endpoints on the Overview window and copy the value of the Oauth 2.0 Token Endpoint (V2) field

pavagupt_27-1606122486774.png

Cisco ISE Configuration

            Now that we have configured required config on Microsoft Azure Intune side, we will now try to integrate it with Cisco ISE configuration.

  1. Download certificates from https://graph.windows.net and https://fef.manage.microsoft.com/ in PEM (chain) format. The following certificates must be downloaded and imported into your ISE trusted certifcate chain for successful communication between ISE and Intune server.
    1. Baltimore CyberTrust Root
    2. DigiCert SHA2 Secure Server CA
    3. DigiCert Global Root CA
    4. DigiCert Global Root G2
    5. Microsoft Azure TLS Issuing CA 01
    6. Microsoft Azure TLS Issuing CA 02
    7. Microsoft Azure TLS Issuing CA 05
    8. Microsoft Azure TLS Issuing CA 06
      NOTE: Microsoft Intune certificates are updated and you might have to import new Root Certificates as well in order to have a successful connection from ISE. Refer to Microsoft PKI repository where you can find the various certificate authorities used in Azure.
  2. In the Cisco ISE administration portal, choose Administration > System > Certificates > Trusted Certificates. For each of the four certificates you just downloaded, carry out the following steps:
    1. Click Import.
    2. Click Choose File and choose the downloaded certificate from your system.
    3. Allow the certificate to be trusted for use by Infrastructure and Cisco Services. In the Usage area, check the Trust for authentication within ISE and Trust for authentication of Cisco Services check boxes.
    4. Click Save.
  3. Using the noted client ID, Directory ID and Oauth 2.0 Token Endpoint, in the Cisco ISE administration portal, choose Administration > Network Resources > External MDM. Click Add
    1. Name – name of the MDM server in ISE for reference.
    2. Choose OAuth – Client Credentials from the Authentication Type drop-down list.
    3. In the Auto Discovery URL field, enter “https://graph.windows.net/< Directory (tenant) ID>
    4. In the Client ID field, enter the Application (client) ID value from the Intune application.
    5. In the Token Issuing URL field, enter the Oauth 2.0 Token Endpoint (V2) value.
    6. Enter the required values for the Polling Interval and Time Interval For Compliance Device ReAuth Query fields.

pavagupt_28-1606122486895.png

 

NOTE: Ensure to configure proxy if your ISE need to reach out to Microsoft through proxy.

  1. Click Test Connection to ensure Cisco ISE can connect to the Microsoft server.

pavagupt_29-1606122486899.png

 

  1. When the connection test is successful, choose Enabled from the Status drop-down list. Click Save.  
  2. Ensure ISE shows intune configuration after saving.

pavagupt_30-1606122486912.png

Verification

            Following section is to validate the integrated ISE + Microsoft Intune server to get the endpoint compliance/attributes and accordingly admin the endpoint network access.  

  1. In the Cisco ISE administration portal choose Administration > Network Resources > External MDM. The Intune server added must be displayed in the list of MDM Servers.

pavagupt_31-1606122486946.png

  1. Navigate to Policy > Policy Sets and create authorization policies in a policy set as shown below. Basically, we are trying to create policies for
    1. UnRegistered
    2. Registered & Compliant
    3. Registered & NonCompliant

pavagupt_32-1606122486966.png

  1. You can now authenticate using the endpoint which was registered against MDM Intune server and verify whether your configuration is working fine or not. If everything is working fine, endpoint should be matching with the policies that you have written above.

pavagupt_33-1606122486985.png

  1. You can come to know the attributes retrieved from MDM Intune server by going to context-visibility - > endpoints > Compliance > <endpoint-ID>

pavagupt_34-1606122486992.png

 

  1. You can also important MDM attributes of the endpoint from External Mobile Device Management Reports by navigating to Operations > Reports > Reports > Endpoints & Users > External Mobile Device Management reports

pavagupt_35-1606122487007.png

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: