Mobile Device Management (MDM) servers secure, monitor, manage, and support mobile devices deployed across mobile operators, service providers, and enterprises. MDM servers act as policy servers that control the use of some applications on a mobile device (for example, an email application) in the deployed environment. However, the network is the only entity that can provide granular access to endpoints based on access control lists (ACLs). Cisco ISE queries the MDM servers for the device attributes it needs to create ACLs that provide network access control for those devices.
This document illustrates how to integrate a Microsoft Intune server as an MDM server in ISE and how to validate the integration.
Microsoft Azure Intune Integration
Log in to the Microsoft Azure portal.
Go to your Active Directory domain > App registrations, and click New registration.
In the Register An Application window displayed, enter a value in the Name field and select Accounts in this organizational directory only radio button. Click Register.
The Overview window of the newly registered application is displayed.
With the above window open, log in to the Cisco ISE administration portal from another browser tab. From the main menu, choose Administration > System > Certificates > System Certificates.
Check the default self-signed server certificate (or the certificate used for the Admin role) and click Export. Then click View to see the details of this certificate. Scroll down the displayed Certificate Hierarchy dialog box to the Fingerprints area. You will refer to these values in a later step.
In the Microsoft Azure AD portal, click Certificates and Secrets under the newly registered application in the left menu pane. Click Upload Certificate and upload the certificate you just exported from Cisco ISE.
After the certificate uploads, verify that the Thumbprint value displayed on the window matches the Fingerprint value in the Cisco ISE certificate.
Choose Manifest from the left menu pane. In the content displayed, check the value of displayName. The value must match the common name mentioned in the Cisco ISE certificate.
Choose API Permissions from the left menu pane. Add the following API permissions to the application:
Collect the following details from the Overview window of the application:
Application (client) ID
Directory (tenant) ID
Click Endpoints on the Overview window and copy the value of the OAuth 2.0 Token Endpoint (V2) field.
Cisco ISE Configuration
Now that the required configuration on the Microsoft Azure Intune side is complete, we integrate it with Cisco ISE.
In the Cisco ISE administration portal, choose Administration > System > Certificates > Trusted Certificates. For each of the four certificates you just downloaded, carry out the following steps:
Click Choose File and choose the downloaded certificate from your system.
Allow the certificate to be trusted for use by Infrastructure and Cisco Services. In the Usage area, check the Trust for authentication within ISE and Trust for authentication of Cisco Services check boxes.
Using the noted Client ID, Directory ID and OAuth 2.0 Token Endpoint, in the Cisco ISE administration portal choose Administration > Network Resources > External MDM. Click Add.
Name – name of the MDM server in ISE for reference.
Choose OAuth – Client Credentials from the Authentication Type drop-down list.
In the Client ID field, enter the Application (client) ID value from the Intune application.
In the Token Issuing URL field, enter the OAuth 2.0 Token Endpoint (V2) value.
Enter the required values for the Polling Interval and Time Interval For Compliance Device ReAuth Query fields.
NOTE: Configure a proxy if your ISE node needs to reach Microsoft through a proxy.
Click Test Connection to ensure Cisco ISE can connect to the Microsoft server.
When the connection test is successful, choose Enabled from the Status drop-down list. Click Save.
Verify that ISE displays the Intune configuration after saving.
The following section validates the integrated ISE and Microsoft Intune setup: ISE retrieves the endpoint compliance attributes from Intune and controls the endpoint's network access accordingly.
In the Cisco ISE administration portal choose Administration > Network Resources > External MDM. The Intune server you added must be displayed in the list of MDM Servers.
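As an added pre-flight check (not part of the original document and not Cisco ISE code), the following Python compares the fingerprint ISE shows for the exported certificate with the thumbprint Azure displays after upload, and checks that the copied token endpoint is the v2.0 endpoint for the noted Directory (tenant) ID. The sample PEM body, tenant GUID and URLs are constructed.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample values (not from the page): the PEM body is the
# base64 of b"abc", so its SHA-1 is the well-known a9993e36...d89d digest.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
SAMPLE_TENANT_ID = "11111111-2222-3333-4444-555555555555"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and base64-decode the certificate body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Digest over the DER bytes; Azure shows the SHA-1 as uppercase hex."""
    return hashlib.new(algo, der).hexdigest().upper()


def normalize_thumbprint(value: str) -> str:
    """ISE prints AB:CD:..., Azure prints ABCD...; compare on one form."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def thumbprints_match(ise_fingerprint: str, azure_thumbprint: str) -> bool:
    """True when both portals show the same certificate, whatever the format."""
    return normalize_thumbprint(ise_fingerprint) == normalize_thumbprint(azure_thumbprint)


def check_token_endpoint(url: str, tenant_id: str) -> list:
    """Return the problems found in the OAuth 2.0 Token Endpoint (V2) value."""
    problems = []
    u = urlparse(url)
    if u.scheme != "https":
        problems.append("endpoint must use https")
    parts = [p for p in u.path.split("/") if p]
    # Expected shape: /<tenant>/oauth2/v2.0/token (the V1 endpoint lacks v2.0)
    if len(parts) != 4 or parts[1:] != ["oauth2", "v2.0", "token"]:
        problems.append("path is not /<tenant>/oauth2/v2.0/token (V1 endpoint copied?)")
    elif parts[0].lower() != tenant_id.lower():
        problems.append("tenant in endpoint does not match Directory (tenant) ID")
    if not GUID_RE.match(tenant_id):
        problems.append("Directory (tenant) ID is not a GUID")
    return problems
```

Run the checks against the values noted from both portals before clicking Test Connection; a mismatch here explains most failed connection tests.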
Navigate to Policy > Policy Sets and create authorization policies in a policy set for the following two conditions:
Registered & Compliant
Registered & NonCompliant
You can now authenticate with an endpoint that is registered with the Intune MDM server and verify that the configuration works. If everything is working, the endpoint matches the policies written above.
You can view the attributes retrieved from the Intune MDM server by going to Context Visibility > Endpoints > Compliance > <endpoint-ID>.
You can also view the important MDM attributes of the endpoint in the External Mobile Device Management reports by navigating to Operations > Reports > Reports > Endpoints & Users > External Mobile Device Management.