cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Cisco Community November 2020 Spotlight Award Winners

How to: Integrate Cisco ISE MDM with Microsoft Intune

922
Views
5
Helpful
0
Comments

Introduction

            Mobile Device Management (MDM) servers secure, monitor, manage, and support mobile devices deployed across mobile operators, service providers, and enterprises. MDM servers act as a policy server that controls the use of some applications on a mobile device (for example, an email application) in the deployed environment. However, the network is the only entity that can provide granular access to endpoints based on access control lists (ACL). Cisco ISE queries the MDM servers for the necessary device attributes to create ACLs that provide network access control for those devices.

Following document illustrates how to integrate Microsoft Intune server as an MDM server in ISE and validate it.

 

Microsoft Azure Intune Integration 

  1. Log in to the Microsoft Azure portal.
  2. Go to your Active Directory domain > App registrations, click New registration.

pavagupt_18-1606122486595.png

  1. In the Register An Application window displayed, enter a value in the Name field and select Accounts in this organizational directory only radio button.  Click Register.

pavagupt_19-1606122486625.png

  1. The Overview window of the newly registered application is displayed.

pavagupt_20-1606122486673.png

  1. With the above window open, log in to the Cisco ISE administration portal from other browser tab. From the main menu, choose Administration > System > Certificates > System Certificates.  

pavagupt_21-1606122486675.png

  1. Check the Default self-signed server certificate or certificate used for admin purpose, and click Export. Then, click View for the details of this certificate. Scroll down the displayed Certificate Hierarchy dialog box to the Fingerprints area. You will refer to these values at a later step.

pavagupt_22-1606122486691.png

  1. In the Microsoft Azure AD portal, click Certificates and Secrets under newly registered application from the left menu pane. Click Upload Certificate and upload the certificate you just exported from Cisco ISE.

pavagupt_23-1606122486714.png

  1. After the certificate uploads, verify that the Thumbprint value displayed on the window matches the Fingerprint value in the Cisco ISE certificate.

pavagupt_24-1606122486720.png

  1. Choose Manifest from the left menu pane. In the content displayed, check the value of displayName. The value must match the common name mentioned in the Cisco ISE certificate.

pavagupt_25-1606122486734.png

  • Choose API Permissions from the left menu pane. Add the following API permissions to the application:

pavagupt_26-1606122486751.png

  • Collect the following details from the Overview window of the application:
    1. Application (client) ID
    2. Directory (tenant) ID
    3. Click Endpoints on the Overview window and copy the value of the Oauth 2.0 Token Endpoint (V2) field

pavagupt_27-1606122486774.png

Cisco ISE Configuration

            Now that we have configured required config on Microsoft Azure Intune side, we will now try to integrate it with Cisco ISE configuration.

  1. Use a browser to download certificates from https://graph.windows.net and https://fef.msuc05.manage.microsoft.com/ in the PEM (chain) format. The following certificates must be downloaded:
    1. Microsoft IT TLS CA 1
    2. Baltimore CyberTrust Root
    3. DigiCert SHA2 Secure Server CA
    4. DigiCert Global Root CA
  2. In the Cisco ISE administration portal, choose Administration > System > Certificates > Trusted Certificates. For each of the four certificates you just downloaded, carry out the following steps:
    1. Click Import.
    2. Click Choose File and choose the downloaded certificate from your system.
    3. Allow the certificate to be trusted for use by Infrastructure and Cisco Services. In the Usage area, check the Trust for authentication within ISE and Trust for authentication of Cisco Services check boxes.
    4. Click Save.
  3. Using the noted client ID, Directory ID and Oauth 2.0 Token Endpoint, in the Cisco ISE administration portal, choose Administration > Network Resources > External MDM. Click Add
    1. Name – name of the MDM server in ISE for reference.
    2. Choose OAuth – Client Credentials from the Authentication Type drop-down list.
    3. In the Auto Discovery URL field, enter “https://graph.windows.net/< Directory (tenant) ID>
    4. In the Client ID field, enter the Application (client) ID value from the Intune application.
    5. In the Token Issuing URL field, enter the Oauth 2.0 Token Endpoint (V2) value.
    6. Enter the required values for the Polling Interval and Time Interval For Compliance Device ReAuth Query fields.

pavagupt_28-1606122486895.png

 

NOTE: Ensure to configure proxy if your ISE need to reach out to Microsoft through proxy.

  1. Click Test Connection to ensure Cisco ISE can connect to the Microsoft server.

pavagupt_29-1606122486899.png

 

  1. When the connection test is successful, choose Enabled from the Status drop-down list. Click Save.  
  2. Ensure ISE shows intune configuration after saving.

pavagupt_30-1606122486912.png

Verification

            Following section is to validate the integrated ISE + Microsoft Intune server to get the endpoint compliance/attributes and accordingly admin the endpoint network access.  

  1. In the Cisco ISE administration portal choose Administration > Network Resources > External MDM. The Intune server added must be displayed in the list of MDM Servers.

pavagupt_31-1606122486946.png

  1. Navigate to Policy > Policy Sets and create authorization policies in a policy set as shown below. Basically, we are trying to create policies for
    1. UnRegistered
    2. Registered & Compliant
    3. Registered & NonCompliant

pavagupt_32-1606122486966.png

  1. You can now authenticate using the endpoint which was registered against MDM Intune server and verify whether your configuration is working fine or not. If everything is working fine, endpoint should be matching with the policies that you have written above.

pavagupt_33-1606122486985.png

  1. You can come to know the attributes retrieved from MDM Intune server by going to context-visibility - > endpoints > Compliance > <endpoint-ID>

pavagupt_34-1606122486992.png

 

  1. You can also important MDM attributes of the endpoint from External Mobile Device Management Reports by navigating to Operations > Reports > Reports > Endpoints & Users > External Mobile Device Management reports

pavagupt_35-1606122487007.png

 

Content for Community-Ad