Showing results for 
Search instead for 
Did you mean: 

ISE BYOD Endpoint notes



This document is to provide any changes made to endpoint OS that impacts BYOD flow for end users.


Prior to troubleshooting endpoint issues, please follow these steps first:

  • If you see support OS issues - Update OS finger printing DB on ISE: This is done by going to Administration > System > Settings, Posture > Updates, then click ‘Update Now’ button. It may take ~ 10 minutes to complete. Although this update is for posture, BYOD flow leverages the same update to identify browser user agent string to get OS information from the client. This menu is available to setup even if the deployment does not have any Apex license.
  • For Android, make sure to download latest version of SPW app from the Google play store
  • For Windows and macOS, make sure to download latest SPW from Cisco to ISE and update Client Provisioning Policy to reflect the newer version of SPW


Android devices

Android Q

CSCvp32898 Day0: Android Qbeta is not able to complete the BYOD flow 

Android 9 (Pie)

  • If BYOD profile includes web proxy settings, SPW requires user to establish Android work profile if not already present on the endpoint
  • With single-SSID flow, user has to delete the SSID setting (That was used to connect with PEAP-MSCHAPv2) for EAP-TLS will function. User will be guided via overlay instructions

Android 6 (Marshmallow) and above

  • Uses EST instead of SCEP between the endpoint and ISE. Requires additional policies on ISE and also change to redirect ACL to allow EST server access from endpoint. Due to this change end users are required to enter network credential for EST authentication in addition to regular WebAuth/802.1X authentication


iOS devices


  • Not in our control, Apple decision

    • When non well known certificate is used for BYOD portal, iOS device requires the root CA certificate to be trusted prior to accepting rest of the profile

    • Dual SSID

      • After on boarding disconnect from guest SSID and reconnect to secure SSID - apple doesn't give us hooks to change this


  • Now iOS device requires user to manually go to profile settings whereas before user was able to open profiles within the browser
  • Profile popup for root CA certificate and SCEP/WiFi profile popup happens back to back without user acknowledging
  • In a single-SSID flow, the iOS device is still connected with PEAP instead of EAP-TLS after CoA. User has to disable Wireless and re-enable it to connect with EAP-TLS
  • Trying for fix in 2.4 patch 9 (TBD) please contact TAC
    • CSCvp54992   BYOD provisioned profile doesn't automatically configure EAP TLS in IOS 12.2
    • CSCvp54949   BYOD flow is broken in IOS 12.2 
    • CSCvo58362   Day0: IOS 12.2 is not able to install Certificate/profile Automatically 



(view in My Videos)



10.12 (High Sierra)

  • When CNA BYOD (mini browser) flow is used, and when user clicks on the hyperlink in the CNA browser, instead of opening up full browser, it opens up within the CNA browser which breaks the BYOD flow.



Version 76

  • BYOD flow is successful, but endpoint cannot connect to the network provisioned by NSP