This document lists changes in endpoint operating systems that affect the BYOD flow for end users.
Prior to troubleshooting endpoint issues, please follow these steps first:
Update the OS fingerprinting DB on ISE: go to Administration > System > Settings > Posture > Updates, then click the ‘Update Now’ button. The update may take about 10 minutes to complete. Although this update is intended for posture, the BYOD flow uses the same database to map the browser user agent string to the client OS. This menu is available even if the deployment does not have an Apex license.
For Android, make sure to download the latest version of the SPW app from the Google Play Store.
For Windows and macOS, make sure to download the latest SPW from Cisco to ISE and update the Client Provisioning Policy to reference the newer SPW version.
Android 9 (Pie)
If the BYOD profile includes web proxy settings, SPW requires the user to set up an Android work profile if one is not already present on the endpoint.
With the single-SSID flow, the user has to delete the saved SSID setting (the one used to connect with PEAP-MSCHAPv2) before EAP-TLS will function. The user is guided through this via overlay instructions.
Android 6 (Marshmallow) and above
Uses EST instead of SCEP between the endpoint and ISE. This requires additional policies on ISE and a change to the redirect ACL to allow EST server access from the endpoint. Because of this change, end users are required to enter their network credentials for EST authentication in addition to the regular WebAuth/802.1X authentication.
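The redirect ACL change mentioned above, shown as an added example on a Cisco IOS switch (this is not configuration from the original document). Assumptions: 192.0.2.10 is a placeholder for the ISE PSN address, 8443 is the default portal port, and the EST service is assumed to listen on TCP 8084 (verify this against the port reference for your ISE version). On IOS, a "deny" entry in the redirect ACL means the traffic is not redirected, and a "permit" entry means it is redirected; an AireOS WLC uses the opposite convention, so adapt the entries if the ACL is applied there.

```cisco
! Added example (not from the original document): redirect ACL on a Cisco IOS
! switch with the EST exception needed for Android 6+ BYOD.
! Placeholders/assumptions: 192.0.2.10 stands for the ISE PSN; 8443 is the
! default portal port; EST is assumed to listen on TCP 8084 (check the port
! reference for your ISE version).
! IOS semantics: "deny" = do NOT redirect (pass through), "permit" = redirect.
ip access-list extended ACL-BYOD-REDIRECT
 remark -- do not redirect DHCP and DNS
 deny   udp any eq bootpc any eq bootps
 deny   udp any any eq domain
 remark -- do not redirect the BYOD portal itself
 deny   tcp any host 192.0.2.10 eq 8443
 remark -- NEW for Android 6+: do not redirect EST enrollment to ISE
 deny   tcp any host 192.0.2.10 eq 8084
 remark -- redirect all other web traffic to the BYOD portal
 permit tcp any any eq www
 permit tcp any any eq 443
```

Without the EST entry, the Android 6+ endpoint's enrollment request is caught by the "permit" lines and redirected to the portal instead of reaching ISE, so certificate provisioning fails even though the rest of the BYOD flow appears to work.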
iOS devices now require the user to go to the profile settings manually, whereas before the user was able to open profiles from within the browser.
The profile popups for the root CA certificate and the SCEP/Wi-Fi profile appear back to back without waiting for the user to acknowledge the first one.
In a single-SSID flow, the iOS device is still connected with PEAP instead of EAP-TLS after CoA. The user has to disable Wi-Fi and re-enable it to connect with EAP-TLS.
When a certificate that is not from a well-known CA is used for the BYOD portal, iOS requires the root CA certificate to be trusted before it accepts the rest of the profile.
10.12 (High Sierra)
When the CNA BYOD (mini browser) flow is used and the user clicks the hyperlink in the CNA browser, the link opens within the CNA browser instead of in the full browser, which breaks the BYOD flow.