pavagupt (Cisco Employee)
Introduction

Cisco ISE is aligned with the Zero Trust Network Access solution, ensuring that users and devices receive the appropriate privileges and access upon connecting to the network. Let's explore how we can provide secure and compliant access to endpoints managed by UEM/MDM vendors when they are integrated with Cisco ISE. We will also go through why the MDM V3 APIs, which rely on certificate-based identifiers, are superior to MDM V2 in handling MAC randomization and the complications introduced by dongles or docking stations, as well as the variation in where the GUID is placed in the certificate (the Subject CN or the SAN field).

 

UEM/MDM Introduction

Over time, Unified Endpoint Management (UEM) has evolved from Mobile Device Management (MDM). Initially, MDM was used to secure access to devices and organizational data, primarily on mobile devices and desktops; later it expanded to include IoT, printers, laptops, and more. As time progressed, UEM emerged from MDM with significantly enhanced controls and components. The UEM vendors available today typically provide the following components:

  • MDM (Mobile Device Management): Handles the device hardware
    • Who owns the device?
    • What operating system does it use?
    • Has it been "jail broken"?
    • If lost or stolen, what data would be lost?
    • How would you troubleshoot a device?
    • Do you have a mobile device inventory?
  • MAM (Mobile Application Management): Handles the Apps installed on the device
    • What apps can be installed or used?
    • How can they be deployed and licensed?
    • Can updates be required?
    • How can apps and data be removed?
  • MCM (Mobile Content Management): Content accessed by and stored on the device
    • What content can be accessed or blocked?
    • Which files can be accessed or shared?
    • How can VPN access be required to protect corporate data?
    • How can copy/paste and email attachments be controlled?
  • MIM (Mobile Identity Management): The identity of the device and its user
    • Who is using the device? Are they trusted?
    • Is the device trusted too?
    • Is the user allowed to access apps and resources?
    • Can we use a schedule or device location to limit access?

Since the UEM/MDM managed devices have network and resource access upon connecting to the network, integrating Cisco ISE with the UEM/MDM vendor allows for the control of network access based on the compliance status of an endpoint. For example, if a managed device does not comply with established policies, if the PIN Lock status is not configured, or if the device has been jailbroken or rooted, Cisco ISE can assign differentiated privileges according to the ISE policies that utilize these MDM attributes. This integration not only enhances security but also ensures that only compliant devices can access sensitive resources, thereby protecting the network from potential threats.

NOTE: Compliance policies are defined on the UEM/MDM vendor, not on the Cisco ISE.  
Benefits of Cisco ISE and UEM Integration.png

Cisco ISE Compliance

The endpoints, devices, and things connect to the network over wired, wireless, VPN, or 5G. On behalf of the endpoint, Network Access Devices (NADs) will send RADIUS requests to Cisco ISE for policy evaluation. Cisco ISE then checks against supported identity stores such as Certificate Authentication Profiles (CAP), Active Directory, LDAP, etc., for authentication. Once authentication is successful, Cisco ISE evaluates authorization policies to provide differentiated privileges. Information accumulated during policy evaluation can be shared with Cisco ecosystem partners for contextual insights and segmentation accordingly. 

ISE zero trust.png

Compliance is a process of adhering to a set of rules and regulations that organizations follow. Cisco ISE offers **Posture**, **UEM/MDM**, and **Threat Centric NAC (TC-NAC)** services as part of Compliance. You require **Premier licenses** in order to utilize the Cisco ISE Posture, UEM/MDM, and Threat Centric NAC (TC-NAC) Compliance services.

 

Compliance Services.png

Now, when the question arises regarding whether to use the Posture service or UEM/MDM, please refer to the table below for clarification.

| Aspect | Posture Service | MDM Service |
|---|---|---|
| Compliance Management | ISE | UEM/MDM Vendor |
| ISE License | Premier | Premier |
| Agent | Cisco Secure Client | MDM Agent/Profiles |
| Remediation | Yes | No |
| Other Features | Agent, Agentless, Stealth, Temporal, Posture Lease, PRA & Grace Period | Visibility & Profiling |
| Policies | Granular | Granular |
| Network Access | Real Time Evaluation | MDM Status |
| OS Coverage | Windows, macOS & Linux | Windows, macOS, Linux, iOS, Android, etc. |
| Operations | Deploying and maintaining compliance checks, agents, OS updates | Deploying certificates and maintaining certificate attributes |
| Deploying Apps | Yes (Remediation) | Yes |

You can additionally add the Threat Centric NAC (TC-NAC) service to the Posture or UEM/MDM service, so that differentiated privileges are based not only on compliance but also on threat/vulnerability information from TC-NAC.

 

 

UEM/MDM Integration & MDM API Versions

Cisco ISE can be integrated with UEM/MDM servers in addition to AAA to provide secure and compliant access to managed devices. Cisco ISE allows you to create policies based on the following MDM attribute values stored or shared by the respective UEM/MDM vendor:

NOTE: Each UEM/MDM server shares a different subset of these attributes; you can only write policies on the attributes your vendor actually shares.
* DaysSinceLastCheckin
* Manufacturer
* OsVersion
* DeviceComplianceStatus
* MDMFailureReason
* PhoneNumber
* DeviceRegistrationStatus
* MDMServerName
* PinLockStatus
* DiskEncryptionStatus
* MDMServerReachable
* SerialNumber
* IMEI
* MEID
* ServerType
* JailBroken
* Model
* UDID
* UserNotified

Cisco ISE can be integrated with UEM/MDM vendors over the MDM V2 or MDM V3 API, as shown in the figure below. Let's now understand what exactly MDM V2 and MDM V3 are.

MDM API versions.png

MDM V2 API

When users and devices connect to the network, the RADIUS ACCESS-REQUEST sent by the Network Access Device includes the Calling-Station-ID, which is essentially the MAC address of the endpoint/device. That MAC address is used to query the UEM/MDM server for compliance information in order to provide differentiated privileges. The MDM V2 API relies entirely on the endpoint MAC address to retrieve the compliance information of the managed device from the UEM/MDM server.

MDM V2 API version.png

MDM V3 API

Since the MDM V2 API depends on the RADIUS Calling-Station-ID seen by ISE (the MAC address), there are situations, such as when MAC randomization is enabled on the endpoint or when the endpoint connects through a dongle or docking station, where that value does not correspond to the actual MAC address of the endpoint, so the UEM/MDM server is queried with the wrong identifier.

MDM V2 API MAC dependency.png

This is the reason for the enhancement from MDM API V2 to MDM API V3, which relies on unique attributes such as the GUID, UDID, or Management ID that can be used to query the UEM/MDM server for compliance information. This GUID, UDID, Management ID, or ID can be imprinted in the managed user/device certificate's Subject: Common Name or Subject Alternative Name: URI field.

MDM V3 API1.png

GUID_UDID_DeviceID.png

You can configure Cisco ISE to utilize the certificate's Subject: Common Name or Subject Alternative Name: URI, legacy MAC address, or any combination thereof to query the UEM/MDM and retrieve compliance information to provide differentiated privileges. 

Device Identifier.png

When the endpoint/device authenticates using a certificate, Cisco ISE validates the certificate using a Certificate Authentication Profile (CAP), retrieves the GUID, UDID, ID, or Management ID from the certificate's Subject: Common Name or Subject Alternative Name: URI field, queries the UEM/MDM vendor with that identifier to retrieve compliance information, and grants differentiated privileges based on the policies.

How it works.png
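To make the identifier selection concrete, here is an added Python example (not Cisco ISE code) that models picking a device identifier from a certificate's Subject CN or SAN URI before falling back to the RADIUS MAC, and rejecting a locally administered (randomized) MAC, which is the case the MDM V2 lookup gets wrong. The sample certificate fields, the `mdm-device-id://` URI scheme, the 8-4-4-4-12 GUID format and all helper names are constructed assumptions.

```python
import re
from typing import Optional

# Assumed GUID/UUID shape (8-4-4-4-12 hex groups) for the MDM device identifier.
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed sample certificates (not from the article): the parsed Subject CN and
# SAN URI values an ISE Certificate Authentication Profile would read.
CERT_GUID_IN_CN = {"subject_cn": "0f3a9b1c-4d5e-4f60-8a7b-9c0d1e2f3a4b",
                   "san_uris": []}
CERT_GUID_IN_SAN = {"subject_cn": "corp-laptop-42",
                    "san_uris": ["mdm-device-id://7e1d2c3b-4a59-4687-9f0e-1d2c3b4a5968"]}

def normalize_mac(mac: str) -> str:
    """Accepts aa:bb:cc:dd:ee:ff, AA-BB-..., or Cisco aabb.ccdd.eeff; returns AA:BB:...."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set: a randomized or
    otherwise locally assigned MAC, exactly the case where a MAC-only (MDM V2)
    lookup would not identify the managed device."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def guid_from_cert(cert: dict, source: str) -> Optional[str]:
    """Pull the GUID from the Subject CN, or from the first SAN URI carrying one."""
    fields = [cert.get("subject_cn", "")] if source == "cn" else cert.get("san_uris", [])
    for value in fields:
        m = GUID_RE.search(value)
        if m:
            return m.group(0).lower()
    return None

def select_device_identifier(cert: dict, calling_station_id: str,
                             order=("cn", "san_uri", "mac")):
    """Walk the configured identifier order (CN, SAN URI, legacy MAC, or any
    combination) and return (source, value). The RADIUS MAC is accepted only
    when it is not a locally administered address."""
    for source in order:
        if source in ("cn", "san_uri"):
            value = guid_from_cert(cert, source)
        elif source == "mac":
            value = (None if is_locally_administered(calling_station_id)
                     else normalize_mac(calling_station_id))
        else:
            raise ValueError(f"unknown identifier source {source!r}")
        if value:
            return source, value
    return None, None
```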

 

The table below summarizes which MDM API you could rely on to query the UEM/MDM server, depending on the authentication protocol in use:

| Aspect | MDM v2 API | MDM v3 API |
|---|---|---|
| Query based on | MAC Address in RADIUS | GUID in Certificate's CN/SAN; MAC Address in RADIUS |
| MAC Only Dependent | Yes | No |
| Config/Operational challenge | Disable MAC Randomization? | Provisioning certs and maintenance; separate templates for different managed OS endpoints based on MDM vendors |

VPN

VPN use case is a little different. When the endpoint connects over the VPN, the certificate or MAC address is known to the VPN headend rather than Cisco ISE. Cisco AnyConnect or Secure Client shares certificate attributes/MAC address information over ACIDEX to Cisco ISE, allowing ISE to query UEM/MDM using these attributes to retrieve compliance information.

VPN.png

The image below shows which MDM API version you could use based on the authentication protocol:

 

auth vs API version.png

 

Below are the ecosystem partners currently supported under UEM/MDM integration with their respective MDM API versions:

ecosystem partners.png

Optimization, Policy Examples and Best Practices

Compliance Cache Expiration Time

The number of times the endpoint connects to the network (first time/reauthentication/reconnecting, etc.) determines how many times Cisco ISE needs to query the UEM/MDM server to retrieve compliant information for authorization. To optimize or reduce the number of queries against the UEM/MDM server, the "Compliance Cache Expiration Time" (ranging from 1 minute to 7 days) can be utilized. During the "Compliance Cache Expiration Time," when the endpoint connects to the network, Cisco ISE uses stored information to provide authorization instead of querying the UEM/MDM server. If you seek more recent compliance information, smaller values can be employed. However, keep in mind that a smaller "Compliance Cache Expiration Time" value may result in a higher number of queries against the UEM/MDM server and increased load on Cisco ISE. Adjust this value according to the load and scale.

Compliance Cache Expiration Time.png

Polling Interval

Cisco ISE can provide restricted or quarantine access to non-compliant managed devices. You have the option to redirect users to a customizable ISE BlockHole or an external page, allowing users to take action to make their devices compliant. However, the compliance status is updated on the UEM/MDM server. To obtain the latest information, Cisco ISE performs a bulk query for all non-compliant endpoints against the UEM/MDM server at every configured polling interval to retrieve compliance status information. Cisco ISE then issues a Change of Authorization (CoA) if there is any change for a connected endpoint (for example, from non-compliant to compliant) to provide the appropriate privileges to that endpoint.

Polling Interval1.png

Considering the number of non-compliant endpoints in the UEM/MDM server, a small polling interval could impact Cisco ISE performance, because Cisco ISE runs a bulk query at every polling interval and must cross-check the results against the saved information. It is advised to keep the polling interval at an optimal value.

Polling Interval2.png
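The following added Python model (not Cisco ISE code) shows how the two knobs described above interact: a per-endpoint compliance cache honoured for "Compliance Cache Expiration Time" seconds, and a polling tick that bulk-queries only the cached non-compliant endpoints and reports which ones flipped to compliant and therefore need a CoA. The MDM records, the endpoint ids and all function and class names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed stand-in for the UEM/MDM server's compliance records (not real data).
MDM_STATE: Dict[str, bool] = {"laptop-01": True, "phone-07": False, "tablet-03": False}

def mdm_query_one(endpoint_id: str) -> bool:
    """One per-endpoint compliance lookup (what a cache miss costs)."""
    return MDM_STATE[endpoint_id]

def mdm_query_bulk(endpoint_ids: List[str]) -> Dict[str, bool]:
    """One bulk lookup for the non-compliant set (what each polling interval costs)."""
    return {e: MDM_STATE[e] for e in endpoint_ids}

@dataclass
class CachedStatus:
    compliant: bool
    fetched_at: float  # seconds, on the caller's clock

@dataclass
class ComplianceBroker:
    """Models the Compliance Cache Expiration Time (cache_ttl) and the Polling
    Interval (the caller decides how often poll_noncompliant runs)."""
    cache_ttl: float
    query_one: Callable[[str], bool] = mdm_query_one
    query_bulk: Callable[[List[str]], Dict[str, bool]] = mdm_query_bulk
    cache: Dict[str, CachedStatus] = field(default_factory=dict)
    mdm_calls: int = 0  # counts API calls made against the UEM/MDM server

    def authorize(self, endpoint_id: str, now: float) -> bool:
        """Compliance status used for authorization: reuse the cached value while
        it is younger than cache_ttl, otherwise query the UEM/MDM server."""
        entry = self.cache.get(endpoint_id)
        if entry is not None and now - entry.fetched_at < self.cache_ttl:
            return entry.compliant
        self.mdm_calls += 1
        status = self.query_one(endpoint_id)
        self.cache[endpoint_id] = CachedStatus(status, now)
        return status

    def poll_noncompliant(self, now: float) -> List[str]:
        """One polling-interval tick: bulk-query every cached non-compliant endpoint
        and return the ids whose status flipped to compliant (these need a CoA)."""
        pending = [e for e, s in self.cache.items() if not s.compliant]
        if not pending:
            return []
        self.mdm_calls += 1
        fresh = self.query_bulk(pending)
        needs_coa = [e for e in pending if fresh.get(e, False)]
        for e in pending:
            self.cache[e] = CachedStatus(fresh.get(e, False), now)
        return needs_coa
```

Lowering `cache_ttl` or polling more often raises `mdm_calls`, which is the load the article warns about.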

Policy Examples

There is no special knob/control available to enable or disable the UEM/MDM service. By default, if you have a Premier license, you can make use of the UEM/MDM service. Once integrated with any UEM/MDM server, you can use MDM dictionary attributes in your policies.

 

Below are examples of policies that use the MDM enrollment status and compliance status.

Policy Example1.png

To force Cisco ISE to query the UEM/MDM vendor for the compliance status rather than relying on cached/saved information, you can use the MDM:MDMServerName attribute as shown below.

  

Policy Example2.png

You can also use any of the MDM attributes, such as MDM:DiskEncryptionStatus, MDM:JailBrokenStatus, or MDM:PinLockStatus, in authorization policies.

 

Policy Example3.png

Optionally, you can also use External Groups or authentication methods along with MDM dictionary attributes to give differentiated privileges to UEM/MDM managed endpoints.

  

Policy Example4.png

When Cisco ISE cannot reach the UEM/MDM server, or the server is not responding, you can use the MDM:MDMServerReachable attribute to decide what privileges managed devices receive.

Policy example5.png

Cisco ISE and Microsoft Endpoint Management (Intune) Integration Demo (video)

Cisco ISE and Jamf Integration Demo (video)

Cisco ISE and Ivanti (Formerly MobileIron) Integration Demo (video)

Cisco ISE and Meraki System Manager Integration Demo (video)

Multiple UEM/MDM Vendor Integration

There are situations where a customer could have multiple UEM/MDM servers: different types of endpoints managed by different UEM/MDM servers, different locations managed by different UEM/MDM servers, or a migration from one vendor to another.
Cisco ISE supports integrating with multiple UEM/MDM servers. By default, querying multiple UEM/MDM servers is disabled on Cisco ISE. When enabled, the following two conditions are available under which Cisco ISE falls back to subsequent UEM/MDM servers:
1. Endpoint is not registered with the configured primary MDM/UEM server: an endpoint is not registered or enrolled with the first or primary MDM/UEM integration that Cisco ISE queries, as configured in the authorization policies.
2. Primary MDM/UEM server sends an error/exception response: Cisco ISE receives an error or exception response from the first assigned or known MDM/UEM server when fetching compliance information. See the Endpoint Context Visibility window for information on the MDM/UEM servers associated with an endpoint.

Multi-UEM_MDM.png

Comments

Martin L (VIP)

Awesome, thank you for sharing!
