Virtual_Leo Posted August 30

Hello

We are currently looking into splitting our devices into different networks/firewall rules, and this we of course want to make as dynamic and automatic as possible. It may be possible in the future that this could be 5-6 different networks with different firewall rules. Today we only have one network for our MDM devices, and ISE is looking at the OID when the device tries to connect to send it to the correct network.

I would preferably not want to use different certificates for different networks/firewall rules. We looked at the ISE integration you can do; I'm not completely sure how you can query UEM. Are smart groups possible to query? If not, I don't quite understand what the benefits of the integration would be.

I've read both documentation from Cisco and Omnissa:
Cisco Identity Services Engine Administrator Guide, Release 3.4 - Secure Access [Cisco Identity Services Engine] - Cisco
https://techzone.omnissa.com/resource/integrating-workspace-one-uem-and-cisco-ise-v31-and-beyond

We run UEM on-premise.

Does anyone else run this and have any input to help us further?
Michael Troelstrup Posted August 30

Hey Leo,

It adds device status into the equation for network access: if a device is non-compliant or compromised, that data can be used by ISE to block access. You can also do IP range based enrollment to split your devices into groups, or use Tags and Workspace ONE Intelligence to tag and add to smart groups according to IP range etc.

I hope that answers your question.
Employee Solution Sascha Warno Posted September 2

As Michael stated, the integration adds compliance information to the authorization by providing an MDM device identifier during the authentication with certificates. The integration only gathers basic device information from the MDM service that could be used (https://docs.ansible.com/ansible/latest/collections/cisco/ise/endpoint_module.html#parameter-mdmAttributes; that listing is missing MDMUdid) but seems not usable in your specific use case.

My understanding is you want to organize the devices inside Cisco ISE?! There is no easy way for an API based automation, as the listing of network devices on the ISE side only gives basic info, and you would need to drill down into every device returned to find its associated MDMUdid, which you could use to find extra info using the UEM APIs.
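The drill-down Sascha describes, written out as an added example (not code from this thread, Cisco or Omnissa): list ISE endpoints, fetch each one to read its MDM attributes, look the UDID up in Workspace ONE UEM, and derive a network from the device's smart group. The ISE ERS paths and the `mdmUdid` attribute name, the UEM smart-group path, the `Fetch` callable and the group-to-network mapping are all assumptions; the sample responses are constructed so the join runs offline.

```python
from typing import Callable, Dict, List, Tuple

# Added example (not vendor code). Constructed: UEM smart group -> target network.
GROUP_TO_NETWORK = {"SG-Finance": "Net1", "SG-Engineering": "Net2"}
QUARANTINE = "Quarantine"      # non-compliant or unmapped devices land here
Fetch = Callable[[str], dict]  # stands in for an authenticated HTTP GET returning JSON

def ise_endpoints(fetch: Fetch) -> Dict[str, Tuple[str, bool]]:
    """MAC -> (UDID, compliant). The ISE listing carries only ids, so each
    endpoint is fetched on its own (paths and attribute names are assumed)."""
    out = {}
    for item in fetch("/ers/config/endpoint")["SearchResult"]["resources"]:
        ep = fetch(f"/ers/config/endpoint/{item['id']}")["ERSEndPoint"]
        mdm = ep.get("mdmAttributes", {})
        if mdm.get("mdmUdid"):
            out[ep["mac"]] = (mdm["mdmUdid"], bool(mdm.get("mdmCompliant")))
    return out

def uem_smart_groups(fetch: Fetch, udid: str) -> List[str]:
    """Find the UEM device by UDID, then list its smart groups (assumed paths)."""
    dev = fetch(f"/api/mdm/devices?searchby=Udid&id={udid}")
    groups = fetch(f"/api/mdm/devices/{dev['Id']['Value']}/smartgroups")
    return [g["SmartGroupName"] for g in groups.get("SmartGroup", [])]

def assign_networks(ise: Fetch, uem: Fetch) -> Dict[str, str]:
    """MAC -> network: non-compliant devices are quarantined (and never hit UEM);
    compliant ones follow the first smart group that has a mapping."""
    result = {}
    for mac, (udid, compliant) in ise_endpoints(ise).items():
        if not compliant:
            result[mac] = QUARANTINE
            continue
        nets = [GROUP_TO_NETWORK[g] for g in uem_smart_groups(uem, udid)
                if g in GROUP_TO_NETWORK]
        result[mac] = nets[0] if nets else QUARANTINE
    return result

# Constructed sample responses so the join runs offline.
ISE_SAMPLE = {
    "/ers/config/endpoint": {"SearchResult": {"resources": [{"id": "e1"}, {"id": "e2"}]}},
    "/ers/config/endpoint/e1": {"ERSEndPoint": {"mac": "AA:BB:CC:00:00:01",
        "mdmAttributes": {"mdmUdid": "UDID-1", "mdmCompliant": True}}},
    "/ers/config/endpoint/e2": {"ERSEndPoint": {"mac": "AA:BB:CC:00:00:02",
        "mdmAttributes": {"mdmUdid": "UDID-2", "mdmCompliant": False}}},
}
UEM_SAMPLE = {
    "/api/mdm/devices?searchby=Udid&id=UDID-1": {"Id": {"Value": 42}},
    "/api/mdm/devices/42/smartgroups": {"SmartGroup": [{"SmartGroupName": "SG-Finance"}]},
}
```

Against a live deployment the two `Fetch` callables would wrap authenticated requests to ISE ERS and the UEM REST API, and the returned map would feed whatever ISE uses for authorization (for example an endpoint identity group per network).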
Virtual_Leo (Author) Posted September 3

Ok, then I understand what it's meant for; of course it's a good thingy to be able to block network access in that way. I was hoping it was able to query something like smart groups or tags. For our Windows endpoints (not UEM managed, we use SCCM for them) we use Active Directory groups to manage this, which is working very neatly: Group 1 = Net1, Group 2 = Net2, etc.