Cisco ISE integration to WS1 UEM


Solved by Sascha Warno

Posted

Hello

We are currently looking into splitting our devices across different networks/firewall rules, and of course we want to make this as dynamic and automatic as possible. In the future this could be 5-6 different networks with different firewall rules.

Today we only have one network for our MDM devices, and ISE looks at the OID when the device tries to connect to send it to the correct network.

I would preferably not want to use different certificates for different networks/firewall rules. We looked at the ISE integration you can do, but I'm not completely sure how you can query UEM. Are smart groups possible to query?
If not, I don't quite understand what the benefits of the integration would be.

I've read the documentation from both Cisco and Omnissa:
Cisco Identity Services Engine Administrator Guide, Release 3.4 - Secure Access [Cisco Identity Services Engine] - Cisco
https://techzone.omnissa.com/resource/integrating-workspace-one-uem-and-cisco-ise-v31-and-beyond

We run UEM on-premise.
Does anyone else run this and have any input to help us further?


Posted

Hey Leo,

It adds device status into the equation for network access: if a device is non-compliant or compromised, that data can be used by ISE to block access.

You can also do IP-range-based enrollment to split your devices into groups, or use Tags and Workspace ONE Intelligence to tag devices and add them to smart groups according to IP range, etc.

I hope that answers your question.

Employee | Solution
Posted

As Michael stated, the integration adds compliance information to the authorization by providing an MDM device identifier during the authentication with certificates. The integration only gathers basic device information from the MDM service that could be used (https://docs.ansible.com/ansible/latest/collections/cisco/ise/endpoint_module.html#parameter-mdmAttributes; that listing is missing MDMUdid), but it seems not usable in your specific use case. My understanding is you want to organize the devices inside Cisco ISE?! There is no easy way for an API-based automation, as the listing of network devices on the ISE side only gives basic info, and you would need to drill down into every device returned to find its associated MDMUdid, which you could use to find extra info using the UEM APIs.
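The join described in this answer (per-endpoint ISE detail, then MDMUdid lookup against UEM) as an added example; this is not code from the thread, Cisco or Omnissa. The ISE mdmAttributes key names mirror the Ansible listing linked above and MDMUdid is the key the answer says that listing omits; the UEM record shape, the tag names and the network mapping are constructed assumptions, and no real API is called.

```python
# Added example (not from the thread or either vendor): derive a per-device
# network decision by joining ISE endpoint detail with UEM records on the
# MDM UDID. Posture from ISE (enrolled / compliant / jailbroken) always wins
# over any UEM tag, which is the blocking behaviour the integration gives you.
# Field names and sample values below are constructed assumptions.
from typing import Optional


def _ep(mac: str, **attrs) -> dict:
    """Build one constructed ISE endpoint-detail record."""
    return {"mac": mac, "mdmAttributes": attrs}


# Constructed per-endpoint ISE detail (the coarse endpoint listing alone would
# not expose MDMUdid, so each device has to be fetched individually).
ISE_ENDPOINTS = [
    _ep("AA:BB:CC:00:00:01", mdmEnrolled=True, mdmCompliantStatus=True, mdmJailBroken=False, MDMUdid="udid-0001"),
    _ep("AA:BB:CC:00:00:02", mdmEnrolled=True, mdmCompliantStatus=True, mdmJailBroken=False, MDMUdid="udid-0002"),
    _ep("AA:BB:CC:00:00:03", mdmEnrolled=True, mdmCompliantStatus=False, mdmJailBroken=False, MDMUdid="udid-0003"),
    _ep("AA:BB:CC:00:00:04", mdmEnrolled=True, mdmCompliantStatus=True, mdmJailBroken=True, MDMUdid="udid-0004"),
    _ep("AA:BB:CC:00:00:05", mdmEnrolled=True, mdmCompliantStatus=True, mdmJailBroken=False, MDMUdid="udid-0005"),
    _ep("AA:BB:CC:00:00:06", mdmEnrolled=False),
]

# Constructed UEM records keyed by UDID; tags are what should drive the
# network choice, and ISE cannot see them without this lookup.
UEM_DEVICES = {
    "udid-0001": {"tags": ["net-finance"]},
    "udid-0002": {"tags": ["net-warehouse"]},
    "udid-0003": {"tags": ["net-finance"]},
    "udid-0004": {"tags": ["net-warehouse"]},
}

TAG_TO_NETWORK = {"net-finance": "Net1", "net-warehouse": "Net2"}  # assumed
DEFAULT_NETWORK = "NetMDM"   # enrolled, compliant, but no mapped tag
QUARANTINE = "Quarantine"    # unmanaged or failed posture


def decide_network(endpoint: dict, uem: dict, tag_map: dict) -> str:
    """Return the network one ISE endpoint should be placed in."""
    attrs = endpoint.get("mdmAttributes", {})
    if not attrs.get("mdmEnrolled"):
        return QUARANTINE                      # no MDM posture available
    if attrs.get("mdmJailBroken") or not attrs.get("mdmCompliantStatus"):
        return QUARANTINE                      # posture failure blocks access
    udid: Optional[str] = attrs.get("MDMUdid")
    record = uem.get(udid, {}) if udid else {}
    for tag in record.get("tags", []):         # first mapped tag wins
        if tag in tag_map:
            return tag_map[tag]
    return DEFAULT_NETWORK


def build_assignments(endpoints: list, uem: dict, tag_map: dict) -> dict:
    """Map every endpoint MAC to its network, as a bulk sync job would."""
    return {e["mac"]: decide_network(e, uem, tag_map) for e in endpoints}
```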

Posted

OK, then I understand what it's meant for; of course it's a good thingy to be able to block network access in that way.

I was hoping it was able to query something like smartgroups or tags.
For our Windows endpoints (not UEM managed, we use SCCM for them) we use Active Directory groups to manage this, which is working very neatly.

Group 1 = Net1
Group 2 = Net2, etc.
