MDM integration without device on-boarding with 2 different MDM vendors

lars.cederholm
Level 1

I have AirWatch and Intune integrated to ISE and I want to check compliant and registered status, but I do not get this to work properly, and I wonder if I need the redirect rule even though the devices are on-boarded in MDM via Internet/4G. Can anyone tell me how to do this? These are my rules at the moment:
Accepted Solution

Serhii Kucherenko
Cisco Employee

There is no need to redirect endpoints if policies are configured in the proper way.

There are two important things which need to be added for a multi-MDM scenario when there are endpoints which were registered out-of-band:

1. MDM server name attribute
2. Differentiator attribute before the MDM server name condition

When you create policies, ISE executes attribute collection (AKA Queried PIP) in the same order as they are listed in the authorization policies.

In a multi-MDM server scenario we can't just use an MDM server name attribute, since it creates an ambiguity when ISE needs to decide which MDM server to query for a specific endpoint.

As a result of such ambiguity, for every endpoint ISE will pick the MDM server from the first policy which contains an MDM server name.

Below you may see an example from my lab for two MDM servers - Meraki and SCCM.

(screenshot: image003.png)

1. Differentiator attribute - in my case it's an AD group. Presence of this attribute in the policy pushes ISE to query the External AD group PIP first. As a result, further policy selection is limited only to policies which contain the specific AD group.

In your scenario I think you can use a Certificate template attribute as a differentiator.

2. MDM server name condition - this one will trigger a query to the proper server.

3. Endpoint MDM attributes

The example contains only two 'Non-Compliant' policies, but all other policies (except redirect policies) should be configured in the same way.

In case you wish to keep redirect policies, you shouldn't use an MDM server name there, since you specify the server name in the authorization profile.
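A toy model of the ordering behaviour described in the answer, added here as an illustration and not code from the answer, from Cisco, or from ISE itself: policies are walked top-down, a differentiator condition is checked before the server-name condition, and the server queried is taken from the first surviving policy that names one. All policy names, endpoint MACs, AD groups and MDM records are constructed; the evaluator is a deliberate simplification of ISE.

```python
# Toy model (not ISE code) of the policy-ordering behaviour described above:
# the MDM server queried for an endpoint comes from the first authorization
# policy whose earlier conditions (the differentiator) still match and which
# carries an MDM server-name condition. All data below is constructed.
from dataclasses import dataclass
from typing import Optional

# Constructed MDM inventories keyed by server name, then endpoint MAC.
MDM_RECORDS = {
    "Meraki": {"aa:bb:cc:00:00:01": {"Registered": True, "Compliant": True}},
    "SCCM":   {"aa:bb:cc:00:00:02": {"Registered": True, "Compliant": False}},
}

@dataclass
class Policy:
    name: str
    ad_group: Optional[str]      # differentiator condition; None = not present
    mdm_server: Optional[str]    # MDM server-name condition; None = not present

def pick_mdm_server(policies, endpoint):
    """Walk policies in order. A differentiator that does not match drops the
    policy before its MDM server-name condition is ever considered."""
    for p in policies:
        if p.ad_group is not None and p.ad_group != endpoint["ad_group"]:
            continue
        if p.mdm_server is not None:
            return p.mdm_server
    return None

def mdm_status(policies, endpoint):
    """Return (server queried, record found). Querying the wrong server yields
    no record, which is how the ambiguity shows up for out-of-band devices."""
    server = pick_mdm_server(policies, endpoint)
    record = MDM_RECORDS.get(server, {}).get(endpoint["mac"]) if server else None
    return server, record

MERAKI_EP = {"mac": "aa:bb:cc:00:00:01", "ad_group": "Meraki-Users"}
SCCM_EP   = {"mac": "aa:bb:cc:00:00:02", "ad_group": "SCCM-Users"}

# Ambiguous: both policies name an MDM server but nothing differentiates them,
# so every endpoint is sent to the server named in the first policy.
AMBIGUOUS = [Policy("NonCompliant-Meraki", None, "Meraki"),
             Policy("NonCompliant-SCCM", None, "SCCM")]
# Fixed: an AD-group differentiator sits before the server-name condition.
DIFFERENTIATED = [Policy("NonCompliant-Meraki", "Meraki-Users", "Meraki"),
                  Policy("NonCompliant-SCCM", "SCCM-Users", "SCCM")]

if __name__ == "__main__":
    for label, pols in (("ambiguous", AMBIGUOUS), ("differentiated", DIFFERENTIATED)):
        for ep in (MERAKI_EP, SCCM_EP):
            print(label, ep["mac"], mdm_status(pols, ep))
```

Running it shows the SCCM-registered endpoint being queried against Meraki (and found nowhere) under the ambiguous policy set, and against SCCM under the differentiated one.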