Thanks Tim. Customer is using Public certificates for the portals but internal CA for the EAP authentication so from the sounds of it should be good.

hslai can you elaborate on your last point? The admin certificates will be new and customer does have rules for certificate redirect to portal for expiring certificates. They are using their Microsoft CAs and not the internal ISE CA for handing out certificates.

Apple iOS devices do not allow installing another configuration profile with the same name if the payload is changed. The configuration profile on Apple iOS devices is signed by the admin certificate of ISE PSN, which authenticated and performed the BYOD, so that this admin certificate is part of the payload.

The workaround is to use a single wild-card of UCC certificate for all ISE PSNs for the same set of network devices.

Thanks so if I understand this correctly since this is a fresh environment will all new PSNs/Certificates only two options would be to delete old profile and re-enroll or change profile name. This will only affect them when they come to renew the certificate for Apple iOS devices correct?

That is about it.

As I recalled, ok to have two configuration profiles named differently but with the same Wi-Fi network ID. I've not recently tested it because we have been using the same name.

Thanks!!! I guess my only concern would be how iOS would prioritize profiles. If it kept trying to use the old profile ISE would redirect to client to the BYOD provisioning portal. Guess only option is really to delete that old profile. Interesting I have not seen this caveat called out in any documentation.

For endpoint group static assignments, we may use CSV export of endpoints from ISE 1.3 and then import to ISE 2.0.

If needing portalUser, then use ISE endpoint API from ISE ERS. The on-line doc @ https://<ISE-PPAN-IP-or-FQDN>:9060/ers/sdk will have more info, once ERS is enabled.