02-08-2016 07:39 PM
Curious if Cisco has the capability roadmapped to support multiple MDM providers similar multiple authentication sources via an Identity Store Sequence. Customer is migrating from one MDM to another, and it is challenging to create specific MDM rules based upon location (WLC) or device type. Customer has roaming users and desires support for the multiple MDM feature much like the identity store sequence capability. Please let me know if there are additional details I can provide... Thanks...
02-09-2016 03:15 PM
Corey,
I assume you are asking about validating endpoint attributes with the MDM? Obviously you must have the pre-reqs defined on which MDM to use in order to onboard the user with the correct one, so I am assuming you cannot mean that.
I am sending the link to this thread to the MDM integration PM, Erica.
-Aaron
02-10-2016 06:15 AM
To my knowledge, you need to define either device type or location as an attribute for MDM selection. I am wondering if we will ever be able to have a list of MDMs which get checked in order, similar to how we check multiple identity stores in an identity store sequence, eliminating the need to statically define which MDM to use via an attribute.
02-10-2016 06:20 AM
I understood you correctly, cool.
Yes, what you are asking for was something we asked for when first supporting multi-MDM w/ ISE. It's a roadmap item, but it's not committed to a single release yet.
We just re-emphasized the user-story with the PM, to try & get it prioritized for a release vehicle.
Aaron
05-23-2017 12:50 AM
Hi All
I ran into the same situation. Is there any status update on that? I mean, is there already a committed roadmap or anything similar? I mean the user story is simple: Customer has one MDM (let's say X with version 1) and wants to upgrade this to version 2. So there is a limited time where both systems should be accessible.
As I already posted on this:
...
I was not able to find any solution based on ISE 2.1 P3.
Any solution, hints on this?
Thanks, Marco
07-07-2017 01:03 PM
Not clear what the specific issue is here. ISE has supported multiple active MDM servers since ISE 1.4:
However, there was a doc bug at one time which stated that only one could be activated. That has since been corrected:
CSCvd39960. ISE admin guide conflicting info on multiple active MDMs support
One of the key changes in ISE 1.4 to support multiple active MDMs, is to add a condition to match MDM-Server. This looks into the endpoint record to determine the MDM-Server value associated with endpoint and then perform redirection to that specific MDM Server.
Multi-MDM support in ISE does not work like an ID sequence (try #1, then #2, then #3). Once the MDM server is identified, it is linked to the endpoint record. One of the only times you would match a condition for MDM Server 1 and then apply an AuthZ Profile that redirects to MDM Server 2 would be to switch registration to a new server, for example, when a customer is migrating from one vendor to another.
/Craig
07-13-2017 08:48 AM
Craig
Thanks for this clarification on how the whole process is done.
Unfortunately the bug is not visible for me in the bug toolkit and your link references an internal site. Anyway: after doing some more tests, we figured out the following behaviour:
- ISE 2.1 P3 never uses the second MDM AuthZ rule as long as this is linked to the endpoint, which you referenced in your clarification.
- ISE 2.2 P1 seems to be fixed on this point, and the second AuthZ rule is used, which is great news. But the Endpoint DB no longer shows the MDM endpoints...
Do you have any clarification for this?
Thanks, Marco
07-13-2017 09:14 AM
Redirect to MDM will populate the endpoint record (assuming it is linked to that MDM). It is imperative that each AuthZ rule includes the MDM Server match condition as its first condition, prior to other MDM conditions based on enrollment or compliance.
07-14-2017 05:08 PM
How about the case where the device is already enrolled in the MDM without ISE’s knowledge? When the device is first being authenticated it won’t have any association with an MDM, however, it may be registered with one of two MDMs. How would you suggest creating the policies for that use case?
Thanks
George
11-10-2020 06:41 AM
In my environment we use AirWatch for mobile devices and JAMF for MacBook laptops. With the assistance of TAC we were able to configure an authorization policy by creating endpoint profiles forcing the mobile devices to query AirWatch and the MacBook laptops to query JAMF. It seemed successful, but in my testing I find the issue starts when a user gets a new device: even though it is enrolled in one or the other, all Apple devices start as Apple-Device, and especially new iOS devices, as they would fail authentication and not profile properly.
Because of this we reverted to a REST/API script to handle JAMF. There is a good YouTube video explaining how to handle multiple MDMs using a script.
https://www.youtube.com/watch?v=TwbAiu3DsKc
I have my hopes that ISE 3.x may handle this better, but haven't heard yet.
09-28-2021 06:51 AM
Hello,
Did you use a third party for the REST/API script? We have a similar scenario, where we are using Intune as MDM for iOS devices (iPhones) and JAMF as MDM for macOS laptops. Configured both in ISE as external MDM. These devices would be connecting to a common SSID, and I have configured a single policy set, with the MDM server name condition placed first. Not sure if this will work. Yet to be tested.
03-29-2021 05:26 AM - edited 03-29-2021 05:28 AM
hi
Following this above. Currently on 2.2 p17.
We have MobileIron and (Intune as POC). MobileIron currently manages our BYOD and internal devices, but they want to move this to Intune, with the view to moving all our mobile devices from MobileIron to Intune in the future.
Currently have a BYOD SSID added; I have put the MDM name first in the AuthZ policy in both.
Is this not working because it is in the same Policy Set, or is there extra config required?
I don't want to create another SSID as I already have 15.
Ignore the disabled part, they were enabled when tested.
Any help much appreciated
cheers
07-21-2021 11:33 PM
did you ever get this working?
05-30-2022 03:38 AM
No, still working on it.
05-30-2022 03:32 PM - edited 05-30-2022 03:33 PM
With current release versions of ISE (<= 3.1), you need to have a matching condition (Profiling, Endpoint ID Group, etc) to define which endpoints will use which External MDM. ISE will not try one MDM, fail to find the endpoint, then try another MDM like an ID Source Sequence.
There is, however, an enhancement in the upcoming version of ISE 3.2 (currently in the Beta stage), to provide that capability with multiple MDMs.
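The difference described in this thread, between ISE's static attribute-based MDM selection (no fallback) and the identity-store-sequence style that several posters asked for, can be shown with a small model. This is an added illustration, not ISE code or any Cisco API: the endpoint records, the MDM inventories ("AirWatch" and "JAMF" as constructed names), the rule names and the profile strings are all constructed samples, and the "linked MDM-Server on the endpoint record" behaviour is modelled only as far as Craig's posts above describe it.

```python
"""Model of two MDM-selection behaviours discussed in this thread.

Added example (not ISE code). It models:
  (a) static selection: ordered rules whose conditions (MDM-Server value
      already linked to the endpoint, or a profiler result) pick one MDM,
      with no fallback if that MDM does not know the endpoint; and
  (b) sequence selection: a list of MDMs queried in order until one knows
      the endpoint, like an identity store sequence.
All names, MACs and inventories below are constructed samples.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class Endpoint:
    mac: str
    profile: str                         # profiler result, e.g. "Apple-iPhone"
    mdm_server: Optional[str] = None     # MDM-Server value linked to the endpoint record

# Constructed inventories: which endpoint MACs each (hypothetical) MDM knows.
MDM_INVENTORY = {
    "AirWatch": {"aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:03"},
    "JAMF": {"aa:aa:aa:aa:aa:02"},
}

def mdm_knows(mdm: str, mac: str) -> bool:
    """Stand-in for querying one MDM's enrollment status for a MAC."""
    return mac in MDM_INVENTORY.get(mdm, set())

# (a) Ordered authorization-style rules, first match wins. The MDM-Server
# condition is checked first in each rule, as recommended in the thread,
# then the static profiler attribute that selects the MDM for new endpoints.
Rule = Tuple[str, Callable[[Endpoint], bool], str]
RULES: List[Rule] = [
    ("Mobile_AirWatch",
     lambda ep: ep.mdm_server == "AirWatch" or ep.profile == "Apple-iPhone",
     "AirWatch"),
    ("Mac_JAMF",
     lambda ep: ep.mdm_server == "JAMF" or ep.profile == "Apple-MacBook",
     "JAMF"),
]

def select_static(ep: Endpoint) -> Optional[str]:
    """Static selection: the first rule whose condition matches names the MDM.

    If that MDM does not know the endpoint, no other MDM is tried. If no rule
    matches (e.g. a generic "Apple-Device" profile), no MDM is consulted.
    """
    for _name, cond, mdm in RULES:
        if cond(ep):
            if mdm_knows(mdm, ep.mac):
                ep.mdm_server = mdm       # link the MDM to the endpoint record
                return mdm
            return None                   # wrong MDM selected: no fallback
    return None

def select_sequence(ep: Endpoint, order=("AirWatch", "JAMF")) -> Optional[str]:
    """Sequence selection: query each MDM in order until one knows the endpoint."""
    for mdm in order:
        if mdm_knows(mdm, ep.mac):
            ep.mdm_server = mdm
            return mdm
    return None

if __name__ == "__main__":
    # A brand-new iPhone enrolled in AirWatch but profiled only as "Apple-Device"
    # (the case described earlier in the thread): static selection finds no
    # rule to match, sequence selection still locates it.
    new_ios = Endpoint("aa:aa:aa:aa:aa:03", "Apple-Device")
    print("static  :", select_static(new_ios))
    print("sequence:", select_sequence(new_ios))
```

Running the block prints `static  : None` and `sequence: AirWatch` for the constructed new-device case, which is the gap the posters describe: with static selection the generic profile matches no rule, so the endpoint is never checked against any MDM, whereas an ordered sequence would find it.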