10-20-2017 12:18 PM
Hey All,
I wanted to get some feedback on what's beginning to be a more common scenario, especially with the new release of MacBooks requiring the use of dongles exclusively for wired networks.
Consider this scenario:
At this point, everything appears to be functioning as expected, but there has to be a better solution than forcing endpoints to re-enroll with MDM while their specific dongle is plugged in. Is there a solution or talks in progress to address these specific use cases with Apple (or any) endpoints that require dongles for network access?
I remember facing a similar issue with VPN authentications when Apple/Google started hiding/randomizing the MAC address, and as a result we now do the queries with the UDID. But since these are on-prem authentications failing, it's impossible to pull these extra values from a dot1x/MAB authentication.
Thanks!
Chad
10-24-2017 01:53 PM
Wow, that's a lot of MAC addresses for a single JAMF MDM profile to manage. And then you have multiple machines showing the same MAC address depending on where the user moves from one desk to another.
I agree we have no visibility of the wireless MAC when connecting via wired; there would need to be an agent that translated the MAC address.
A couple other options:
I asked our SME imbashir to also see if he had any ideas.
There would need to be an enhancement to address this without the need for the MAC address; please reach out to the JAMF and ISE Product Managers.
10-21-2017 09:03 AM
Hello Chad,
I will be researching this. Will reply back on this post soon.
Thanks,
Nidhi
10-24-2017 08:25 AM
Any update on this?
10-21-2017 10:30 AM
I am running into the exact same issue with my deployment. MacBooks + Thunderbolt dongle results in a failed MDM lookup every time. We just gave up on wired MDM enforcement. Pretty sad this was overlooked on the design side.
10-24-2017 08:22 AM
What kind of Mac management software are you using in your environment?
10-24-2017 09:27 AM
I'm using Casper Suite (JAMF). I suspect the original poster is as well as it's the most common Mac management software.
10-24-2017 11:03 AM
We are using Casper as well; Chad from Cisco opened the case based on the TAC case we opened.
JAMF is suggesting that we install the AnyConnect ISE compliance module to resolve the wired deployment issue. Looking further into it.
10-24-2017 11:45 AM
We have the ISE compliance module installed, as that is required for posture, which is also required in our environment. The issue we have is not with posture; it's with MDM registration enforcement. We enforce MDM registration with JAMF for MacBooks on our network. The way MDM registration enforcement works between ISE and JAMF is that ISE will query JAMF via its API integration for the MAC address of the connecting endpoint. Modern MacBooks don't have wired ports, thus every MacBook uses a dongle of some sort to connect. The MacBook dongles do not exist in MDM, resulting in the MDM returning not-registered for the device.
Our users are highly mobile and do not have static desks or static dongles. We've had to disable MDM registration enforcement for wired.
10-24-2017 12:01 PM
They don't even use the same dongle every time?
Is there a way to pre-register the dongles to the user in JAMF?
10-24-2017 01:00 PM
Our desks are not permanent desks assigned to users, so users float between desks all the time. The desks themselves have either dongles or docks. So, multiple users could use the same dongle or dock throughout the week. It would be nice if the JAMF query was always done with the WiFi MAC, as that is the only consistent MAC address on most MacBooks now since they lack wired ports.
10-24-2017 01:43 PM
I could see that if you are running some kind of agent, but if not, you can only get the MAC on the network.
Personally, I want them to start using domain certs so I don't have to care about JAMF.
10-24-2017 03:18 PM
Our workforce is extremely mobile. Most users travel internationally between offices on a weekly or monthly basis.
Deploy ISE posture Anyconnect System Scan to manage wired compliance.
This doesn't address the issue of checking for MDM registration.
Don't run wired.
This is a requirement from the business.
Require users to have their own dongle so that it's unique and stays with them
This unfortunately is not how the business is architected, and Apple has moved wired ports into the Apple monitors. Most large enterprise Apple MacBook environments are using Apple monitors that double as docks with Ethernet ports. As users move around they're going to be using different Apple monitors and thus different Ethernet ports. When desks don't have Apple monitors, they would then use whatever dongle is available.
My recommendation would be to have the compliance module when installed, share the UDID with the MDM Registration checking process since ISE, JAMF, and the compliance module know the UDID.
I've spoken with imbashir psd and mschmitz before on addressing some high priority bugs in the past and they have been pretty quick in addressing issues in the past.
10-24-2017 03:44 PM
This will be an enhancement to both ISE and the MDM provider; it's not a bug like the other gentleman said.
I have forwarded it along
10-24-2017 12:27 PM
We ran into a similar issue today, but I don't think it's an ISE issue, as ISE just asks JAMF if this MAC is compliant and gets a compliant, non-compliant, or unknown device response. It seems to be JAMF and having multiple MACs for a device. The one I saw was a Mac, dongle, and dock, so 3 MACs.
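To make the failure mode discussed in this thread concrete (ISE querying the MDM by the MAC it saw on the wire, the dongle or dock MAC not existing in the MDM inventory, and the proposed fix of correlating the session to the device UDID that an endpoint agent can supply), here is a small model of that check. It is an added illustration, not ISE's or JAMF's real API, and all inventory records, MAC addresses, UDIDs and the `WiredSession`/`agent_udid` fields are constructed for the example. It also includes a report that flags MACs seen with more than one UDID, which is how a shared dock or dongle shows up in the data.

```python
"""Model of the ISE -> MDM registration check described in the thread.

Constructed example; it does not call the real JAMF or ISE APIs. It shows
why a lookup keyed on the connecting MAC returns "unknown" for a dongle or
dock, and how a UDID supplied by an endpoint agent (the enhancement the
thread asks for) would let the same check succeed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed MDM inventory: each managed Mac is known by its UDID and the
# only MAC the MDM ever recorded for it, the built-in Wi-Fi interface,
# because the machine has no wired port of its own.
MDM_INVENTORY = {
    "UDID-AAAA-1111": {"wifi_mac": "a4:83:e7:11:22:33", "compliant": True},
    "UDID-BBBB-2222": {"wifi_mac": "a4:83:e7:44:55:66", "compliant": False},
}


@dataclass
class WiredSession:
    """One dot1x/MAB authentication as the switch and ISE see it (constructed)."""
    seen_mac: str                    # MAC presented on the wire: dongle or dock
    agent_udid: Optional[str] = None  # device UDID reported by an agent, if any


def _status(rec: dict) -> str:
    return "compliant" if rec["compliant"] else "non-compliant"


def mdm_lookup_by_mac(mac: str) -> str:
    """The check as it works today: ask the MDM about the connecting MAC.

    Returns compliant / non-compliant / unknown, the three answers the
    thread says ISE gets back. A dongle or dock MAC is never in inventory,
    so it always falls through to "unknown".
    """
    for rec in MDM_INVENTORY.values():
        if rec["wifi_mac"].lower() == mac.lower():
            return _status(rec)
    return "unknown"


def mdm_lookup_by_udid(udid: str) -> str:
    """Hypothetical UDID-keyed lookup (the proposed enhancement)."""
    rec = MDM_INVENTORY.get(udid)
    return _status(rec) if rec is not None else "unknown"


def registration_decision(session: WiredSession) -> str:
    """Check by MAC first; if the MDM does not know the MAC and an agent
    supplied a UDID for the session, fall back to the UDID."""
    status = mdm_lookup_by_mac(session.seen_mac)
    if status == "unknown" and session.agent_udid:
        status = mdm_lookup_by_udid(session.agent_udid)
    return status


def shared_mac_report(sessions: List[WiredSession]) -> Dict[str, List[str]]:
    """Flag MACs that different UDIDs have authenticated with. These are
    shared docks/dongles, which a MAC-keyed MDM check can never attribute
    to a single managed device, so they are worth knowing about before
    deciding how strictly to enforce wired MDM registration."""
    owners: Dict[str, set] = {}
    for s in sessions:
        if s.agent_udid:
            owners.setdefault(s.seen_mac.lower(), set()).add(s.agent_udid)
    return {mac: sorted(u) for mac, u in owners.items() if len(u) > 1}


if __name__ == "__main__":
    dongle = "00:e0:4c:68:00:01"  # constructed USB-Ethernet dongle MAC
    # Same dongle, used by two different managed Macs on different days.
    sessions = [
        WiredSession(dongle, "UDID-AAAA-1111"),
        WiredSession(dongle, "UDID-BBBB-2222"),
        WiredSession(dongle),  # no agent data: the case the thread hits
    ]
    for s in sessions:
        print(s.seen_mac, s.agent_udid, "->", registration_decision(s))
    print("shared MACs:", shared_mac_report(sessions))
```

Running it shows the three outcomes side by side: the session with no agent data stays "unknown" (the MDM has never seen the dongle MAC), while the sessions carrying a UDID resolve to the real device's compliance state, and the report lists the dongle MAC as shared between two devices.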