Multiple MDM Support - similar to Identity Store Sequence

cmoomey (Cisco Employee)

Curious if Cisco has the capability roadmapped to support multiple MDM providers, similar to multiple authentication sources via an Identity Store Sequence. Customer is migrating from one MDM to another, and it is challenging to create specific MDM rules based upon location (WLC) or device type. Customer has roaming users and desires support for the multiple MDM feature much like the identity store sequence capability. Please let me know if there are additional details I can provide... Thanks...

15 Replies

Aaron Woland (Cisco Employee)

Corey,

I assume you are asking about validating endpoint attributes with the MDM? Obviously you must have the pre-reqs defined on which MDM to use in order to onboard the user with the correct one, so I am assuming you cannot mean that.

I am sending the link to this thread to the MDM integration PM, Erica.

-Aaron

To my knowledge, you need to define either device type or location as an attribute for MDM selection. I am wondering if we will ever be able to have a list of MDMs which get checked in order, similar to how we check multiple identity stores in an identity store sequence, eliminating the need to statically define which MDM to use via an attribute.

I understood you correctly, cool.

Yes, what you are asking for was something we asked for when first supporting multi-MDM w/ ISE. It's a roadmap item, but it's not committed to a single release yet.

We just re-emphasized the user-story with the PM, to try & get it prioritized for a release vehicle.

Aaron

Hi All

I ran into the same situation. Is there any status update on that? I mean, is there already a committed roadmap or anything similar? I mean the user story is simple: Customer has one MDM (let's say X with version 1) and wants to upgrade this to version 2. So there is a limited time where both systems should be accessible.

As I already posted on this:

https://supportforums.cisco.com/discussion/13223711/multiple-mdm-solutions-and-single-ise-cluster#comment-12085346

...

I was not able to find any solution based on ISE 2.1 P3.

Any solution, hints on this?

Thanks, Marco

Not clear what the specific issue is here.  ISE has supported multiple active MDM servers since ISE 1.4:

Cisco Identity Services Engine Administrator Guide, Release 1.4  - Manage Network Devices [Cisco Identity Services Engin…

However, there was a doc bug at one time  which stated that only one could be activated.  That has since been corrected:

CSCvd39960: ISE admin guide conflicting info on multiple active MDMs support


One of the key changes in ISE 1.4 to support multiple active MDMs was to add a condition to match MDM-Server. This looks into the endpoint record to determine the MDM-Server value associated with the endpoint and then performs redirection to that specific MDM Server.

Multi-MDM support in ISE does not work like ID sequence (try #1, then #2, then #3). Once the MDM server is identified, it is linked to the endpoint record. One of the only times you would match a condition for MDM Server 1 and then apply an AuthZ Profile that redirects to MDM Server 2 would be to switch registration to a new server, for example, when a customer is migrating from one vendor to another.

/Craig

Craig

Thanks for this clarification on how the whole process is done.

Unfortunately the bug is not visible for me in the bug toolkit and your link references an internal site. Anyway: after doing some more tests, we figured out the following behaviour:

- ISE 2.1 P3 never uses the second MDM AUTHZ rule as long as the first MDM is linked to this endpoint, which you referenced in your clarification.

- ISE 2.2 P1 seems to be fixed on this point, and the second AUTHZ rule is used, which is great news. But the Endpoint DB no longer shows the MDM endpoints...

Do you have any clarification for this?

Thanks, Marco

Redirect to MDM will populate endpoint record (assuming it is linked to that MDM).  It is imperative that each Auth rule includes MDM Server match condition as its first condition prior to other MDM conditions based on enrollment or compliance.

How about the case where the device is already enrolled in the MDM without ISE’s knowledge? When the device is first being authenticated it won’t have any association with an MDM, however, it may be registered with one of two MDMs. How would you suggest creating the policies for that use case?

Thanks

George

In my environment we use AirWatch for mobile devices, and JAMF for Macbook laptops. With the assistance of TAC we were able to configure an authorization policy by creating Endpoint profiles forcing the mobile devices to query AirWatch and the Macbook laptops to query JAMF. It seemed successful, but in my testing I find the issue starts when a user gets a new device: even though it is enrolled in one or the other, all Apple devices start as Apple-Device, and especially new iOS devices, as they would fail authentication and not profile properly.

Because of this we reverted to a REST/API script to handle JAMF. There is a good YouTube video explaining how to handle multiple MDMs using a script.

https://www.youtube.com/watch?v=TwbAiu3DsKc

I have my hopes that ISE 3.x may handle this better, but haven't heard yet.

Hello,

 

Did you use a third party for REST/API Script?  We have a similar scenario, where we are using Intune as MDM for IOS devices (iPhones) and JAMF as MDM for macOS Laptops. Configured both in ISE as external MDM. These devices would be connecting to a common SSID, and have configured a single policy set, with MDM server Name condition placed first. Not sure if this will work. Yet to be tested.

craiglebutt (Level 4)

hi

Following the above. Currently on 2.2 p17

We have MobileIron and Intune (as a POC). MobileIron currently manages our BYOD and internal devices, but they want to move this to Intune, with the view to moving all our mobile devices from MobileIron to Intune in the future.

Currently have a BYOD SSID added; I have put the MDM name first in the Auth policy in both.

Is this not working because it is in the same Policy Set or is there extra config required?

I don't want to create another SSID as I already have 15.

Ignore the disabled part, they were enabled when tested.

Any help much appreciated

cheers

did you ever get this working?

no, still working on it

With current release versions of ISE (<= 3.1), you need to have a matching condition (Profiling, Endpoint ID Group, etc) to define which endpoints will use which External MDM. ISE will not try one MDM, fail to find the endpoint, then try another MDM like an ID Source Sequence.

There is, however, an enhancement in the upcoming version of ISE 3.2 (currently in the Beta stage), to provide that capability with multiple MDMs.
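To make the distinction drawn in this thread concrete, here is a small Python model of the two selection behaviours: the static, attribute-driven rule matching that ISE <= 3.1 does (MDM-Server match first, then a profiling/group condition to steer endpoints that are not yet linked to any MDM), versus the ID-source-sequence style "ask each MDM in turn" that the thread asks for. This is an added illustration, not Cisco code and not the real ISE policy engine; it assumes top-down, first-match rule evaluation, uses the MDM names from the thread (Intune, JAMF, MobileIron) as labels only, and replaces each MDM's real device lookup with a constructed in-memory inventory. It also reproduces George's edge case: an endpoint that is already enrolled in an MDM but has no MDM-Server attribute yet and only a generic profile falls through to the default rule under static matching, while a sequence lookup would find it.

```python
"""Toy model of ISE-style authorization rule evaluation with several external
MDM servers. Added illustration: not Cisco code and not the real ISE engine.
Assumptions: rules are evaluated top-down, first match wins, and the endpoint
record's MDM-Server attribute is only populated once ISE has linked the
endpoint to an MDM (as the thread describes)."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class Endpoint:
    mac: str
    profile: str                      # profiling result, e.g. "Apple-iPhone"
    mdm_server: Optional[str] = None  # MDM-Server attribute; None until linked
    enrolled: bool = False


@dataclass
class Rule:
    name: str
    conditions: list                  # callables Endpoint -> bool, ANDed
    result: str                       # authorization profile name (hypothetical)


def mdm_is(name):
    return lambda ep: ep.mdm_server == name


def no_mdm(ep):
    return ep.mdm_server is None


def profile_in(*profiles):
    return lambda ep: ep.profile in profiles


# Static selection, as described in the thread: the MDM-Server match is the
# first condition on every MDM rule; endpoints not yet linked are steered by
# their profiling result. Rule and profile names are constructed for the model.
RULES = [
    # Migration case from the thread: anything still linked to the old MDM is
    # redirected to the new one so registration moves over.
    Rule("MobileIron-to-Intune", [mdm_is("MobileIron")], "Redirect-Intune"),
    Rule("Intune-enrolled", [mdm_is("Intune"), lambda ep: ep.enrolled], "PermitAccess"),
    Rule("Intune-redirect", [mdm_is("Intune")], "Redirect-Intune"),
    Rule("JAMF-enrolled", [mdm_is("JAMF"), lambda ep: ep.enrolled], "PermitAccess"),
    Rule("JAMF-redirect", [mdm_is("JAMF")], "Redirect-JAMF"),
    Rule("New-macOS", [no_mdm, profile_in("Apple-MacBook")], "Redirect-JAMF"),
    Rule("New-iOS", [no_mdm, profile_in("Apple-iPhone", "Apple-iPad")], "Redirect-Intune"),
]


def authorize(ep, rules=RULES):
    """First matching rule wins; an unmatched endpoint falls to a deny default."""
    for rule in rules:
        if all(cond(ep) for cond in rule.conditions):
            return rule.name, rule.result
    return "Default", "DenyAccess"


# Constructed stand-in for each MDM's device inventory (what a lookup against
# the MDM would return). Not a real API; MAC addresses are made up.
MDM_INVENTORY = {
    "Intune": {"aa:bb:cc:00:00:01"},
    "JAMF": {"aa:bb:cc:00:00:02"},
}


def select_by_sequence(ep, order=("Intune", "JAMF"), inventory=MDM_INVENTORY):
    """The ID-source-sequence behaviour the thread asks for: query each MDM in
    turn and link the endpoint to the first one that knows it. Per the last
    reply, ISE <= 3.1 does NOT do this; it is shown here only for contrast."""
    for mdm in order:
        if ep.mac in inventory[mdm]:
            return mdm
    return None


if __name__ == "__main__":
    # George's case: already enrolled in JAMF, but ISE has no link yet and
    # profiling only got as far as the generic "Apple-Device".
    unknown = Endpoint("aa:bb:cc:00:00:02", "Apple-Device")
    print(authorize(unknown))           # ('Default', 'DenyAccess')
    print(select_by_sequence(unknown))  # JAMF
    linked = Endpoint("aa:bb:cc:00:00:01", "Apple-iPhone", mdm_server="Intune", enrolled=True)
    print(authorize(linked))            # ('Intune-enrolled', 'PermitAccess')
```

The order of `RULES` matters in the same way the thread says it does for ISE: if a generic "New-iOS" rule sat above the MDM-Server rules, an iPhone already linked to Intune would be redirected for enrollment again. Keeping the MDM-Server condition first on every MDM rule, and the profile-based "not yet linked" rules last, is what makes the static scheme behave predictably.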
