Cisco ISE MDM Integration Android For Work

saber.jouini
Level 1

Hello all,

We are using MDM integration with Cisco ISE through API calls.

Everything was working well during the PoV, but since a change from Google Android the MAC address of smartphones is no longer given to the MDM (Android work profile context since Android 7.x), and as ISE uses the MAC address as the identifier of Android smartphones for the MDM API call, we are facing an issue.

Could you please tell me (maybe after checking with Cisco developers) whether MDM API calls for Android smartphones can be performed using a different attribute than the MAC address (for example the UDID for iPhones)?


Thanks a lot for your help.

Accepted Solution

Jason Kunst
Cisco Employee

I will reach out to our SME to see if there is an action plan around this, but I don't think there is going to be a quick fix for this.

Suggest the following:

Open a TAC case and get an associated defect.

1. Rely on client onboarding with the MDM provider on a guest or separate onboarding SSID before connecting to your internal secure network.

2. Once they are MDM onboarded (preferably with a certificate for EAP-TLS), then allow connectivity to the secure network only if using EAP-TLS with a valid cert.

Wait for a fix to later tie compliance in to the connectivity:

If EAP-TLS and MDM compliant: full access.

Otherwise: limited access.


12 Replies


Hello,

Thanks for your answer.

In addition to BYOD network access, we are also using an architecture with Cisco AnyConnect VPN for smartphones based on MDM checks via ISE.

So in order to enhance security before allowing VPN connections, we need to check a piece of information given by the MDM API call.

OK, there might be a way around this using AnyConnect ACIDEX? Can you open another case separately with the MDM issue under that community as well and see if there are any answers from there?

All of the associated communities are listed here: https://communities.cisco.com/community/technology/security/pa

Yes, in the absence of a MAC address, we will perform the query based on the AC UDID or Carrier ID (assuming AC VPN client and ASA VPN gateway).

Hello,

Thanks for your answer.

How can we modify the query on Cisco ISE from being based on the MAC address to being based on the AC UDID or Carrier ID?

As noted, it is automatic if the MAC address is not received in ACIDEX.

The problem is that we are receiving the MAC address of the smartphone on Cisco ISE, so it is trying to perform a query based on the MAC address. The issue is that the MAC address is hidden from the MDM.

OK. This represents a relatively new scenario where we have acquired the MAC address but the MDM agent is not able to collect it because the OS blocks access. We have seen this with typical apps, but most OSes have still allowed MDM vendors access to this information. In this case it appears not, so I am not sure whether this is a limitation of the specific vendor's MDM implementation or across the board.

In any case, I would suggest opening a TAC case and filing a defect. It may also be used as a placeholder against the partner MDM if they are unable to acquire the MAC where other vendors can (not sure if that is the case yet), but the defect can also be used to track the need for enhanced logic whereby we automatically (or based on a config option) perform the lookup using an alternate endpoint ID even when the MAC address is known. I will also copy the PM team internally on this one so they are aware of the issue. If you are able to file a defect, please copy it to the post.

Craig
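The two behaviours discussed in this thread, the access tiers from the accepted solution (onboarding SSID until the device has a valid EAP-TLS certificate, then full access only when the MDM reports it compliant, otherwise limited access) and the enhancement Craig describes (falling back to an alternate endpoint ID when the MAC lookup misses even though ISE received a MAC), can be modelled in a few lines. The following Python is an added example written for this page; it is not Cisco ISE code and does not call any MDM vendor API. The `Session` attribute names, the `fallback_when_mac_known` option and the `MDM_INVENTORY` records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    # Attributes the policy server would hold for one device session (constructed for this example).
    mac: Optional[str]            # Calling-Station-Id; None when no MAC was received (e.g. some VPN sessions)
    udid: Optional[str]           # AnyConnect device unique ID reported via ACIDEX (assumed attribute name)
    carrier_id: Optional[str]     # Carrier ID reported via ACIDEX (assumed attribute name)
    eap_tls_valid_cert: bool      # True when EAP-TLS completed with a valid client certificate


IdKey = Tuple[str, str]


def normalize_mac(mac: str) -> str:
    """Fold 'aa:bb:cc:dd:ee:ff', 'AA-BB-CC-DD-EE-FF' and 'aabb.ccdd.eeff' to one form,
    so a formatting difference between RADIUS and the MDM is not mistaken for a miss."""
    return "".join(ch for ch in mac.upper() if ch in "0123456789ABCDEF")


# Constructed MDM inventory keyed by (identifier type, value). The work-profile Android
# device has no MAC on record because the OS hides it from the MDM agent (the thread's issue).
MDM_INVENTORY: Dict[IdKey, dict] = {
    ("mac", normalize_mac("00:11:22:33:44:55")): {"compliant": True},   # device-owner Android, MAC known to MDM
    ("udid", "android-wp-0001"): {"compliant": True},                   # work-profile Android, UDID only
    ("udid", "ios-0002"): {"compliant": False},                         # iPhone enrolled but non-compliant
}


def identifier_candidates(s: Session, fallback_when_mac_known: bool) -> List[IdKey]:
    """Keys tried against the MDM, in order.
    Default (the behaviour described in the thread): if a MAC was received, query by MAC only;
    the alternate IDs are used automatically only when no MAC is present.
    With fallback_when_mac_known=True (the enhancement Craig asks to track), a MAC miss
    falls through to the UDID and then the Carrier ID."""
    alternates: List[IdKey] = []
    if s.udid:
        alternates.append(("udid", s.udid))
    if s.carrier_id:
        alternates.append(("carrier_id", s.carrier_id))
    if s.mac:
        mac_key: IdKey = ("mac", normalize_mac(s.mac))
        return [mac_key] + alternates if fallback_when_mac_known else [mac_key]
    return alternates


def mdm_lookup(s: Session, inventory: Dict[IdKey, dict],
               fallback_when_mac_known: bool = False) -> Optional[dict]:
    """Return the first MDM record matching any candidate identifier, or None on a miss."""
    for key in identifier_candidates(s, fallback_when_mac_known):
        record = inventory.get(key)
        if record is not None:
            return record
    return None


def authorize(s: Session, inventory: Dict[IdKey, dict],
              fallback_when_mac_known: bool = False) -> str:
    """Access tier from the accepted solution: no valid EAP-TLS cert -> onboarding SSID only;
    valid cert and MDM-compliant -> full access; valid cert otherwise -> limited access.
    A lookup miss is treated as non-compliant, never as compliant (fail closed)."""
    if not s.eap_tls_valid_cert:
        return "ONBOARDING_ONLY"
    record = mdm_lookup(s, inventory, fallback_when_mac_known)
    if record is not None and record.get("compliant") is True:
        return "FULL_ACCESS"
    return "LIMITED_ACCESS"


if __name__ == "__main__":
    # Work-profile Android: ISE has the MAC, but the MDM only knows the device by UDID.
    work_profile = Session(mac="AA:BB:CC:DD:EE:01", udid="android-wp-0001",
                           carrier_id=None, eap_tls_valid_cert=True)
    print(authorize(work_profile, MDM_INVENTORY))                              # LIMITED_ACCESS
    print(authorize(work_profile, MDM_INVENTORY, fallback_when_mac_known=True))  # FULL_ACCESS
```

The first `print` reproduces the failure mode in the thread: the device is compliant, but because a MAC was received the lookup stops at the MAC miss and the device only gets limited access. The fallback option shows what the requested enhancement would change, while `authorize` still fails closed when no record is found at all.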

Hi Craig,

It's a new implementation from Google Android 7: they now hide the MAC address. Please have a look at this post:

https://stackoverflow.com/questions/43338359/get-device-mac-adress-in-android-nougat-and-o-programmatically

DevicePolicyManager.getWifiMacAddress() is already used by AirWatch to retrieve the Wi-Fi MAC address. But this function will only return a valid MAC address if the device is work managed/device owner. It doesn't work when using a Work Profile (managing only a container).

From the ISE side the only solution would be to permit configuration of the attribute we are using in the API query to the MDM (not necessarily the MAC address).

 

Would recommend getting a TAC case open and a defect attached.

Make sure a TAC case is attached and matched to a defect; will forward to the PM team.

csarrazi
Cisco Employee

Hi team,

I'm looking for a BU contact to discuss with Google. With the customer we are in contact with Google and VMware, and the best way to find a solution is to organize a common Webex. Please give me the contact and I will organize the Webex.

Regards,

Christophe
