Supported Mobile Device Management Use Cases
Cisco ISE performs the following functions with external MDM servers:
- Manages device registration: Unregistered endpoints that access the network are redirected to a registration page that is hosted on the MDM server. Device registration includes the user role, device type, and so on.
- Handles device remediation: Endpoints are granted restricted access during remediation.
- Augments endpoint data: The endpoint database is updated with information from the MDM server that you cannot gather using the Cisco ISE profiling services. Cisco ISE uses multiple device attributes that you can view in the Endpoints page. Choose .
  The following are examples of the device attributes available.
  - MDMImei: xx xxxxxx xxxxxx x
  - MDMManufacturer: Apple
  - MDMModel: iPhone
  - MDMOSVersion: iOS 6.0.0
  - MDMPhoneNumber: 5550100
  - MDMSerialNumber: DNPGQZGUDTFx
- Polls the MDM server every four hours for device compliance data. Configure the polling interval in the External MDM Servers page. (To view this page, choose .)
- Issues device instructions through the MDM server: Cisco ISE issues remote actions for user devices through the MDM server. Initiate remote actions from the Cisco ISE administration portal through the Endpoints page. To view this page, choose . Check the check box next to the MDM server and click MDM Actions. Choose the required action from the drop-down list displayed.
Vendor MDM Attributes
When you configure an MDM server in Cisco ISE, Cisco ISE queries the MDM server for device attribute information and adds the information to the MDM system dictionary. The following attributes are used for registration status, and are commonly supported by MDM vendors.
Cisco ISE uses APIs to query MDM servers for the required device attributes. Cisco ISE Release 3.1 and later support MDM APIs Version 3. Version 3 includes APIs that let Cisco ISE query MDM servers for the device attributes it needs to identify endpoints that use MAC address randomization. Cisco ISE queries the MDM server for the following attributes:
- GUID: A unique device identifier that replaces the use of the MAC address to identify a device.
- MAC addresses: The list of MAC addresses that a UEM or MDM server has recorded for a particular device. A maximum of five MAC addresses are shared for a device.
If an MDM server does not provide values for the required attributes, Cisco ISE fills the attribute fields with the default values listed in the following table.
| Attribute Name | Attribute Dictionary | Default Value | Data That Is Expected From UEM or MDM Servers | Data That Is Expected From Microsoft SCCM Servers |
|---|---|---|---|---|
| DaysSinceLastCheckin (supported from MDM API Version 3) | MDM | None | The number of days since a user has last checked in or synchronized a device with the UEM or MDM server. The valid range is 1–365 days. | The number of days since a user has last checked in or synchronized a device with the SCCM server. The valid range is 1–365 days. |
| DeviceCompliantStatus | MDM | NonCompliant | Compliant or NonCompliant. | Compliant or NonCompliant. |
| DeviceRegisterStatus | MDM | UnRegistered | Registered or UnRegistered. | Registered or UnRegistered. |
| DiskEncryptionStatus | MDM | Off | On or Off. | On or Off. |
| IMEI | MDM | None | The IMEI number of the device. | Not applicable. |
| JailBrokenStatus | MDM | Unbroken | Reachable or UnReachable. | Reachable or UnReachable. |
| MDMFailureReason | MDM | None | The device failure reason. | The device failure reason. |
| MDMServerName | MDM | None | The name of the server. | The name of the server. |
| MDMServerReachable | MDM | Reachable | Reachable or UnReachable. | Reachable or UnReachable. |
| MEID | MDM | None | The MEID value of the device. | Not applicable. |
| Manufacturer | MDM | None | The name of the device manufacturer. | Not applicable. |
| Model | MDM | None | The name of the device model. | Not applicable. |
| OsVersion | MDM | None | The operating system version of the device. | Not applicable. |
| PhoneNumber | MDM | None | The phone number of the device. | Not applicable. |
| PinLockStatus | MDM | Off | On or Off. | Not applicable. |
| SerialNumber | MDM | None | The serial number of the device. | Not applicable. |
| ServerType | MDM | None | MDM for a Mobile Device Manager server. DM for Desktop Device Manager server. | DM for Desktop Device Manager server. |
| UDID | MDM | None | The UDID number of the device. | Not applicable. |
| UserNotified | MDM | No | Yes or No. | Not applicable. |
If a vendor's unique attributes are not supported, you may be able to use ERS APIs to exchange vendor-specific attributes. Check the vendor's documentation for information on the ERS APIs that are supported.
The new MDM dictionary attributes are available for use in authorization policies.
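The following added example is not Cisco ISE code; it is a small Python model of the behaviour described in this section: an MDM server's device record is mapped onto the MDM dictionary attributes, any attribute the server did not return is filled with the default from the table above, the GUID and MAC address list from the Version 3 API are indexed so that a randomized MAC can be correlated back to one device (capped at five MACs), and a coarse access outcome is derived the way an authorization policy would use these attributes (unregistered devices are sent to registration, non-compliant devices get restricted remediation access). The JSON shape of the server reply, the key names `GUID`/`MACAddresses`, and the choice to restrict access when the MDM server is unreachable are assumptions of this example, not documented ISE behaviour.

```python
"""Added example (not Cisco ISE code): ISE-style handling of MDM attributes."""

# Default values copied from the attribute table on this page.
MDM_DEFAULTS = {
    "DaysSinceLastCheckin": None,
    "DeviceCompliantStatus": "NonCompliant",
    "DeviceRegisterStatus": "UnRegistered",
    "DiskEncryptionStatus": "Off",
    "IMEI": None,
    "JailBrokenStatus": "Unbroken",
    "MDMFailureReason": None,
    "MDMServerName": None,
    "MDMServerReachable": "Reachable",
    "MEID": None,
    "Manufacturer": None,
    "Model": None,
    "OsVersion": None,
    "PhoneNumber": None,
    "PinLockStatus": "Off",
    "SerialNumber": None,
    "ServerType": None,
    "UDID": None,
    "UserNotified": "No",
}

MAX_MACS_PER_DEVICE = 5  # the page states at most five MACs are shared per device


def normalize_mdm_record(record: dict) -> dict:
    """Build a complete MDM dictionary for one device.

    Values the server returned are used as-is; anything missing or empty gets
    the documented default. Keys that are not dictionary attributes are dropped
    so that only known attributes reach policy evaluation. DaysSinceLastCheckin
    is only accepted inside the documented 1-365 range; anything else falls
    back to the default (None) rather than feeding a bad number into policy.
    """
    attrs = dict(MDM_DEFAULTS)
    for key, value in record.items():
        if key not in attrs or value in (None, ""):
            continue
        if key == "DaysSinceLastCheckin":
            if isinstance(value, int) and 1 <= value <= 365:
                attrs[key] = value
            continue
        attrs[key] = value
    return attrs


def mac_index(devices: list) -> dict:
    """Map every MAC the MDM server reported to the owning device GUID.

    Input shape (assumed, not a real vendor format):
        [{"GUID": "<device id>", "MACAddresses": ["aa:bb:...", ...]}, ...]
    Only the first five MACs per device are kept, matching the page's limit,
    and MACs are lower-cased so lookups are case-insensitive.
    """
    index = {}
    for dev in devices:
        for mac in dev.get("MACAddresses", [])[:MAX_MACS_PER_DEVICE]:
            index[mac.lower()] = dev["GUID"]
    return index


def access_decision(attrs: dict) -> str:
    """Derive the coarse outcome an authorization policy would produce.

    Unregistered -> redirect to the MDM-hosted registration page.
    NonCompliant -> restricted access for remediation.
    Registered and Compliant -> full access.
    Unreachable MDM server -> restricted (this example's choice; the page does
    not specify ISE's behaviour in that case).
    """
    if attrs["MDMServerReachable"] != "Reachable":
        return "restricted"
    if attrs["DeviceRegisterStatus"] != "Registered":
        return "redirect-to-registration"
    if attrs["DeviceCompliantStatus"] != "Compliant":
        return "restricted"
    return "full"


if __name__ == "__main__":
    # Constructed sample reply: registered but not yet compliant, one vendor-only key.
    sample = {"DeviceRegisterStatus": "Registered", "Model": "iPhone",
              "DaysSinceLastCheckin": 12, "VendorOnlyField": "ignored"}
    attrs = normalize_mdm_record(sample)
    print(attrs["DeviceCompliantStatus"], access_decision(attrs))
    idx = mac_index([{"GUID": "dev-1", "MACAddresses": ["AA:BB:CC:00:00:01"]}])
    print(idx.get("aa:bb:cc:00:00:01"))
```

The point for a policy author: every attribute in the dictionary always has a value, so a rule such as "DeviceCompliantStatus equals Compliant" fails closed when the MDM server returned nothing, because the default is NonCompliant; the same holds for DeviceRegisterStatus defaulting to UnRegistered.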