Home
Support
Product Support
Security
Cisco Identity Services Engine
Configuration Guides

Integrate MDM and UEM Servers with Cisco ISE

View all Saved Content

PDF

Is this helpful?

Helpful Unhelpful

Feedback

Thank you for your feedback. Your response has been recorded.

Ask about this document

Cisco Configuration Guide, Release 4.2

Table of contents

Expand all sections

About this document

Integrate UEM and MDM Servers with Cisco ISE

Unified endpoint management in Cisco ISE
MAC address for VPN-connected endpoints

Integrate Cisco Meraki Systems Manager

Cisco Meraki Systems Manager
Set up Cisco Meraki Systems Manager as an MDM or UEM server

Integrate Microsoft Endpoint Manager Intune

Microsoft Intune and Cisco ISE
Configure Microsoft Endpoint Manager Intune
Manage VPN-connected mobile devices with Microsoft Intune
Connect Microsoft Intune to Cisco ISE as a mobile device management server

Integrate Ivanti (previously MobileIron) UEM

Ivanti (previously MobileIron) UEM servers
Set up MobileIron Cloud UEM servers
Set up MobileIron Core UEM servers

Unified endpoint management in Cisco ISE

Updated: February 6, 2026

Want to summarize with AI?

On this page

Overview

Cisco ISE MDM API version 3: Enhanced device identification with GUID

Overview

This section explains how you can integrate your Cisco ISE with endpoint management servers, Unified Endpoint Management (UEM) or Mobile Device Management (MDM), to access device attribute information from these servers through APIs.

If you secure, monitor, manage, and support network endpoints by using Unified Endpoint Management (UEM) or Mobile Device Management (MDM) servers, you can configure Cisco ISE to interoperate with these servers. Integrate Cisco ISE with your endpoint management servers to access device attribute information through APIs. To enable network access control, you can use the device attributes to create Access Control Lists (ACLs) and authorization policies.

Cisco ISE Policy Service Nodes (PSN) also use APIs to fetch lists of noncompliant devices from connected UEM or MDM servers at set polling intervals. Cisco ISE quarantines any noncompliant endpoints with active sessions at the time of polling and issues CoAs based on the fetched information.

You can configure your endpoint management servers to integrate them with Cisco ISE. Use the required configurations for your MDM or UEM vendor, such as

Cisco Meraki Systems Manager
Ivanti (previously MobileIron UEM) core and cloud UEM services
Microsoft Endpoint Manager Intune

Cisco ISE also supports these endpoint management servers:

42Gears
Absolute
Blackberry - BES
Blackberry - Good Secure EMM
Citrix XenMobile 10.x (On-prem)
Globo
IBM MaaS360
Jamf Casper Suite
Jamf Pro 10.42.0 or later
Microsoft Endpoint Configuration Manager
Mosyle
SAP Afaria
Sophos
SOTI MobiControl
Symantec
Tangoe
Omnissa (previously AirWatch)

After you configure the MDM or UEM servers to connect to Cisco ISE, join these servers to your Cisco ISE deployment. See "Configure Mobile Device Management Servers in Cisco ISE" in the chapter "Secure Access" in the Cisco ISE Administrator Guide for your release.

Cisco ISE MDM API version 3: Enhanced device identification with GUID

Cisco ISE MDM API version 3 enables device identification using a Globally Unique Identifier (GUID) instead of MAC addresses to uniquely identify devices, improving accuracy in deployments with randomized or changing MAC addresses. From Cisco ISE release 3.1, this enhancement enables more reliable network access control by using GUIDs provided by MDM servers instead of traditional device identifiers.

You can use Cisco ISE MDM API version 3 to receive a unique endpoint identifier, called GUID, from connected MDM and UEM servers. Cisco ISE then uses the GUID to identify an endpoint instead of its MAC address. Refer to "Handle Random and Changing MAC Addresses With Mobile Device Management Servers" in the chapter "Secure Access" in the Cisco ISE Administrator Guide for your release.

To receive GUID from a UEM or MDM server, these conditions must be met:

The UEM or MDM server supports Cisco ISE MDM API version 3.
Configure the certificates for Cisco ISE usage in your UEM or MDM so that the Subject Alternative Name field, the Common Name field, or both, push the GUID to Cisco ISE.

These UEM or MDM servers currently support Cisco ISE MDM API version 3:

Cisco Meraki Systems Manager
Ivanti (previously MobileIron UEM) core and cloud UEM services
Microsoft Endpoint Manager Intune
JAMF Casper Suite
Omnissa (previously AirWatch)

For information on Omnissa configuration, refer to Omnissa Product Documentation.

Need help?

Open a support case

(Requires a Cisco Service Contract)

Bias-free language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.