Overview of unified endpoint management in Cisco ISE
If you secure, monitor, manage, and support network endpoints by using Unified Endpoint Management (UEM) or Mobile Device Management (MDM) servers, you can configure Cisco ISE to interoperate with these servers. Integrate Cisco ISE with your endpoint management servers to access device attribute information through APIs. To enable network access control, you can use the device attributes to create Access Control Lists (ACLs) and authorization policies.
Cisco ISE Policy Service Nodes (PSNs) also use APIs to fetch lists of noncompliant devices from connected UEM or MDM servers at set polling intervals. Cisco ISE quarantines any noncompliant endpoints with active sessions at the time of polling and issues Changes of Authorization (CoAs) based on the fetched information.
You can configure your endpoint management servers to integrate them with Cisco ISE. Use the required configurations for your MDM or UEM vendor, such as:
- Cisco Meraki Systems Manager
- Ivanti (previously MobileIron UEM) core and cloud UEM services
- Microsoft Endpoint Manager Intune
Cisco ISE also supports these endpoint management servers:
- 42Gears
- Absolute
- Blackberry - BES
- Blackberry - Good Secure EMM
- Citrix XenMobile 10.x (On-prem)
- Globo
- IBM MaaS360
- JAMF Casper Suite
- Microsoft Endpoint Configuration Manager
- Mosyle
- SAP Afaria
- Sophos
- SOTI MobiControl
- Symantec
- Tangoe
- Omnissa (previously AirWatch)
Note
Cisco ISE can be integrated with Jamf Pro 10.42.0 or later.
After you configure the MDM or UEM servers to connect to Cisco ISE, join these servers to your Cisco ISE deployment. See "Configure Mobile Device Management Servers in Cisco ISE" in the chapter "Secure Access" in the Cisco ISE Administrator Guide for your release.
Cisco ISE MDM API Version 3 for GUID
From Cisco ISE release 3.1, you can handle random and changing MAC addresses of endpoints. You can use Cisco ISE MDM API Version 3 to receive a unique endpoint identifier, called GUID, from connected MDM and UEM servers. Cisco ISE then uses the GUID to identify an endpoint instead of its MAC address. See "Handle Random and Changing MAC Addresses With Mobile Device Management Servers" in the chapter "Secure Access" in the Cisco ISE Administrator Guide for your release.
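An added example, not Cisco code: a simplified Python model of the polling step, showing why a GUID key still catches a noncompliant endpoint whose MAC address has been randomized. The record fields (`id`, `mac`, `guid`), the GUID-first matching order and the sample data are assumptions constructed for illustration.

```python
import re

def norm_mac(mac):
    """Normalize a MAC to 12 lowercase hex digits; raise on malformed input."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return digits

def is_random_mac(mac):
    """True when the locally administered bit (0x02 of the first octet) is set."""
    return bool(int(norm_mac(mac)[:2], 16) & 0x02)

def reconcile(noncompliant, sessions):
    """Return {session_id: 'guid' | 'mac'} for active sessions to quarantine."""
    bad_guids = {d["guid"].lower() for d in noncompliant if d.get("guid")}
    bad_macs = {norm_mac(d["mac"]) for d in noncompliant if d.get("mac")}
    hits = {}
    for s in sessions:
        guid = (s.get("guid") or "").lower()
        if guid and guid in bad_guids:        # assumed order: GUID first
            hits[s["id"]] = "guid"
        elif norm_mac(s["mac"]) in bad_macs:  # MAC as fallback
            hits[s["id"]] = "mac"
    return hits

def unverifiable(sessions):
    """Sessions with a randomized MAC and no GUID: MAC-keyed lookups miss these."""
    return [s["id"] for s in sessions if not s.get("guid") and is_random_mac(s["mac"])]

# Constructed sample data (not real devices).
NONCOMPLIANT = [
    {"guid": "3F2504E0-4F89-11D3-9A0C-0305E82C3301", "mac": "A4:83:E7:11:22:33"},
    {"guid": None, "mac": "00-1B-44-11-3A-B7"},
]
SESSIONS = [
    {"id": "s1", "mac": "da:a1:19:5c:0e:42",  # first device, now on a random MAC
     "guid": "3f2504e0-4f89-11d3-9a0c-0305e82c3301"},
    {"id": "s2", "mac": "001b.4411.3ab7", "guid": None},     # MAC match only
    {"id": "s3", "mac": "76:0c:2b:9a:10:fe", "guid": None},  # random MAC, no GUID
    {"id": "s4", "mac": "3C:22:FB:00:00:01", "guid": "aaaaaaaa-0000-4000-8000-000000000001"},
]

if __name__ == "__main__":
    print("quarantine:", reconcile(NONCOMPLIANT, SESSIONS))
    print("randomized MAC without GUID:", unverifiable(SESSIONS))
```

With the GUIDs stripped from the same sessions, `s1` drops out of the result, which is the gap the GUID closes.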
To receive GUID from a UEM or MDM server, these conditions must be met:
- The UEM or MDM server supports Cisco ISE MDM API Version 3.
- Configure the certificates for Cisco ISE usage in your UEM or MDM so that the Subject Alternative Name field, the Common Name field, or both, push the GUID to Cisco ISE.
The following UEM or MDM servers currently support Cisco ISE MDM API Version 3:
- Cisco Meraki Systems Manager
- Ivanti (previously MobileIron UEM) core and cloud UEM services
- Microsoft Endpoint Manager Intune
- JAMF Casper Suite
- Omnissa (previously AirWatch)
Note
For information on Omnissa configuration, see Omnissa Product Documentation.