Integrate MDM and UEM Servers with Cisco ISE

Set up MobileIron Cloud UEM servers

Add MobileIron Cloud user for Cisco ISE operations

Procedure

1. Log in to the MobileIron Cloud portal.

2. From the top menu, choose Users.

3. From the Add drop-down list, choose Add API User.

4. In the Add API User window, enter values for these fields:

  • Username

  • Email Address

  • First Name

  • Last Name

  • Password

  • Confirm Password

5. In the Assign Roles area, check the Cisco ISE Operations check box to allow the user to invoke the APIs required for Cisco ISE integration.

6. Click Done.


Establish a certificate authority in MobileIron Cloud

You can configure a local CA with this procedure. MobileIron Cloud also offers a wider range of CA configurations. Choose the type that best matches your organization’s requirements.

For information on the various types of certificate management supported by MobileIron Cloud, refer to http://mi.extendedhelp.mobileiron.com/75/all/en/Welcome.htm#LocalCertificates.htm.

Procedure

1. In the MobileIron Cloud portal, choose Admin > Certificate Management.

2. Click Add.

3. Click Create a Standalone Certificate Authority.

4. In the dialog box, enter the details in the respective fields.

  1. Name

  2. In the Subject Parameters area, enter a value for at least one of these fields:

    • Common Name

    • Email

    • Organization Unit

    • Organization

    • Street Address

    • City

    • Region

    • Country

  3. In the Key Generation Parameters area:

    • From the Key Type drop-down list, choose RSA.

    • From the Signature Algorithm drop-down list, choose SHA256withRSA.

    • From the Key Length drop-down list, choose 2048.


Upload root or trusted certificates in MobileIron Cloud

If you use a trusted third-party CA to generate identity certificates, you can ignore this task.

If you use the local MobileIron Cloud CA or an internal CA that is private to your company or organization, you must upload the Root Certificate of the CA. When you upload this certificate, it is distributed to the connected devices, which can then trust the source or issuer of the identity certificate used for authentication.

Procedure

1. From the MobileIron Cloud menu, choose Configurations.

2. Click Add and choose Certificate.

3. In the Name field, enter a name for the trusted certificate.

4. In the Configuration Setup area, click Choose File and choose the trusted or root certificate for your CA.

5. Click Next.


Create an identity certificate in MobileIron Cloud

Configure an identity certificate in MobileIron Cloud to set up the certificate authentication mechanism for mobile devices. Identity certificates are X.509 certificates (.p12 or .pfx files). You can also generate identity certificates dynamically using a CA as the source.

Tip

If you have identity certificates in MobileIron Cloud that are already configured for Cisco ISE MDM use cases, update the certificate’s settings to enable GUID information retrieval from MobileIron servers.

Procedure

1. From the MobileIron Cloud top menu, choose Configurations and click Identity Certificate.

2. In the Name field, enter a value.

3. In the Configuration Setup area, from the drop-down list, choose Dynamically Generated.

4. From the Source drop-down list, choose the CA that you configured in the procedure Establish a certificate authority in MobileIron Cloud.

5. From the Subject Alternative Name Type drop-down list, choose Uniform Resource Identifier.

6. In the Subject Alternative Name Value field, enter ID:Mobileiron:GUID:${deviceGUID}. Configure the Subject Alternative Name field for GUID.

Optional: Alternatively, to use the Common Name (CN) field to push the GUID to Cisco ISE, in the Subject field, enter CN=ID:Mobileiron:GUID:${deviceGUID}.

7. Click Test Configuration and Continue.

The Configuration Test Successful dialog box displays the details of the created identity certificate.

8. In the Distribute window, click Custom.

9. In the Define Device Group Distribution area, choose the device groups to which you want to distribute this configuration and click Done.

If you update the SAN or CN fields in an existing identity certificate for Cisco ISE MDM use cases, the updated certificates must be sent to the end users connected to your network.

To send the updated certificates to end users, in the Configurations > Choose Config > Edit window, check the Clear cached certificates and issue new ones with recent updates check box.
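A check that an issued identity certificate carries the device GUID in the form configured in step 6, as an added example (not Cisco or MobileIron code). It parses text shaped like the output of openssl x509 -noout -subject -nameopt RFC2253 -ext subjectAltName; the sample texts and GUID values are constructed, and extract_guid is a hypothetical helper name.

```python
import re

PREFIX = "ID:Mobileiron:GUID:"  # literal prefix entered in the SAN or CN field

# Constructed samples: subject and SAN text for three hypothetical certificates.
SAMPLE_SAN = """subject=CN=jdoe,O=Example Corp
X509v3 Subject Alternative Name:
    URI:ID:Mobileiron:GUID:11111111-2222-3333-4444-555555555555
"""
SAMPLE_CN = "subject=CN=ID:Mobileiron:GUID:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee,O=Example Corp\n"
SAMPLE_UNSUBSTITUTED = """subject=CN=jdoe,O=Example Corp
X509v3 Subject Alternative Name:
    URI:ID:Mobileiron:GUID:${deviceGUID}
"""


def extract_guid(openssl_text):
    """Return (guid, source), where source is "SAN" or "CN".

    Raises ValueError when the certificate has no usable GUID, so a
    profile that was never updated is caught before devices rely on it.
    """
    value = re.escape(PREFIX) + r"([^,\s]*)"
    # SAN entries are printed as comma-separated "URI:<value>" items.
    san = re.findall(r"URI:" + value, openssl_text)
    # CN fallback; optional spaces cover other -nameopt styles.
    cn = re.findall(r"CN\s*=\s*" + value, openssl_text)
    found = [(g, "SAN") for g in san] + [(g, "CN") for g in cn]
    if not found:
        raise ValueError("no ID:Mobileiron:GUID value in SAN URI or CN")
    guids = {g for g, _ in found}
    for g in guids:
        # Empty or literal ${...}: the template variable was not expanded.
        if not g or "${" in g:
            raise ValueError("GUID variable was not substituted: %r" % g)
    if len(guids) > 1:
        raise ValueError("SAN and CN carry different GUIDs")
    return found[0]


if __name__ == "__main__":
    for sample in (SAMPLE_SAN, SAMPLE_CN, SAMPLE_UNSUBSTITUTED):
        try:
            print(extract_guid(sample))
        except ValueError as err:
            print("rejected:", err)
```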


Define a Wi-Fi profile in MobileIron Cloud

If you have already deployed Wi-Fi profiles to your managed iOS and Android devices, edit the Wi-Fi profiles to include the latest identity certificate configuration. The connected devices will then receive new identity certificates with a GUID in the Subject or Subject Alternative Name attributes.

Procedure

1. From the MobileIron Cloud menu, choose Configurations and click Wi-Fi.

2. In the Name field, enter a value.

3. In the Service Set Identifier (SSID) field, enter the name of your network.

Note

The Auto Join check box is checked by default. Keep the default selection.

4. From the Security Type drop-down list, choose the required option.

5. In the Enterprise Settings area, in the Protocols tab, check the TLS check box.

6. In the Authentication tab, enter the required values in the Username and Password fields.

7. From the Identity Certificate drop-down list, choose the identity certificate that you created in the procedure Create an identity certificate in MobileIron Cloud.

Optional: In the Trust tab, check the check box adjacent to the trusted certificate that you want to use.

8. In the All Versions area, from the Network Type drop-down list, choose Standard and click Next.

In the Distribute window, click the required option.

9. In the Define Device Group Distribution area, check the check boxes adjacent to the device groups that you want to include in this configuration and click Done.