Integrate MDM and UEM Servers with Cisco ISE

Set up MobileIron Core UEM servers

Add a MobileIron Core user with API permissions

Procedure

1. Log in to your MobileIron Core administrator portal.

2. Choose Devices and Users > Users.

3. From the Add drop-down list, choose Add Local User.

4. Enter the required values in these fields:

  • User ID

  • First Name

  • Last Name

  • Password

  • Confirm Password

  • Email

5. Click Save.

6. To assign an API role to the newly created user, click Admin and check the check box next to the corresponding user name.

7. From the Actions drop-down list, choose Assign to Space.

8. Choose a predefined space for the user from the Select Space drop-down list, or choose the roles that you want to assign to the user from the available options. Ensure that the user has tenant administrator permissions and that the API role is enabled for this user.

9. Click Save.


Establish a certificate authority in MobileIron Core

MobileIron Core allows you to choose from a wide range of CA configurations. Choose the option that suits your organization’s requirements. This procedure includes steps for creating self-signed certificates only as an example.

Procedure

1. In the MobileIron Core administrator portal, choose Services > Local CA.

2. From the Add drop-down list, choose Generate Self-Signed Cert.

3. In the Generate Self-Signed Certificate dialog box that is displayed, enter the required values in each of these fields:

  • Local CA Name

  • Key Length

  • CSR Signature Algorithm

  • Key Lifetime (in days)

  • Issuer Name

4. Click Generate.

5. Download the CA certificate. Later, you will upload this certificate to Cisco ISE. Click View Certificate next to the certificate that you want to download. Copy all the contents of the displayed dialog box. Paste the certificate content into a text editor and save the document as a .cer file.
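A copy-and-paste export can silently lose lines, so it is worth checking the saved .cer file before uploading it to Cisco ISE. The following is an added example, not part of the Cisco or MobileIron documentation; it assumes the dialog box shows the certificate in PEM text form, and the sample inputs are constructed placeholders rather than real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_declared_length(der):
    """Total size the outer DER SEQUENCE header declares, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                      # short form: length fits in one byte
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pasted_cert(text):
    """Return (True, SHA-256 hex of the DER) or (False, reason)."""
    blocks = PEM_RE.findall(text)
    if len(blocks) != 1:
        return False, "expected exactly one BEGIN/END CERTIFICATE block"
    try:
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
    except ValueError:
        return False, "base64 body is damaged"
    if der_declared_length(der) != len(der):
        return False, "DER length mismatch: paste is truncated or has extra data"
    return True, hashlib.sha256(der).hexdigest()

# Constructed sample: a 260-byte DER SEQUENCE shell, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
BODY = base64.encodebytes(SAMPLE_DER).decode()
SAMPLE_OK = "-----BEGIN CERTIFICATE-----\n" + BODY + "-----END CERTIFICATE-----\n"
# The same paste with one body line lost, and one with the footer cut off.
LINES = BODY.splitlines()
SAMPLE_LOST_LINE = ("-----BEGIN CERTIFICATE-----\n"
                    + "\n".join(LINES[:1] + LINES[2:])
                    + "\n-----END CERTIFICATE-----\n")
SAMPLE_NO_FOOTER = "-----BEGIN CERTIFICATE-----\n" + BODY

if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_LOST_LINE", "SAMPLE_NO_FOOTER"):
        print(name, check_pasted_cert(globals()[name]))
```

The returned SHA-256 value is the fingerprint of the DER bytes, which can be compared against the fingerprint of the same certificate wherever else it is displayed.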


Add root or trusted certificates in MobileIron Core

Procedure

1. In the MobileIron Core administrator portal, choose Policies and Configs > Configurations.

2. From the Add New drop-down list, choose Certificates.

3. In the New Certificate Setting dialog box, enter a name and description for the certificate in the corresponding fields.

4. In the File Name page, click Browse. Choose the root or trusted certificate you need to upload for the CA you configured.

   The accepted file types are certificate files with extensions .cer, .crt, .pem, and .der.

5. Click Save.


Provision certificate enrollment in MobileIron Core

This procedure describes how to connect a local CA as an example. It highlights the Subject and Subject Alternative Name attribute configurations needed to handle random and changing MAC addresses in Cisco ISE release 3.1. MobileIron does not recommend the use of self-signed certificates or a local CA.

Procedure

1. In the MobileIron Core administrator portal, choose Policies and Configs > Configurations.

2. Click Add New, choose Certificate Enrollment, and then choose the appropriate connector for the CA you have configured. If you are configuring a local CA, choose Local.

   This procedure explains how to configure a local CA. Choose the certificate enrollment option that matches the CA you have configured to connect your MobileIron Core servers to Cisco ISE.

3. In the New Local Certificate Enrollment Setting dialog box that is displayed, provide values for these fields:

  • Name

  • Local CAs

  • Key Type

  • Subject: To use the Subject field to share the UUID (referred to as GUID in Cisco ISE) with Cisco ISE release 3.1 and later, enter CN=ID:Mobileiron:GUID:${deviceGUID}.

  • Key Length

  • CSR Signature Algorithm

  • In the Subject Alternative Names area, click Add and choose Uniform Resource Identifier from the Type drop-down list. In the Value column, enter ID:Mobileiron:GUID:${deviceGUID}. This field shares the UUID (referred to as GUID in Cisco ISE) with Cisco ISE release 3.1 and later.

4. Click Issue Test Certificate.
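One way to confirm that the test certificate carries the GUID in both places this procedure configures is to inspect it with `openssl x509 -noout -subject -ext subjectAltName` and check the text output. The following is an added example, not part of the Cisco or MobileIron documentation; it assumes you have the issued test certificate as a file, treats the substituted GUID as an opaque token, and uses constructed sample output with placeholder GUID values.

```python
import re

PREFIX = "ID:Mobileiron:GUID:"
# Assumption: the substituted GUID is one token with no whitespace, comma, or ${} in it.
TOKEN = r"([^\s,${}]+)"
CN_RE = re.compile(r"CN\s*=\s*" + re.escape(PREFIX) + TOKEN)
URI_RE = re.compile(r"URI:" + re.escape(PREFIX) + TOKEN)

def check_identity_fields(openssl_text):
    """Return (True, guid) if Subject CN and the SAN URI agree, else (False, reason)."""
    if "${" in openssl_text:
        # The template variable reached the certificate without being expanded.
        return False, "variable was not substituted"
    cn = CN_RE.search(openssl_text)
    if cn is None:
        return False, "Subject CN does not carry the GUID"
    uris = URI_RE.findall(openssl_text)
    if not uris:
        return False, "no SAN URI carries the GUID"
    if any(u != cn.group(1) for u in uris):
        return False, "Subject CN and SAN URI disagree"
    return True, cn.group(1)

# Constructed samples in the shape of the openssl output; the GUIDs are placeholders.
GOOD = """subject=CN = ID:Mobileiron:GUID:constructed-guid-0001
X509v3 Subject Alternative Name:
    URI:ID:Mobileiron:GUID:constructed-guid-0001
"""
NO_SAN = "subject=CN = ID:Mobileiron:GUID:constructed-guid-0001\n"
MISMATCH = GOOD.replace("URI:ID:Mobileiron:GUID:constructed-guid-0001",
                        "URI:ID:Mobileiron:GUID:constructed-guid-0002")
LITERAL = "subject=CN = ID:Mobileiron:GUID:${deviceGUID}\n"

if __name__ == "__main__":
    for name in ("GOOD", "NO_SAN", "MISMATCH", "LITERAL"):
        print(name, check_identity_fields(globals()[name]))
```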


Define a Wi-Fi profile in MobileIron Core

Procedure

1. In the MobileIron Core administrator portal, choose Policies and Configs > Configurations.

2. From the Add New drop-down list, choose Wi-Fi.

3. In the New Wi-Fi Setting dialog box, enter the required values in these fields:


Map resources to labels in MobileIron Core

Configure a label to define the configurations, rules, and profiles for a group of endpoints and devices. You can use a label to group endpoints and devices by criteria such as organizational unit, device type, or the operating system that is running on an endpoint. After you create a label, assign it to resources in the Policies & Configs page to map configurations, policies, and device or user groups.

To support the Cisco ISE use case, first create an appropriate label. Then apply the certificate enrollment, Wi-Fi profile, and other configurations you create for this use case to that label.

Procedure

1. Create a label:

  1. In the MobileIron Core administrator portal, choose Devices & Users > Labels.

  2. Click Add Label.

  3. In the Add Label dialog box, enter a name for the label in the Name field.

  4. In the Criteria area, define the parameters of this label by choosing the appropriate values in the Field, Operator, and Value fields.

  5. Click Save.

2. Assign a label to a Policies & Configs resource:

  1. In the MobileIron Core administrator portal, click Policies & Configs and choose the resource menu of your choice.

  2. Check the check box for the configuration or policy to which you want to assign the label that you created.

  3. From the Actions drop-down list, choose Apply To Label.

  4. In the Apply To Label dialog box, check the check box adjacent to the label that you want to apply, and click Apply.