Ivanti (previously MobileIron) unified endpoint management servers
Note: MobileIron is now part of Ivanti. At the time of writing, MobileIron continues to offer Unified Endpoint Management (UEM) solutions such as MobileIron Core (On-Premises) and MobileIron Cloud.
Cisco ISE release 3.1 leverages APIs through the BasicAuth framework to connect to MobileIron Core or MobileIron Cloud servers. It receives GUID values from these servers. Cisco ISE uses these GUID values instead of MAC addresses to identify endpoints. This process enables reliable authentication even when MAC Address Randomization is in use.
GUID-based authentication uses client certificates, also called X509 or Identity Certificates. To ensure certificates sent from MobileIron Cloud or MobileIron Core servers to Cisco ISE include GUID values, complete these tasks:
To use GUID with Cisco ISE, ensure you have MobileIron Core 11.3.0.0 Build 24 or later.
In the MobileIron Cloud or MobileIron Core administrator portal:
1. Create a user account and assign the required API permissions to it.
2. Configure a Certificate Authority (CA).
3. Configure an Identity Certificate to include GUID information.
4. Upload root certificates or trusted certificates, as required.
5. Configure a Wi-Fi profile.
Tip: If you have already connected MobileIron Cloud or MobileIron Core servers to your Cisco ISE release 3.1 and want to receive GUIDs from the connected servers, perform steps 3, 4, and 5, as required. When you edit your existing Identity Certificate or Wi-Fi configurations, or both, MobileIron republishes the updated configurations to your managed devices that are connected. Although MobileIron does not recommend using self-signed certificates or a local CA, this guide includes the steps for self-signed certificates and a local CA as an example to highlight the Subject and Subject Alternative Name attribute configurations necessary for handling random and changing MAC addresses in Cisco ISE release 3.1.
In Cisco ISE:
1. Upload the certificate generated in the MobileIron portal.
2. Connect the MobileIron UEM servers.
Configure MobileIron Cloud UEM servers
To configure a MobileIron Cloud UEM server, follow this workflow.
Add MobileIron Cloud user for Cisco ISE operations
Procedure
Step 1: Log in to the MobileIron Cloud portal.
Step 2: From the top menu, choose Users.
Step 3: From the Add drop-down list, choose Add API User.
Step 4: In the Add API User window, enter values for these fields:
Step 5: In the Assign Roles area, check the Cisco ISE Operations check box to allow the user to invoke the APIs required for Cisco ISE integration.
Step 6: Click Done.
Configure a certificate authority in MobileIron Cloud
You can configure a local CA with this procedure. MobileIron Cloud also offers a wider range of CA configurations. Choose the type that best matches your organization’s requirements.
For information on the various types of certificate management supported by MobileIron Cloud, refer to http://mi.extendedhelp.mobileiron.com/75/all/en/Welcome.htm#LocalCertificates.htm.
Procedure
Step 1: In the MobileIron Cloud portal, choose .
Step 2: Click Add.
Step 3: Click Create a Standalone Certificate Authority.
Step 4: In the dialog box , enter the details in the respective fields.
Upload root or trusted certificates in MobileIron Cloud
If you use a trusted third-party CA to generate identity certificates, you can ignore this task.
If you use the local MobileIron Cloud CA or an internal CA that is private to your company or organization, you must upload the Root Certificate of the CA. When you upload this certificate, it is distributed to the connected devices, which can then trust the source or issuer of the identity certificate used for authentication.
Procedure
Step 1: From the MobileIron Cloud menu, choose Configurations.
Step 2: Click Add and choose Certificate.
Step 3: In the Name field, enter a name for the trusted certificate.
Step 4: In the Configuration Setup area, click Choose File and choose the trusted or root certificate for your CA.
Step 5: Click Next.
Configure an identity certificate in MobileIron Cloud
Configure an identity certificate in MobileIron Cloud to set up the certificate authentication mechanism for mobile devices. Identity Certificates are X.509 certificates (.p12 or .pfx files). You can also generate identity certificates dynamically using a CA as the source.
Note: If you have identity certificates in MobileIron Cloud that are already configured for Cisco ISE MDM use cases, update the certificate's settings to enable GUID information retrieval from MobileIron servers.
Procedure
Step 1: From the MobileIron Cloud top menu, choose Configurations and click Identity Certificate.
Step 2: In the Name field, enter a value.
Step 3: In the Configuration Setup area, from the drop-down list, choose Dynamically Generated.
Step 4: From the Source drop-down list, choose the CA that you configured in the procedure Configure a Certificate Authority in MobileIron Cloud.
Step 5: From the Subject Alternative Name Type drop-down list, choose Uniform Resource Identifier.
Step 6: In the Subject Alternative Name Value field, enter ID:Mobileiron:GUID:${deviceGUID}. Configure the Subject Alternative Name field for GUID. Optional: Alternatively, to use the Common Name (CN) field to push GUID to Cisco ISE, in the Subject field, enter CN=ID:Mobileiron:GUID:${deviceGUID}.
Step 7: Click Test Configuration and Continue.
Step 8: In the Distribute window, click Custom.
Step 9: In the Define Device Group Distribution area, choose the device groups that you want to distribute in this configuration and click Done. If you update the SAN or CN fields in an existing identity certificate for Cisco ISE MDM use cases, the updated certificates must be sent to the end users connected to your network. To send the updated certificates to end users, in the window, check the Clear cached certificates and issue new ones with recent updates check box.
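A check you can run on a certificate issued from this configuration, as an added example that is not part of the Cisco or MobileIron documentation: it parses the text printed by openssl x509 -noout -subject -ext subjectAltName and confirms that the ID:Mobileiron:GUID: value from Step 6 is present in the SAN URI or the CN and that ${deviceGUID} was actually substituted. The function names and the sample output, including the GUID value, are constructed for illustration.

```python
import re

PREFIX = "ID:Mobileiron:GUID:"           # literal prefix from the SAN/CN value in Step 6
UNRESOLVED = re.compile(r"\$\{[^}]*\}")  # a ${...} variable that was never substituted

# Constructed sample output (not from a real device); the GUID value is made up.
SAMPLE_OK = """subject=CN = device01, O = Example
X509v3 Subject Alternative Name:
    URI:ID:Mobileiron:GUID:0a1b2c3d-1111-2222-3333-444455556666
"""
SAMPLE_UNRESOLVED = "subject=CN = ID:Mobileiron:GUID:${deviceGUID}\n"


def guid_values(openssl_text):
    """Return (san_guids, cn_guid) parsed from the openssl text output."""
    san, cn = [], None
    for line in openssl_text.splitlines():
        line = line.strip()
        if line.startswith("subject="):
            m = re.search(r"(?:^|[,/]\s*)CN\s*=\s*([^,/]+)", line[len("subject="):])
            if m and m.group(1).strip().startswith(PREFIX):
                cn = m.group(1).strip()[len(PREFIX):]
        else:
            # SAN entries are comma-separated "TYPE:value" pairs; keep URI entries only.
            for entry in (e.strip() for e in line.split(",")):
                if entry.startswith("URI:" + PREFIX):
                    san.append(entry[len("URI:" + PREFIX):])
    return san, cn


def check_certificate(openssl_text):
    """Return the device GUID, or raise ValueError describing what is wrong."""
    san, cn = guid_values(openssl_text)
    found = set(san) | ({cn} if cn is not None else set())
    if not found:
        raise ValueError("no %s value in SAN URI or Subject CN" % PREFIX)
    if len(found) > 1:
        raise ValueError("conflicting GUID values: %s" % sorted(found))
    guid = found.pop()
    if not guid or UNRESOLVED.search(guid) or re.search(r"\s", guid):
        raise ValueError("GUID variable was not substituted: %r" % guid)
    return guid


if __name__ == "__main__":
    print(check_certificate(SAMPLE_OK))
```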
Configure a Wi-Fi profile in MobileIron Cloud
If you have already deployed Wi-Fi profiles to your managed iOS and Android devices, edit the Wi-Fi profiles to include the latest identity certificate configuration. The connected devices will then receive new identity certificates with a GUID in the Subject or Subject Alternative Name attributes.
Procedure
Step 1: From the MobileIron Cloud menu, choose Configurations and click Wi-Fi.
Step 2: In the Name field, enter a value.
Step 3: In the Service Set Identifier (SSID) field, enter the name of your network.
Step 4: From the Security Type drop-down list, choose the required option.
Step 5: In the Enterprise Settings area, in the Protocols tab, check the TLS check box.
Step 6: In the Authentication tab, enter the required values in the Username and Password fields.
Step 7: From the Identity Certificate drop-down list, choose the identity certificate that you created in the procedure Configure an identity certificate in MobileIron Cloud.
Step 8: In the All Versions area, from the Network Type drop-down list, choose Standard and click Next. In the Distribute window, click the required option.
Step 9: In the Define Device Group Distribution area, check the check boxes adjacent to the device groups that you want to include in this configuration and click Done.
Configure MobileIron Core UEM servers
To configure a MobileIron Core UEM server, follow this workflow.
Add a MobileIron Core user with API permissions
Procedure
Step 1: Log in to your MobileIron Core administrator portal.
Step 2: Choose .
Step 3: From the Add drop-down list, choose Add Local User.
Step 4: Enter the required values in these fields:
Step 5: Click Save.
Step 6: To assign an API role to the newly created user, click Admin and check the check box next to the corresponding user name.
Step 7: From the Actions drop-down list, choose Assign to Space.
Step 8: Choose a predefined space for the user from the Select Space drop-down list, or choose the roles that you want to assign to the user from the available options. Ensure that the user has tenant administrator permissions and that the API role is enabled for this user.
Step 9: Click Save.
Configure a certificate authority in MobileIron Core
MobileIron Core allows you to choose from a wider range of CA configurations. Choose the option that suits your organization’s requirements. This procedure includes steps for creating self-signed certificates only as an example.
Procedure
Step 1: In the MobileIron Core administrator portal, choose .
Step 2: From the Add drop-down list, choose Generate Self-Signed Cert.
Step 3: In the Generate Self-Signed Certificate dialog box that is displayed, enter the required values in each field:
Step 4: Click Generate.
Step 5: Download the CA certificate. Later, you will upload this certificate to Cisco ISE. Click View Certificate next to the certificate that you want to download. Copy all the contents into the displayed dialog box. Paste the certificate content into a text editor and save the document as a .cer file.
Add root or trusted certificates in MobileIron Core
Procedure
Step 1: In the MobileIron Core administrator portal, choose .
Step 2: From the Add New drop-down list, choose Certificates.
Step 3: In the New Certificate Setting dialog box, enter a name and description for the certificate in the corresponding fields.
Step 4: In the File Name page, click Browse. Choose the root or trusted certificate you need to upload for the CA you configured. The accepted file types are certificate files with extensions .cer, .crt, .pem, and .der.
Step 5: Click Save.
Configure certificate enrollment in MobileIron Core
Procedure
Step 1: In the MobileIron Core administrator portal, choose .
Step 2: Click Add New, choose Certificate Enrollment, and then choose the appropriate connector for the CA you have configured. If you are configuring a local CA, choose Local. This procedure explains how to configure a local CA. Choose the certificate enrollment option that matches the CA you have configured to connect your MobileIron Core servers to Cisco ISE.
Step 3: In the New Local Certificate Enrollment Setting dialog box that is displayed, provide values for these fields:
Step 4: Click Issue Test Certificate.
Configure a Wi-Fi profile in MobileIron Core
Procedure
Step 1: In the MobileIron Core administrator portal, choose .
Step 2: From the Add New drop-down list, choose Wi-Fi.
Step 3: In the New Wi-Fi Setting dialog box, enter the required values in these fields:
Map resources to labels in MobileIron Core
Configure a label to define the configurations, rules, and profiles for a group of endpoints and devices. You can use a label to group endpoints and devices by criteria such as organizational unit, device type, or the operating system that is running on an endpoint. After you create a label, assign it to resources in the Policies & Configs page to map configurations, policies, and device or user groups.
To support the Cisco ISE use case, first create an appropriate label. Then apply the certificate enrollment, Wi-Fi profile, and other configurations you create for this use case to that label.
Procedure
Step 1: Create a label:
Step 2: Assign a label to a Policies & Configs resource:

