Published by Miranda Stewart. Modified over 6 years ago.
1
Cisco ISE 1.2 Mobile Device Management Integration
Ravi Singh System Engineer February 26, 2013
2
Agenda
The BYOD Solution Gap
Bridging the BYOD Gap
ISE vs MDM
Enforce Policy for Resource Access
Manage Device Compliance
Bridging the BYOD Gap
MDM Integration Requirements
Configurations
The Apple iOS User Experience
3
The BYOD Solution Gap
4
If Yes, then “Grant Access” Else “Deny”
ISE 1.1 Cisco BYOD with Identity Services Engine
5
Context Aware Resource Access
Context Defines Criteria for Access
6
Mobile Device Manager Enterprise Infrastructure Interoperability Centralized Management MDM Manage Mobile Apps Secure Content Distribution Secure and Manage Mobile Devices Secure, Manage and Enhance Collaboration on Mobile Devices
7
MDM Compliance Check Non-Compliant Apple iOS Policy as defined by
IT Administrator
8
Pin Lock Non Compliance
Reason for Device Non-Compliance “Pin-Lock Not Set on device”
9
Application Non Compliance
10
Bridging the Gap
11
Software Integration Requirements
Version 7.1 Version 1.2 Version 6.2 Version 5.0 Version 2.3 Mobile Collaboration Management Services Version 1.0
12
Inserting MDM as New Context
ISE 1.2 Inserting MDM as New Context Integrate ISE to MDM HERE no
13
ISE 1.2 Infrastructure Configuration
MDM FQDN or IP Address
MDM Admin User with API Access
Sends HTTP GET
Start Here
14
Example: MDM Server GET Information
Response:
HTTP Headers
HTTP/ OK
XML schema
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xs:schema version="1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="ise_api" type="ISEApiRegister"/>
  <xs:complexType name="ISEApiRegister">
    <xs:sequence>
      <xs:element name="name" type="NameType"/>
      <xs:element name="api_version" type="xs:string"/>
      <xs:element name="api_path" type="xs:string"/>
      <xs:element name="redirect_url" type="xs:string"/>
      <xs:element name="query_max_size" type="xs:integer"/>
      <xs:element name="messaging_support" type="xs:boolean"/>
      <xs:element name="vendor" type="xs:string"/>
      <xs:element name="product_name" type="xs:string"/>
      <xs:element name="product_version" type="xs:string"/>
    </xs:sequence>
  </xs:complexType>
  <xs:simpleType name='NameType'>
    <xs:restriction base='xs:string'>
      <xs:enumeration value='mdminfo'/>
    </xs:restriction>
  </xs:simpleType>
</xs:schema>
ISE Sends HTTP GET
15
Example: MDM Server Get Info Reply
ISE Sees XML
ISE Polls MDM for Compliance Attributes
API Defined by ISE 1.2 Product Group
MDM Partner Integration Requires API Adoption
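An added example, not part of the original slides and not Cisco's or any MDM vendor's code: a Python check that an MDM info reply matches the ISEApiRegister schema shown on the previous slide before any of its fields are used. The sample reply and every value in it are constructed, and refusing DTDs is a hardening choice made here, not something the slides specify.

```python
import xml.etree.ElementTree as ET

# Element names, order and types follow the ISEApiRegister schema on the slide.
FIELDS = [("name", "enum"), ("api_version", "string"), ("api_path", "string"),
          ("redirect_url", "string"), ("query_max_size", "integer"),
          ("messaging_support", "boolean"), ("vendor", "string"),
          ("product_name", "string"), ("product_version", "string")]
XS_BOOLEAN = {"true": True, "1": True, "false": False, "0": False}

# Constructed sample reply; every value here is made up for the example.
SAMPLE_REPLY = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ise_api>
  <name>mdminfo</name>
  <api_version>2</api_version>
  <api_path>/constructed/api/path</api_path>
  <redirect_url>https://mdm.example.invalid/enroll</redirect_url>
  <query_max_size>100</query_max_size>
  <messaging_support>true</messaging_support>
  <vendor>ExampleMDM</vendor>
  <product_name>Example Device Manager</product_name>
  <product_version>1.0.0</product_version>
</ise_api>"""

def parse_mdm_info(body):
    """Return the reply's fields as a dict; raise ValueError if it breaks the schema."""
    # The reply is remote input: refuse DTDs so no entity is ever expanded.
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        raise ValueError("DTD or entity declaration in reply")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError(f"reply is not well-formed XML: {exc}") from exc
    expected = [name for name, _ in FIELDS]
    found = [child.tag for child in root]
    # xs:sequence: each element exactly once, in the declared order.
    if root.tag != "ise_api" or found != expected:
        raise ValueError(f"expected ise_api with {expected}, got {root.tag} with {found}")
    info = {}
    for child, (name, kind) in zip(root, FIELDS):
        text = (child.text or "").strip()
        # query_max_size is treated as a non-negative ASCII integer here.
        ok = {"enum": text == "mdminfo", "integer": text.isascii() and text.isdigit(),
              "boolean": text in XS_BOOLEAN, "string": True}[kind]
        if not ok:
            raise ValueError(f"{name}: {text!r} is not a valid {kind}")
        info[name] = (int(text) if kind == "integer"
                      else XS_BOOLEAN[text] if kind == "boolean" else text)
    return info
```

A reply that fails this check should be treated as a misconfigured or unexpected server rather than partially trusted.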
16
MDM Dictionaries Added to ISE 1.2
MDM Dictionary Attributes Enables Context for AuthZ Conditions
17
MDM Authorization Profile
MDM Web Redirection Task Enables Context for AuthZ Conditions
18
WLC 7.2+ ACL Configuration
MDM-redirect Access Control List
ISE 1.2 MDM AuthZ Profile
Permit DNS
Permit ISE
Permit MDM
Deny All
ACL – Generates MDM Redirect
ACL Configurations will vary
Access to Internet for cloud based MDM REQUIRED
19
Integrating MDM into the AuthZ Policy
MDM AuthZ rules Active Directory User Group Based Authorized Access Levels Device Onboarding AuthZ Rule
20
iOS Employee Experience
21
Wireless MAC Address Onboarding
“Wireless_MAB” Authorization Rule = for any wireless connection with a Layer 2 MAC address, redirect the session to central web authentication on ISE
22
ISE 1.2: iOS BYOD Onboarding
23
MDM Based Authorization Context
Check MDM for Registration Status
Check MDM for Compliance Status
24
Airwatch: iOS Enrollment Experience
25
Airwatch Example: Non-Compliance
26
Authorization Rules For Access
Permit resource access based on Active Directory Groups
27
Take Away Integrating industry MDM BYOD with Cisco’s solution
ISE 1.2 checks MDM for context
MDM Partners Adopt ISE 1.2 API
Additional MDM Onboarding Step
New Authorization rules for MDM redirect portal
Active Directory determines access levels
28
Reference TAC BYOD Troubleshooting Forum
Pre-Recorded ISE 1.2 to MDM Onboarding Video Demos Cisco BYOD CVD nified_Access/byoddg.html