Integrating Jamf Pro with Cisco ISE 3.1

Jamf Pro 10.42.0 or later supports Cisco Identity Services Engine (ISE) 3.1, which introduced the ability to identify computers and mobile devices in Cisco ISE by GUID instead of by MAC address. Identifying devices by GUID eliminates undesirable behaviors such as misidentification of Apple devices caused by the private Wi-Fi address feature (iOS) or by MAC address spoofing. A single GUID identifies an individual device, whereas a single device may present multiple MAC addresses, so a MAC address is not a reliable device identifier.

Compliance is determined by advanced searches in Jamf Pro: computers and mobile devices that match the search you select for the integration are reported to Cisco ISE as compliant.

To integrate Jamf Pro with Cisco ISE 3.1 and leverage GUIDs, your network must use certificate-based authentication. In addition, one of the Subject Alternative Name URI fields for your network certificate must have the following specific value: ID:JAMF:GUID:$MANAGEMENTID. The $MANAGEMENTID variable will be replaced by the Jamf Pro-assigned management ID for the computer or mobile device when the certificate is issued via a configuration profile. Jamf Pro supports issuing the network certificate with the SAN URI field using either the SCEP payload or the Certificate payload within a configuration profile.

If you are using Jamf Pro's Certificate payload for API-issued certificates, the PKI provider must be either DigiCert or Active Directory Certificate Services (AD CS).

Note:

Venafi PKI integrations with Jamf Pro, which use the Jamf PKI Proxy, do not support the use of GUIDs at this time. However, you can continue to use MAC addresses for device identification with Venafi PKI integrations.

Cisco ISE 2.x continues to be supported by Jamf Pro 10.42.0 or later.

For more information, see the Jamf Integration with ISE as MDM documentation from Cisco.

Note:

This article is not intended as a comprehensive guide for integrating Jamf Pro with Cisco ISE 3.1. The examples provided may differ from your environment.

Jamf Pro

Requirements
  1. Create an advanced computer search, an advanced mobile device search, or both, with criteria that match the computers or mobile devices that should be reported to Cisco ISE as compliant.
  2. Create a network integration and choose the advanced computer or mobile device searches you created from the Advanced Computer Search For Compliance Verification and Advanced Mobile Device Search For Compliance Verification pop-up menus.
  3. Create a configuration profile for computers, mobile devices, or both, depending on the managed device types in your organization.
  4. If you are using an external CA:
    1. In the Certificate payload of the configuration profile, select the external CA from the Select Certificate Option pop-up menu.
    2. Choose "Uniform Resource Identifier" from the Subject Alternative Names pop-up menu.
    3. Enter the following value in the SAN Name field.
      ID:JAMF:GUID:$MANAGEMENTID
  5. If you are using SCEP:
    1. In the SCEP payload of the configuration profile, select "Uniform Resource Identifier" from the Subject Alternative Name Type pop-up menu.
    2. Enter the following value in the Subject Alternative Name Value field.
      ID:JAMF:GUID:$MANAGEMENTID
  6. In PKI Certificates > Managed Certificate Template, download the CA certificate.

    You will upload the CA certificate to Cisco ISE.
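
After a certificate has been issued through the SCEP or Certificate payload described above, confirm on a device that the subjectAltName actually carries the substituted management ID before relying on the ISE policy set. The following Python script is an added example, not part of the original article and not Jamf or Cisco tooling: it parses the subjectAltName from the output of openssl x509 -noout -text and checks that exactly one well-formed ID:JAMF:GUID: URI is present and that it equals the device's Jamf Pro management ID. The openssl and security invocations, the constructed sample certificate text, and the assumption that a management ID is a UUID-formatted string are the example's own.

```python
"""Check that a device certificate carries the SAN URI that Cisco ISE 3.1 uses to
identify the device by its Jamf Pro management ID (ID:JAMF:GUID:<management id>).

Input is the text that `openssl x509 -noout -text` prints for the certificate.
Assumed way to obtain it on macOS (not from the original article):
    security find-certificate -c "<certificate name>" -p | openssl x509 -noout -text
"""
import sys
import uuid

# Prefix Jamf Pro writes into the SAN URI; $MANAGEMENTID is substituted after it.
JAMF_GUID_URI_PREFIX = "URI:ID:JAMF:GUID:"

# Constructed sample of openssl output for a correctly issued certificate (not a real one).
SAMPLE_GOOD = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                URI:ID:JAMF:GUID:3b1f2c9a-7d4e-4a8b-9c0d-1e2f3a4b5c6d, DNS:mac-0042.example.com
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
"""

# Constructed sample of the failure mode where the variable was never substituted
# (for example because it was mistyped in the profile): the literal text is in the SAN.
SAMPLE_UNSUBSTITUTED = """\
            X509v3 Subject Alternative Name:
                URI:ID:JAMF:GUID:$MANAGEMENTID
"""


def san_entries(openssl_text):
    """Return the comma-separated subjectAltName entries ('URI:...', 'DNS:...') from
    openssl -text output, or [] when the certificate has no SAN extension."""
    lines = openssl_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith("X509v3 Subject Alternative Name:") and i + 1 < len(lines):
            return [e.strip() for e in lines[i + 1].split(",") if e.strip()]
    return []


def jamf_guids(openssl_text):
    """Return every GUID carried in a 'URI:ID:JAMF:GUID:<guid>' SAN entry."""
    return [e[len(JAMF_GUID_URI_PREFIX):]
            for e in san_entries(openssl_text)
            if e.startswith(JAMF_GUID_URI_PREFIX)]


def check_certificate(openssl_text, expected_management_id):
    """Return (ok, reason). ok is True only when exactly one well-formed Jamf GUID
    URI is present and it equals the device's Jamf Pro management ID
    (assumed here to be a UUID string; the comparison is case-insensitive)."""
    guids = jamf_guids(openssl_text)
    if not guids:
        return False, "subjectAltName has no URI:ID:JAMF:GUID: entry"
    if len(guids) > 1:
        return False, "subjectAltName has %d Jamf GUID URIs; the identifier is ambiguous" % len(guids)
    try:
        found = uuid.UUID(guids[0])
    except ValueError:
        return False, "value %r after ID:JAMF:GUID: is not a UUID (was $MANAGEMENTID substituted?)" % guids[0]
    if found != uuid.UUID(expected_management_id):
        return False, "GUID %s does not match management ID %s" % (found, expected_management_id)
    return True, "subjectAltName carries ID:JAMF:GUID:%s" % found


if __name__ == "__main__":
    # Usage: openssl x509 -noout -text < device.pem | python3 check_jamf_san.py <management id>
    # Without arguments the constructed sample is checked instead.
    text = sys.stdin.read() if len(sys.argv) > 1 else SAMPLE_GOOD
    expected = sys.argv[1] if len(sys.argv) > 1 else "3b1f2c9a-7d4e-4a8b-9c0d-1e2f3a4b5c6d"
    ok, reason = check_certificate(text, expected)
    print(("OK: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

The management ID to compare against is the one Jamf Pro shows for the device (the value substituted for $MANAGEMENTID). A certificate that fails the unsubstituted check will present a SAN URI of literally ID:JAMF:GUID:$MANAGEMENTID, and ISE will not be able to match it to the device, so check this before troubleshooting the ISE policy set.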

Cisco ISE

Requirements
  • Cisco Identity Services Engine (ISE) 3.1

  • EAP-TLS authentication for your network

  • Experience with identity management, certificates, and policy sets in Cisco ISE. For more information, see the Cisco Identity Services Engine 3.1 documentation from Cisco.

  1. Add or edit a certificate authentication profile within external identity sources and do the following:
    1. In the Use Identity From section, select Certificate Attribute.
    2. Choose Subject Alternative Name from the pop-up menu.

    This setting allows the GUID to be retrieved from the certificate.

  2. Trust the Jamf Pro CA certificate by importing the CA certificate that you downloaded from Jamf Pro, and select Trust for authentication within ISE during upload.
  3. Add or edit the external MDM server, and ensure that "Cert - SAN URI, GUID" is enabled.
    Note:

    Jamf recommends enabling only the "Cert - SAN URI, GUID" device identifier.

  4. Add or edit policy sets:
    1. Define the following conditions for when the policy set should be applied:
      DEVICE·Device Type EQUALS All Device Types
      Normalised Radius·RadiusFlowType EQUALS Wireless802_1x
    2. Include the following condition in your authentication policy sets:
      Network Access·EapAuthentication EQUALS EAP-TLS
    3. Select the name of the certificate authentication profile that you configured earlier, and then select Use from the pop-up menu.
    4. Add an authorization policy with the following condition:
      MDM·DeviceCompliantStatus EQUALS Compliant
Note:

You may have additional conditions configured for your environment. For example, if you have multiple external MDM servers set up, you must add a condition that specifies which one you want to use.