Integrating Jamf Pro with Cisco ISE 3.1
Jamf Pro 10.42.0 or later supports Cisco Identity Services Engine (ISE) 3.1, which introduced the ability to use GUIDs instead of MAC addresses for computer and mobile device identification in Cisco ISE. Using GUIDs eliminates undesirable behaviors, such as misidentification of Apple devices caused by the private address being turned on (iOS) or by spoofing of the MAC address. A single GUID identifies an individual device, whereas multiple MAC addresses could identify the same device.
You can use advanced searches in Jamf Pro to determine computer and mobile device compliance.
To integrate Jamf Pro with Cisco ISE 3.1 and leverage GUIDs, your network must use certificate-based authentication. In addition, one of the Subject Alternative Name URI fields for your network certificate must have the following specific value: ID:JAMF:GUID:$MANAGEMENTID. The $MANAGEMENTID variable will be replaced by the Jamf Pro-assigned management ID for the computer or mobile device when the certificate is issued via a configuration profile. Jamf Pro supports issuing the network certificate with the SAN URI field using either the SCEP payload or the Certificate payload within a configuration profile.
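One way to confirm that an issued network certificate carries the SAN URI described above, shown as an added example that is not part of the Jamf or Cisco documentation. It classifies the text printed by `openssl x509 -noout -ext subjectAltName`; the function names, status labels, and sample inputs are constructed for illustration, and the canonical GUID format of the management ID is an assumption.

```python
import re

SAN_PREFIX = "ID:JAMF:GUID:"    # SAN URI value required by the page
PLACEHOLDER = "$MANAGEMENTID"   # Jamf Pro variable named on the page
# Assumption: the management ID is a GUID in canonical 8-4-4-4-12 hex form.
GUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def san_uris(openssl_text):
    """Extract URI entries from `openssl x509 -noout -ext subjectAltName` output."""
    uris = []
    for line in openssl_text.splitlines():
        for entry in line.split(","):
            entry = entry.strip()
            if entry.startswith("URI:"):
                uris.append(entry[len("URI:"):])
    return uris


def check_jamf_guid(openssl_text):
    """Return (status, management_id) for one certificate's SAN text."""
    values = [u[len(SAN_PREFIX):] for u in san_uris(openssl_text)
              if u.startswith(SAN_PREFIX)]
    if not values:
        return ("missing", None)        # no ID:JAMF:GUID: URI in the SAN
    if len(values) > 1:
        return ("ambiguous", None)      # a single GUID should identify a device
    value = values[0]
    if PLACEHOLDER in value:
        return ("unsubstituted", None)  # variable was not replaced at issuance
    if not GUID_RE.fullmatch(value):
        return ("malformed", None)      # e.g. a MAC address in place of a GUID
    return ("ok", value.lower())


# Constructed sample inputs (not taken from a real deployment).
SAMPLES = {
    "good": "X509v3 Subject Alternative Name: \n"
            "    URI:ID:JAMF:GUID:3f2c9a1e-7b4d-4e8a-9c61-0a5d2e7f1b34, "
            "email:user@example.com",
    "literal": "X509v3 Subject Alternative Name: \n"
               "    URI:ID:JAMF:GUID:$MANAGEMENTID",
    "no_uri": "X509v3 Subject Alternative Name: \n    DNS:mac01.example.com",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, check_jamf_guid(text))
```

An "unsubstituted" result means the certificate still contains the literal variable name, so Cisco ISE would have no GUID to match against the device.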
If you are using Jamf Pro's Certificate payload for API-issued certificates, the PKI provider must be either DigiCert or Active Directory Certificate Services (AD CS).
Venafi PKI integrations with Jamf Pro, which use the Jamf PKI Proxy, do not support the use of GUIDs at this time. However, you can continue to use MAC addresses for device identification with Venafi PKI integrations.
Cisco ISE 2.x continues to be supported by Jamf Pro 10.42.0 or later.
For more information, see the Jamf Integration with ISE as MDM documentation from Cisco.
This article is not intended as a comprehensive guide for integrating Jamf Pro with Cisco ISE 3.1. The examples provided may differ from your environment.
Jamf Pro
Jamf Pro 10.42.0 or later
A Jamf Pro account with the following Read privileges:
Advanced Computer Searches
Advanced Mobile Device Searches
Computers
Mobile Devices
Network Integration
Experience with the following concepts that are discussed in the Jamf Pro Documentation:
Cisco ISE
Cisco Identity Services Engine (ISE) 3.1
EAP-TLS authentication for your network
Experience with identity management, certificates, and policy sets in Cisco ISE. For more information, see the Cisco Identity Services Engine 3.1 documentation from Cisco.
You may have additional conditions configured for your environment. For example, if you have multiple external MDM servers set up, you must add a condition that specifies which one you want to use.