Cisco ISE 1.2 Mobile Device Management Integration
Ravi Singh, System Engineer. February 26, 2013. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Agenda
• The BYOD Solution Gap
• ISE vs MDM
• Enforce Policy for Resource Access
• Manage Device Compliance
• Bridging the BYOD Gap
• MDM Integration Requirements
• Configurations
• The Apple iOS User Experience
ISE 1.1: Cisco BYOD with Identity Services Engine
Context Defines Criteria for Access
What an MDM provides (figure)
• Enterprise infrastructure interoperability
• Centralized management
• Secure and manage mobile devices
• Manage mobile apps
• Secure content distribution
• Secure, manage and enhance collaboration on mobile devices
Non-Compliant Apple iOS: policy as defined by the IT administrator
Reason for device non-compliance: “Pin-Lock Not Set on device”
Application non-compliance
Partner product versions (figure): ISE 1.2; partner MDM releases 7.1, 5.0, 6.2 and 2.3; Mobile Collaboration Management Services 1.0
ISE 1.2: Integrate ISE to MDM
Start here: MDM server settings in ISE
• MDM FQDN or IP address
• MDM admin user with API access
ISE sends HTTP GET https://mdm-server/ciscoise/mdminfo (shown on the slide as https://mdm.ip.addr/ciscoise/mdminfo).
Response: HTTP/1.1 200 OK with a body that conforms to this XML schema:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <xs:schema version="1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
      <xs:element name="ise_api" type="ISEApiRegister"/>
      <xs:complexType name="ISEApiRegister">
        <xs:sequence>
          <xs:element name="name" type="NameType"/>
          <xs:element name="api_version" type="xs:string"/>
          <xs:element name="api_path" type="xs:string"/>
          <xs:element name="redirect_url" type="xs:string"/>
          <xs:element name="query_max_size" type="xs:integer"/>
          <xs:element name="messaging_support" type="xs:boolean"/>
          <xs:element name="vendor" type="xs:string"/>
          <xs:element name="product_name" type="xs:string"/>
          <xs:element name="product_version" type="xs:string"/>
        </xs:sequence>
      </xs:complexType>
      <xs:simpleType name="NameType">
        <xs:restriction base="xs:string">
          <xs:enumeration value="mdminfo"/>
        </xs:restriction>
      </xs:simpleType>
    </xs:schema>
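The following is an added example, not Cisco's or any MDM partner's code: it models what a consumer of the mdminfo response has to do with it, using the element names from the schema above. The sample response, the vendor strings, the host name mdm.example.com and the redirect-URL policy are all constructed for this example. The redirect URL matters because unregistered devices are sent to it, so an example consumer should refuse a URL that does not point, over HTTPS, at the MDM host the administrator configured.

```python
"""Parse and sanity-check an MDM 'mdminfo' discovery response (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Elements the ISEApiRegister sequence requires, in schema order.
REQUIRED = (
    "name", "api_version", "api_path", "redirect_url", "query_max_size",
    "messaging_support", "vendor", "product_name", "product_version",
)

# Constructed sample of a partner response; no real vendor's output.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<ise_api>
  <name>mdminfo</name>
  <api_version>2</api_version>
  <api_path>/ciscoise/</api_path>
  <redirect_url>https://mdm.example.com/enroll</redirect_url>
  <query_max_size>100</query_max_size>
  <messaging_support>true</messaging_support>
  <vendor>ExampleMDM</vendor>
  <product_name>Example Device Manager</product_name>
  <product_version>7.1</product_version>
</ise_api>
"""


def parse_mdminfo(body: bytes) -> dict:
    """Return the mdminfo fields as a dict, typed per the schema.

    Raises ValueError on a missing element or a badly typed value so that a
    misbehaving (or spoofed) MDM is rejected instead of registered silently.
    """
    # A size cap keeps an oversized response from tying up the parser.
    if len(body) > 64 * 1024:
        raise ValueError("mdminfo response too large")
    root = ET.fromstring(body)
    if root.tag != "ise_api":
        raise ValueError(f"unexpected root element {root.tag!r}")

    fields = {}
    for tag in REQUIRED:
        el = root.find(tag)
        if el is None or el.text is None:
            raise ValueError(f"missing element <{tag}>")
        fields[tag] = el.text.strip()

    # NameType is an enumeration whose only value is 'mdminfo'.
    if fields["name"] != "mdminfo":
        raise ValueError(f"name must be 'mdminfo', got {fields['name']!r}")
    fields["query_max_size"] = int(fields["query_max_size"])  # xs:integer
    if fields["messaging_support"] not in ("true", "false", "1", "0"):
        raise ValueError("messaging_support is not an xs:boolean")
    fields["messaging_support"] = fields["messaging_support"] in ("true", "1")
    return fields


def redirect_url_is_safe(fields: dict, configured_host: str) -> bool:
    """Constructed policy for the URL users will be redirected to.

    Accept only HTTPS URLs whose host is the MDM host configured by the
    administrator. Comparing the parsed hostname (not the raw string)
    defeats tricks such as https://mdm.example.com@attacker.example/.
    """
    url = urlparse(fields["redirect_url"])
    return url.scheme == "https" and url.hostname == configured_host


if __name__ == "__main__":
    info = parse_mdminfo(SAMPLE_RESPONSE)
    print(info)
    print("redirect ok:", redirect_url_is_safe(info, "mdm.example.com"))
```

ISE itself only exposes the MDM FQDN/IP and the API user in its configuration; the validation shown here is what one would want behind that form, and it is written against the schema on the slide rather than against any vendor's documented behaviour.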
ISE sees the XML
• ISE polls the MDM for compliance attributes
• API defined by the ISE 1.2 product group
• MDM partner integration requires API adoption
MDM dictionary attributes enable context for AuthZ conditions
MDM web redirection task enables context for AuthZ conditions
MDM-redirect Access Control List (ISE 1.2 MDM AuthZ profile)
• Permit DNS
• Permit ISE
• Permit MDM
• Deny all
The ACL generates the MDM redirect: traffic the ACL permits flows directly, everything else is redirected to the MDM portal.
• ACL configurations will vary. On a wireless LAN controller the permit lines are the traffic that bypasses redirection; on a Catalyst switch the redirect ACL has the opposite sense (permit means redirect), so the same list cannot be copied between platforms unchanged.
• Access to the Internet for a cloud-based MDM is REQUIRED, otherwise the redirected device can never reach the enrollment portal.
MDM AuthZ rules (figure): Active Directory user-group-based authorized access levels; device onboarding AuthZ rule
“Wireless_MAB” authorization rule: any wireless session that has authenticated only by its Layer 2 MAC address is redirected to Central Web Authentication on ISE.
Check MDM for registration status; check MDM for compliance status
Permit resource access based on Active Directory groups
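The rule set the slides describe is an ordered, first-match authorization policy: the MAB rule sends unknown wireless sessions to CWA, the MDM registration and compliance checks send identified users to the MDM redirect portal, and only a registered, compliant device reaches the Active Directory group rules. The following is an added example, not ISE's code, that models this ordering so the effect of each re-authorization can be seen. The attribute names in the comments (MDM:DeviceRegisterStatus, MDM:DeviceCompliantStatus), the AD group names, the profile names and the quarantine rule for an unreachable MDM are assumptions made for the example; the deck names only the MDM dictionary, not its attributes.

```python
"""First-match authorization for the MDM BYOD flow (added example, not ISE code)."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple


@dataclass
class Session:
    wireless: bool
    auth_method: str                       # "MAB" (MAC only) or "dot1x"
    username: Optional[str] = None         # set once CWA or 802.1X identified the user
    ad_groups: FrozenSet[str] = frozenset()
    mdm_reachable: bool = True             # could ISE query the MDM at all?
    mdm_registered: Optional[bool] = None  # MDM:DeviceRegisterStatus (assumed name)
    mdm_compliant: Optional[bool] = None   # MDM:DeviceCompliantStatus (assumed name)


Rule = Tuple[str, Callable[[Session], bool], str]

# Ordered like an ISE authorization policy: the first matching rule wins.
# Profile names are constructed for the example.
POLICY: List[Rule] = [
    # Slide 21: wireless session known only by MAC -> central web auth.
    ("Wireless_MAB",
     lambda s: s.wireless and s.auth_method == "MAB" and s.username is None,
     "CWA_Redirect"),
    # Assumed fail-closed rule: if the MDM cannot be asked, do not grant access.
    ("MDM_Unreachable",
     lambda s: s.username is not None and not s.mdm_reachable,
     "Quarantine"),
    # Slide 23: registration status. 'is not True' also catches None, so an
    # attribute the MDM never returned is treated as not registered.
    ("MDM_Not_Registered",
     lambda s: s.username is not None and s.mdm_registered is not True,
     "MDM_Redirect"),
    # Slide 23: compliance status (e.g. "Pin-Lock Not Set on device").
    ("MDM_Non_Compliant",
     lambda s: s.username is not None and s.mdm_compliant is not True,
     "MDM_Redirect"),
    # Slide 26: access level from Active Directory group membership.
    ("Engineering_Access", lambda s: "Engineering" in s.ad_groups, "Engineering_VLAN"),
    ("Employee_Access", lambda s: "Domain Users" in s.ad_groups, "Employee_VLAN"),
]


def authorize(s: Session) -> Tuple[str, str]:
    """Return (rule name, authorization profile) for the first matching rule."""
    for name, cond, profile in POLICY:
        if cond(s):
            return name, profile
    return "Default", "DenyAccess"


def walk_through() -> List[str]:
    """Constructed onboarding sequence; each step is one re-authorization."""
    s = Session(wireless=True, auth_method="MAB")
    steps = [authorize(s)[1]]                       # MAC only -> CWA portal
    s.username = "user1"                            # CWA succeeded, CoA re-auth
    s.ad_groups = frozenset({"Domain Users", "Engineering"})
    s.mdm_registered = False
    steps.append(authorize(s)[1])                   # not enrolled -> MDM portal
    s.mdm_registered, s.mdm_compliant = True, False  # enrolled, pin lock not set
    steps.append(authorize(s)[1])                   # non-compliant -> MDM portal
    s.mdm_compliant = True
    steps.append(authorize(s)[1])                   # compliant -> AD group decides
    return steps


if __name__ == "__main__":
    for step, profile in enumerate(walk_through(), 1):
        print(step, profile)
```

The order is the security property: if the Active Directory rules were placed above the MDM checks, a user in the right group would get the access VLAN on an unenrolled or non-compliant device and the MDM portal would never be reached.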
Summary
• Integrating industry MDM BYOD with Cisco’s solution
• ISE 1.2 checks the MDM for context
• MDM partners adopt the ISE 1.2 API
• Additional MDM onboarding step
• New authorization rules for the MDM redirect portal
• Active Directory determines access levels
References
• TAC BYOD Troubleshooting Forum: https://techzone.cisco.com
• Pre-recorded ISE 1.2 to MDM onboarding video demos: http://wwwin.cisco.com/tech/snsbu/prod-sols/ise/#sectionName=4
• Cisco BYOD CVD: http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/byoddg.html