Integrate SureMDM With Cisco ISE
The Cisco Identity Services Engine (ISE) provides integrated network protection through intent-based policies and compliance solutions. Integrating it with SureMDM helps keep the network secure while allowing business endpoints to connect to the organization's network. The integration also makes it possible to assign precise access privileges to endpoints under 42Gears management, in accordance with the compliance regulations established by your organization.
Cisco ISE integration is available only for Enterprise licenses.
Prerequisite
Enterprises should have a Cisco ISE server.
To integrate SureMDM with Cisco ISE, follow these steps:
Log into the SureMDM Web Console.
Navigate to Settings > Account Settings > Enterprise Integrations > Cisco ISE Integration.
On the Cisco ISE Integration page, select Enable Cisco ISE Integration.
Enter the desired Username and Password, and click Save.
This credential will be used to configure SureMDM in the Cisco ISE server.
Now, you need to generate a certificate to establish a secure connection between Cisco ISE and SureMDM servers.
- Generate a certificate (PEM file) for the desired SureMDM URL by running the following command on a Linux machine:
openssl s_client -showcerts -connect <SureMDM Server URL>:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > 42gearscertfile.pem
Change the URL to match the DNS name of your SureMDM server.
- Log into the Cisco ISE server and navigate to Administration > Systems > Certificates > Trusted Certificates and then upload the generated certificate (PEM file).
Ensure Validate Certificate Extension is not selected.
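The certificate command in this step saves whatever certificate the server presents, and leaves an empty file behind if the connection fails. The following shell functions are an added example, not part of the SureMDM or Cisco ISE tooling, for checking the PEM file before it is uploaded as a trusted certificate. The function names and the host `mdm.example.test` are made up for the illustration.

```shell
# Added example: check a fetched PEM file before trusting it in Cisco ISE.
# Usage: check_pem FILE HOST [MIN_DAYS]   (function names are hypothetical)
# Returns 0 if all checks pass, 1 on a failed check, 2 if FILE is unparseable.
check_pem() {
    pem=$1; host=$2; min_days=${3:-30}; status=0

    # 1. The fetch pipeline leaves an empty file behind when the connection
    #    fails, so first confirm the file parses as an X.509 certificate.
    if ! openssl x509 -in "$pem" -noout 2>/dev/null; then
        echo "FAIL: $pem is not a parseable certificate"
        return 2
    fi

    # 2. The certificate must cover the hostname that will be entered in ISE.
    if openssl x509 -in "$pem" -noout -checkhost "$host" |
            grep -q 'does match certificate'; then
        echo "ok:   certificate matches $host"
    else
        echo "FAIL: certificate does not match $host"; status=1
    fi

    # 3. It must stay valid for at least MIN_DAYS more days (-checkend takes seconds).
    if openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "ok:   valid for at least $min_days more days"
    else
        echo "FAIL: expires within $min_days days"; status=1
    fi

    # 4. Print the identity details to compare with a value obtained out of band.
    openssl x509 -in "$pem" -noout -subject -issuer -enddate
    echo "sha256 fingerprint: $(pem_fingerprint "$pem")"
    return $status
}

# SHA-256 fingerprint as colon-separated hex.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed sample input: a throwaway self-signed certificate for a made-up
# host, so the checks can be tried offline. Usage: make_sample_cert HOST DAYS OUT
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=$1" \
        -keyout /dev/null -out "$3" 2>/dev/null
}
```

For the real file, run `check_pem 42gearscertfile.pem <SureMDM Server URL>` and compare the printed fingerprint with one obtained from the SureMDM server through a separate channel.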
Navigate to Administration > Network Resources > External MDM to add SureMDM to Cisco ISE.
Click Add and fill in the following details:
- Name: Give a desired name
- Server Type: Select Mobile Device Manager from the drop-down list
- Authentication Type: Select Basic from the drop-down list
- Hostname/IP address: Enter the Domain Name
Domain name of your SureMDM console.
- Port: Enter the port number 443
- Instance Name: Enter the SureMDM Account ID (Navigate to SureMDM Web Console and click the Settings icon located at the top right of the screen to see the SureMDM Account ID)
Instance Name should follow the pattern: ciscoise/{Account ID}.
- Username/Password: Enter the credentials created in SureMDM. Refer to step 4.
- Description: Enter the description
- Polling Interval: Enter the polling interval
Polling Interval is the time taken for the SureMDM server to send data to the ISE server.
- Time Interval For Compliance Device ReAuth Query: Enter the time
This is the waiting time for the Cisco ISE server to provide results on the compliance status of devices.
- Status: Select Enabled
- Click Test Connection to check whether ISE can communicate with SureMDM.
Ensure that you get the connection successful message.
Click Submit to save the configuration.
On successful configuration, SureMDM will be listed under Administration > Network Resources > External MDM > MDM Servers.
Navigate to Administration > ISE Policy > Policy Sets.
Select Policy > Authorization Rules.
You can configure suitable policy sets based on business needs.
Policies are evaluated from top to bottom, so be sure of your authorization rules.
- At least one compliance authorization rule has to be deployed on the device for the device to be compliant.
- Enroll the device in SureMDM, deploy the suitable compliance jobs, and then try connecting to the enterprise endpoint. If the device is compliant, it will be granted access by the MDM solution.
The following screenshot shows the number of endpoints that are compliant as Active Endpoints and the number of endpoints that are non-compliant as Rejected Endpoints on the Cisco ISE server.