A new version of the Cisco Identity Services Engine (ISE) integration remedies an issue that was impacting its ability to interface with mobile device management (MDM) solutions like Jamf Pro for some customers. While Cisco had provided workarounds for the problem from the time it was identified, a new Jamf Pro release includes support for ISE 3.1, which makes it possible for Jamf and Cisco solutions to work together efficiently while keeping pace with Apple’s security and privacy measures.
The background: Cisco ISE and Jamf Pro
Jamf and Cisco have a history of providing customers with integrations that enhance their operations and make the most of their investment in IT services. One of the earliest of these is Jamf Pro’s integration with Cisco ISE, which provides secure network access to users and devices with a zero-touch strategy. IT admins can use Cisco ISE to determine status information such as which users are connected to the network and which applications are installed and running; it can also serve to automate policy enforcement.
When integrated with Jamf’s device management capabilities, Cisco ISE gathers data from Jamf Pro to verify which computers and mobile devices on the network are compliant with the organization’s standards. It can then determine the level of network access to grant to each device; for instance, if a non-managed device attempts to access resources on the network, the end user will receive a notification that the device must be enrolled first. The integration also allows Cisco ISE to send remote commands to computers, including passcode lock and wipe. This functionality empowers admins to strengthen their organization’s security posture and to identify, contain and remediate threats with enhanced speed and efficiency; the combined power of Jamf and Cisco works to promote a defense-in-depth strategy.
iOS 14 release introduces issues with MAC address randomization
When Apple released iOS 14 to the public in September 2020, one of the new features included in the upgrade was MAC address randomization. Media access control (MAC) addresses are unique identifiers assigned to network interfaces, and they are revealed whenever a device communicates over a network or even probes for a new one. With the widespread adoption of smartphones and other networked mobile devices, it became possible to track the physical location of a device by following its MAC address from one network to the next.
The obvious negative ramifications of this development for security and privacy led Apple to make its devices generate a random MAC address every time they join a new network, so that they can no longer be traced from one location to another. Other manufacturers have shared Apple’s concerns, and both Android 10 and Windows 10 have introduced MAC address randomization as well.
Unfortunately, this innovation caused problems for Cisco ISE and other network security tools that relied on the MAC address as a unique device identifier. Jamf Pro held the device’s actual hardware MAC address, so a device presenting a randomized MAC address could not be matched to its Jamf Pro record; in some cases the device would fail to be authenticated and granted access to network resources. A field notice published by Cisco around the time of the public release of iOS 14 detailed the problem, which did not impact all customers and could be circumvented by a relatively simple workaround. Still, the issue called for an adjustment to Cisco ISE that would allow it to look up devices without relying on a MAC address.
Cisco ISE 3.1 can now look up devices with GUID
As explained in the release notes for Cisco ISE 3.1, this new version employs a different approach to locating devices on a network. Admins can configure ISE to use a globally unique identifier (GUID) to identify devices when exchanging information about them with an MDM service. The Jamf Pro integration for Cisco ISE now allows all communications between the two solutions about devices to use the GUID instead of the MAC address. Because the GUID is tied to the managed device rather than to a network interface, this identification method also resolves lookups in environments where dongles and multiple network interfaces previously caused them to fail.
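As an added illustration (not Jamf or Cisco code), the following Python sketch contrasts an MDM inventory lookup keyed on MAC address with one keyed on GUID, showing why a randomized MAC never matches the hardware MAC held by the MDM while a GUID still does. The inventory records, MAC addresses and GUIDs are constructed sample data, and the three access outcomes are assumed names, not ISE policy values.

```python
import uuid
from typing import Optional

# Constructed sample inventory (not real Jamf Pro data): one record per managed device.
INVENTORY = [
    {"guid": "8d2b1c64-3a9e-4f0b-9c71-5e2d7a1b3c45",
     "hardware_mac": "a4:83:e7:12:34:56", "name": "mac-01", "compliant": True},
    {"guid": "f1e2d3c4-b5a6-4789-8abc-def012345678",
     "hardware_mac": "3c:22:fb:aa:bb:cc", "name": "iphone-02", "compliant": False},
]


def normalize_mac(mac: str) -> str:
    # Accept "AA-BB-..." or "aa:bb:..." and compare case-insensitively.
    return mac.lower().replace("-", ":")


def is_randomized_mac(mac: str) -> bool:
    """True when the locally administered (U/L) bit of the first octet is set.
    Randomized Wi-Fi MACs (iOS 14+, Android 10, Windows 10) set this bit, so a
    lookup keyed on such a value can never match a burned-in hardware MAC."""
    first_octet = int(normalize_mac(mac).split(":")[0], 16)
    return bool(first_octet & 0x02)


def lookup_by_mac(mac: str) -> Optional[dict]:
    mac = normalize_mac(mac)
    return next((d for d in INVENTORY if d["hardware_mac"] == mac), None)


def lookup_by_guid(guid: str) -> Optional[dict]:
    key = uuid.UUID(guid)  # tolerates braces, upper case and missing dashes
    return next((d for d in INVENTORY if uuid.UUID(d["guid"]) == key), None)


def access_decision(mac: str, guid: Optional[str] = None) -> str:
    """Return 'allow', 'quarantine' (managed but non-compliant) or 'enroll'
    (no MDM record found). When a GUID is supplied it is used for the lookup,
    mirroring the ISE 3.1 behaviour described above; otherwise the legacy
    MAC-keyed lookup is used, which fails for any randomized address."""
    record = lookup_by_guid(guid) if guid else lookup_by_mac(mac)
    if record is None:
        return "enroll"
    return "allow" if record["compliant"] else "quarantine"
```

Feeding a randomized MAC to the legacy path yields "enroll" for a device that is in fact managed and compliant, which is the spurious enrollment prompt and access failure the field notice describes; the same device looked up by GUID is allowed.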
This fix is welcome news to IT admins who want to take advantage of the combined power of Jamf and Cisco to manage device access and compliance. The rapid pace of Apple’s innovation pushes us all to improve our technology offerings and create solutions that offer the best balance of security and accessibility for customers.
What do our customers say about using Cisco ISE with Jamf Pro?
Curious about the combined value of Jamf Pro and Cisco ISE? Check out a few of the reviews on Jamf Marketplace about the integration:
Most of the organizations I worked for in the past years have used Cisco ISE. Integrating this with Jamf Pro was easy and gave us visibility into the endpoints. We also utilize it to authenticate our users based on their role/process, before granting them access to our network. - smpotter (2/25/22)
I used Cisco Identity Services Engine (ISE) in my previous organization for Mac endpoints. The integration with Jamf Pro was really simple. It gave us endpoint visibility, which is connected in our infra and zero trust access control, as per the defined rules and policies. We were using it to authenticate our users based on their role/process, before granting them access to our network. - surajitbapan (2/25/22)
We've used Cisco ISE for several years now. Based on the information we can gather from each device, we can then identify which wireless network the device can connect to and what services they have access to. We can also look at access history when necessary for disciplinary reasons. We ran into a few issues during the deployment, but once those were worked out the integration has been very beneficial in ensuring network security. - Ktrojano (2/28/22)
I am pleasantly surprised at how easy it was to integrate this with our macOS environment. - Tyler Verlato (10/31/21)
Find out further details about how Cisco Secure and Jamf work together.
Visit the Cisco ISE listing in Jamf Marketplace.