Introduction

In the era of mobile-first work environments, organizations increasingly rely on Mobile Device Management (MDM) solutions to secure and manage the growing number of mobile devices accessing their networks. Identity Services Engine (ISE) integrates seamlessly with MDM platforms to enforce security policies based on device posture, ensuring that only compliant, secure devices can connect to the corporate network. Configuring ISE policies for MDM enables dynamic, context-aware access controls that enhance security while supporting mobility. This post will explore configuring ISE policies for MDM integration, empowering your organization to efficiently manage mobile devices while protecting sensitive data and network resources.

Configure Meraki as an MDM/UEM Server

In this post I will walk through MDM integration with ISE. MDM is used to deploy, secure, monitor, integrate, and manage mobile devices in the workplace. The MDM software downloaded to the mobile device can control the distribution of applications and patches as well as data and configuration on the endpoint.

While there is a long list of MDM solutions you can use with ISE, I’ll be using Meraki Enterprise Mobility Management (EMM) since that’s the MDM solution I have access to. If you want a complete list of providers officially supported in the ISE ecosystem, click here.

I’ll build on my previous BYOD configuration, including downloading the Meraki MDM software. ISE will provide granular access to the endpoints, while the Meraki MDM will be the posture decision point.

In ISE, navigate to Administration>Certificates>Certificate Management>System Certificates.

Export the certificate currently being used for Admin services.

Export the certificate only.

In Meraki, navigate to Systems Manager>Manage>Settings

Click Add Profile

On the Add New Profile pop-up, choose Device profile (default) and click Continue.

I am going to name this profile as ISE-Default.

For the Scope, choose All devices.

Click on the Add Settings link.

Click SCEP Certificate.

We will name this SCEP Certificate as ISE_SCEP.

For the Subject Name, I will fill in CN=Owner email.

For the Subject alternative name, I will fill in uri=ID:MerakiSM:DeviceID:$SM Device ID.

I will keep the remaining settings at their defaults.

Click Save. 

Click Add Settings again.

Click on Certificate.

Name the certificate as ISE_Admin.

The CertStore will be System.

Browse to the ISE Admin certificate you downloaded and upload it.

Click Save.

Click Add settings again.

Click Wi-Fi Settings.

Add the name of your SSID.

From the Security tab, choose WPA/WPA2 Enterprise.

This will display the Enterprise Settings.

Check the TLS box under the Protocols tab.

Under the Authentication tab, select ISE_SCEP from the Identity Certificate drop-down.

Under the Trust tab, check the box next to your ISE certificate.

Click Save.

Navigate to Organization>Configure>MDM.

Scroll down to the ISE Settings.

Download the Current SCEP CA Certificate.

Integrating the MDM with ISE

To set up the integration with Meraki, ISE needs to trust the Meraki certificate. To download this certificate, open Firefox, navigate to https://dashboard.meraki.com, and log in.

After logging in, click the lock next to the URL in the address bar.

Click on More Information.

Click View Certificate.

Download the certificate and the chain.

In ISE, navigate to Administration>Certificates>Certificate Management>Trusted Certificates.

Click Import.

Import the Meraki certificate and its chain.

Click Submit.

Go back to the Meraki dashboard.

Navigate to Organization>Configure>MDM in the Meraki dashboard.

Scroll down to the ISE settings.

Copy the Setup URL, Username, and Password.

We will use this in our ISE configuration.

In ISE, navigate to Administration>Network Resource>External MDM.

Click Add.

I will name this MDM integration as Meraki.

The Server Type will remain as Mobile Device Manager.

For the Authentication Type, keep it as Basic.

Add n124.meraki.com as the Hostname/IP Address of the MDM server.

Use 443 as the port.

Add the username and password you copied from your Meraki dashboard for ISE.

Change the status to Enabled.

Click Test Connection.

After the connection is successful, you will have an option for Device Identifier.

Choose Cert – SAN URI-GUID since Meraki can now support the Cisco ISE MDM API Version 3.

Click Save.

You should now see your Meraki MDM added in the MDM list and enabled.

Configuring the Meraki MDM Policy

For my lab, I will configure a simple policy in Meraki.

I will require the download of the Meraki Systems Manager, and my mobile device requires a passcode.

Navigate to Systems Manager>Configure Policies

Click Add New.

I will name the new policy PASSCODE-ONLY and check the box next to Passcode Lock.

Navigate to Systems Manager>Configure>General

Scroll down to the ISE Settings portion of the page.

Click on Add a new security policy scope.

Under the Systems Manager security policy, I will pick PASSCODE-ONLY from the dropdown.

I will choose With ANY of as the Tag scope.

For the Tags, I will choose Android devices and iOS devices.

Click Save Changes.

For our mobile devices, I can define certain variables about the passcode in the mobile settings.

Navigate to Systems Manager>Manage>Settings.

Click Add Profile.

On the Add New Profile pop-up, choose Device profile (default) and click Continue.

I am going to name this profile as ISE-Lab.

For the Scope, select With ANY of the following tags.

For the Device Tags, select Android devices and iOS devices.

For Policy Tags, select the PASSCODE-ONLY – compliant devices.

Then, click on the Add Settings link.

Click on the iOS tab on top.

Click on the Passcode Policy.

For the minimum length, choose 6.

For the Auto-Lock, select 5.

Uncheck the box for Only lock work profile.

Click Save when completed.

Navigate to Systems Manager>Manage>Apps

Next, I will set the apps I want installed on my mobile devices.

Click Add app.

Click on Android.

Choose Play Store app and click Next.

Search for Cisco Network Setup Assistant and click on the app.

Scroll down to the bottom of the screen.

For Scope, select with ANY of the following tags.

For Policy tags, choose PASSCODE-ONLY – compliant devices.

Click Save.

You will now see your app in the Apps list.

Configuring the ISE Policy for MDM

Note: For brevity, we will be doing this ISE configuration assuming that the BYOD configurations and wireless ACLs detailed in this post or this post have already been configured.

In the Wireless Controller, navigate to Configuration>Security>URL Filters.

Edit the BYOD-URL-Filter.

Add *.meraki.com to the URL filter.

Click Apply to Device.

In ISE, navigate to Policy>Policy Elements>Results>Authorization>Authorization Profiles.

Click Add.

Name this Authorization Profile as MDM-NO-REG.

Check the box next to Web Redirection (CWA, MDM, NSP, CPP). 

Select the following:

  • Portal: MDM Redirect
  • ACL: BYOD_Flow
  • Value: MDM Portal (default)
  • MDM Server: Meraki

Click Submit.

Duplicate the MDM-NO-REG Authorization Profile and name the new profile MDM-NON-COMPLIANT.

Click Submit.

Navigate to Policy>Policy Sets

Expand the previously created Wireless Dot1x policy set.

Scroll down to the Authorization Policy.

Disable the previously created BYOD Registered Authorization Rule.

Click on the gear next to the rule and choose Insert new row above.

Create the following three rules:

  • Name: MDM Compliant and Registered
  • Conditions:
    • Network Access:EapAuthentication EQUALS EAP-TLS
    • MDM:DeviceRegisterStatus EQUALS Registered
    • MDM:DeviceCompliantStatus EQUALS Compliant
    • MDM:MDMServerReachable EQUALS Reachable
    • IdentityGroup:Name EQUALS Endpoint Identity Groups:RegisteredDevices
  • Result: Wireless_Employee

  • Name: MDM Non-Compliant
  • Conditions:
    • Network Access:EapAuthentication EQUALS EAP-TLS
    • MDM:DeviceRegisterStatus EQUALS Registered
    • MDM:DeviceCompliantStatus EQUALS NonCompliant
    • MDM:MDMServerReachable EQUALS Reachable
    • IdentityGroup:Name EQUALS Endpoint Identity Groups:RegisteredDevices
  • Result: MDM-NON-COMPLIANT

  • Name: MDM Unregistered
  • Conditions:
    • Network Access:EapAuthentication EQUALS EAP-TLS
    • MDM:DeviceRegisterStatus EQUALS UnRegistered
    • MDM:MDMServerReachable EQUALS Reachable
    • IdentityGroup:Name EQUALS Endpoint Identity Groups:RegisteredDevices
  • Result: MDM-NO-REG

The screenshot below shows what your Authorization Policy should look like.

Click Save.

The policy written like this will result in the following flow:

  1. The endpoint first onboards via BYOD and downloads a certificate.
  2. If the device is not registered with the Meraki MDM, the user is redirected to register when they try to access internal resources.
    Note: You can tweak and lock this down further, but I set it up just to block internal resources.
  3. If the endpoint is not compliant with the Meraki MDM policy, it is only given access to the MDM redirect.
  4. If the endpoint is compliant, it is given full employee access.
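To make the rule ordering concrete, here is an added Python model of the three authorization rules above. It is illustration code written for this post, not ISE code or a Cisco API. It assumes the ISE dictionary values NonCompliant and UnReachable for the non-compliant and server-down cases (the post itself only shows Registered, UnRegistered, Compliant and Reachable) and assumes the policy set's default rule is DenyAccess. The constructed sessions cover each outcome in the flow above plus the case the rules leave to the default rule: the MDM server being unreachable.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A session is the set of attributes ISE holds for an endpoint at authorization
# time: the EAP method, the endpoint identity group, and the MDM attributes
# returned by the Meraki lookup.
Session = Dict[str, str]


@dataclass
class Rule:
    name: str
    conditions: Dict[str, str]  # attribute -> required value; ANDed together
    result: str                 # authorization profile applied on a match

    def matches(self, session: Session) -> bool:
        return all(session.get(attr) == want
                   for attr, want in self.conditions.items())


# Conditions shared by all three rules from the post.
COMMON = {
    "Network Access:EapAuthentication": "EAP-TLS",
    "MDM:MDMServerReachable": "Reachable",
    "IdentityGroup:Name": "Endpoint Identity Groups:RegisteredDevices",
}

# The rules in the order they sit above the disabled BYOD Registered rule.
# "NonCompliant" is an assumed ISE dictionary value (not shown in the post).
RULES: List[Rule] = [
    Rule("MDM Compliant and Registered",
         {**COMMON, "MDM:DeviceRegisterStatus": "Registered",
          "MDM:DeviceCompliantStatus": "Compliant"},
         "Wireless_Employee"),
    Rule("MDM Non-Compliant",
         {**COMMON, "MDM:DeviceRegisterStatus": "Registered",
          "MDM:DeviceCompliantStatus": "NonCompliant"},
         "MDM-NON-COMPLIANT"),
    Rule("MDM Unregistered",
         {**COMMON, "MDM:DeviceRegisterStatus": "UnRegistered"},
         "MDM-NO-REG"),
]

# Assumption: the policy set's default authorization rule denies access.
DEFAULT = ("Default", "DenyAccess")


def authorize(session: Session, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """First-match evaluation, top to bottom, as ISE does for an authorization policy."""
    for rule in rules:
        if rule.matches(session):
            return rule.name, rule.result
    return DEFAULT


def make_session(register: str, compliant: str = "", reachable: str = "Reachable",
                 eap: str = "EAP-TLS",
                 group: str = "Endpoint Identity Groups:RegisteredDevices") -> Session:
    """Build a constructed session; an empty compliant status means ISE has none."""
    s = {
        "Network Access:EapAuthentication": eap,
        "IdentityGroup:Name": group,
        "MDM:MDMServerReachable": reachable,
        "MDM:DeviceRegisterStatus": register,
    }
    if compliant:
        s["MDM:DeviceCompliantStatus"] = compliant
    return s


# Constructed sessions: one per outcome in the flow, plus the MDM-down case
# ("UnReachable" is an assumed dictionary value) and a non-EAP-TLS session.
CASES = {
    "compliant":    make_session("Registered", "Compliant"),
    "noncompliant": make_session("Registered", "NonCompliant"),
    "unregistered": make_session("UnRegistered"),
    "mdm_down":     make_session("Registered", "Compliant", reachable="UnReachable"),
    "peap_user":    make_session("Registered", "Compliant", eap="PEAP"),
}

if __name__ == "__main__":
    for label, sess in CASES.items():
        rule, profile = authorize(sess)
        print(f"{label:13s} -> {rule:30s} {profile}")
```

The mdm_down case is the one worth pausing on: because every rule requires MDM:MDMServerReachable EQUALS Reachable, a Meraki outage pushes even a compliant, registered device to the default rule. Decide deliberately whether that should be a deny or a limited-access profile, and check it in the ISE live logs rather than discovering it during an outage. The peap_user case simply shows that anything not authenticated with EAP-TLS falls past these three rules to whatever remains in the policy set.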

Note: My policy is to use the default BYOD portal for the BYOD rules and put all registered devices in the pre-created Registered Devices group. If you want to change the look of the portal or the group that the endpoints end up in after registration, you can navigate to Administration>Device Portal Management>BYOD to change it there under the portal settings. Also, you could skip the BYOD process in your deployment or have certificates issued through Meraki. I went with utilizing my existing BYOD policy, but there are easier ways to start your policy from scratch.

MDM User Flow

This is how the flow will appear to the end user.

Step 1: The user gets the BYOD splash page and starts the BYOD onboarding process

Step 2 – User can enter details about this device they are registering

Step 3 – User is guided to download the Network Assistant Wizard from the Google Marketplace (Android Only)

Step 4 – User downloads the Network Setup Assistant (One time only)

Step 5 – The Network Assistant downloads the certificate from ISE via SCEP and reconnects them to the network (One time only)

Step 6 – User is not registered with MDM so they are guided to a Meraki Systems Manager page to register

Step 7 – The user is guided to download the Meraki Systems Manager from the Google Marketplace

Step 8 – The user downloads the Meraki Systems Manager

Step 9 – After the user downloads the Systems Manager, they register it to the Meraki cloud and it assesses whether their device is compliant with the policy or not. If it is compliant, they are given access to internal resources as an employee. If it is not compliant, they are given only internet access so they can’t access proprietary information or potentially create a security risk for the internal network