How to integrate Microsoft SCCM with ISE 2.1
Integrate ISE with SCCM so that ISE can retrieve compliance information from SCCM server and leverage the information to grant/deny network access to the user’s Windows device.
SCCM Use cases
NOTE: ISE 1.4+ also supports SCCM integration for Patch Management use cases, which is a different workflow.
SCCM Integration supports the following use cases for managed devices:
1. Managed Device which is NOT yet registered with SCCM Server
2. Managed Device which is registered with SCCM Server but NON-Compliant
3. Managed Device which is registered with SCCM Server and Compliant
What's different from ISE 1.4?
ISE 1.4 supports integration with multiple patch management systems and integrates with SCCM as a Patch Management Server, i.e. end-user (agent) driven flows: the AnyConnect agent works with the SCCM Agent using OPSWAT libraries.
Cisco ISE and Microsoft SCCM Configuration Guide: https://communities.cisco.com/docs/DOC-64013
ISE 2.1 integrates with SCCM using the MDM flows, i.e. ISE communicates with the SCCM Server over WMI to retrieve the current attributes for a device.
RECAP: Patch Management Support for ISE 1.4
Patch Management Flow -- SCCM Example
[Diagram: Host (with SCCM Agent) -- NAD (wired or wireless) -- Cisco ISE (PSN; Session Directory/MnT) -- Feed Server; SCCM (Microsoft System Center Configuration Manager) alongside]
• Link Up; client authenticates to the NAD; RADIUS server = ISE
• NAD sends Accounting Start and Accounting Update [Framed-IP] to the PSN; PSN returns Accounting Responses and records Syslog: Accounting Start / Accounting Update in MnT
• ISE gets Posture Updates from the Feed Server
• SCCM Agent checks are based on OPSWAT libraries; the host sends a Posture Report to ISE
• ISE checks the Posture Policy; if non-compliant, it enforces policy (CoA etc.) and the NAD enforces the network policy
RECAP: Patch Management Support for ISE 1.4
[Diagram: Host (with SCCM Agent) -- NAD (wired or wireless) -- Cisco ISE; SCCM (Microsoft System Center Configuration Manager) alongside]
• Agent-to-ISE communication only
• No communication between ISE and the SCCM Server
• "How do I know SCCM status?" -- only through the SCCM Agent on the host
SCCM Integration flow with ISE 2.1
1. Managed Device which is NOT yet registered with SCCM Server
[Diagram: SCCM Managed Device -- Cisco ISE -- SCCM (Microsoft System Center Configuration Manager), ISE to SCCM over WMI]
• Device connects to the network; RADIUS server = ISE
• ISE checks device registration with SCCM (WMI query)
• SCCM Server reports Device NOT Registered (unknown) = 0
• ISE updates the compliant status and lastCheckinTimeStamp of the device in the Endpoint store
• ISE issues CoA
• ISE displays the message "Device NOT Registered" to the user
• Allow/deny access based on ISE Authorization Policy (Logical Profile, Authz Policy)
SCCM Integration flow with ISE 2.1
2. Managed Device which is NON-Compliant
[Diagram: SCCM Managed Device -- Cisco ISE -- SCCM (Microsoft System Center Configuration Manager), ISE to SCCM over WMI]
• Device connects to the network; RADIUS server = ISE
• ISE checks Device Compliant Status AND DaysSinceLastCheckin with SCCM (WMI query)
• SCCM reports "Device is Non-Compliant" = 2 AND "DaysSinceLastCheckin > X"
• ISE updates "compliant status" and "lastCheckinTimeStamp" of the device in the Endpoint store
• Compliant policy failed = ISE issues CoA AND redirects to the Non-Compliant page on ISE
• Allow/deny access based on ISE Authorization Policy (Logical Profile, Authz Policy)
SCCM Integration flow with ISE 2.1
3. Managed Device which is registered with SCCM Server and Compliant
[Diagram: SCCM Managed Device -- Cisco ISE -- SCCM (Microsoft System Center Configuration Manager), ISE to SCCM over WMI]
• Device connects to the network; RADIUS server = ISE
• ISE checks Device Compliant Status AND DaysSinceLastCheckin with SCCM (WMI query)
• SCCM reports "Device is Compliant" = 1 AND "DaysSinceLastCheckin < X"
• ISE updates "compliant status" and "lastCheckinTimeStamp" of the device in the Endpoint store
• Compliant policy passed = ISE issues CoA AND redirects to the Compliant page on ISE
• Allow access based on ISE Authorization Policy (Logical Profile, Authz Policy)
Adding SCCM Server ISE 2.1
New MDM Attributes in ISE for SCCM Server
1. MDM.Server type: MDM (MobileDeviceManager), DM (DeviceManager)
2. MDM.lastCheckinTimeStamp: last logon/check-in timestamp for the device on SCCM
3. MDM.DaysSinceLastCheckin: number of days since the user last checked in or synced the device with SCCM. Min value = 1, max value = 365; if the user specifies a value outside this range an error is displayed.
4. MDM.UserNotified: Yes/No. Indicates whether the user has been notified (about the device not being registered/not compliant) and acknowledged the message.
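The three use-case flows and the MDM.* attributes above describe one decision procedure: query SCCM, write the result into the Endpoint store, issue CoA, and let the authorization policy act on the outcome. The following Python models that procedure end to end. It is an added example, not Cisco's or ISE's code: the SccmRecord class stands in for the WMI query result, the authorization results and logical-profile names are constructed, and one generalization is an assumption, namely that a device SCCM reports as compliant (1) but whose check-in is older than the threshold fails the compliance policy just as a non-compliant (2) device does, since the flows check status AND DaysSinceLastCheckin together.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Compliance values reported by SCCM in the three use-case flows
NOT_REGISTERED = 0   # device unknown to SCCM
COMPLIANT = 1
NON_COMPLIANT = 2

MIN_DAYS, MAX_DAYS = 1, 365   # allowed range for the DaysSinceLastCheckin threshold


@dataclass
class SccmRecord:
    """Constructed stand-in for what the WMI query to SCCM returns."""
    status: int
    last_checkin: Optional[datetime]   # None when SCCM has never seen the device


@dataclass
class Endpoint:
    """Fields ISE writes back to the Endpoint store after the query."""
    mac: str
    compliant_status: int
    last_checkin_timestamp: Optional[datetime]
    days_since_last_checkin: Optional[int]
    user_notified: str = "No"          # MDM.UserNotified


def validate_threshold(days: int) -> int:
    """Reject a threshold outside 1..365, as the ISE UI does."""
    if not MIN_DAYS <= days <= MAX_DAYS:
        raise ValueError(f"DaysSinceLastCheckin must be between {MIN_DAYS} and {MAX_DAYS}")
    return days


def days_since(last_checkin: Optional[datetime], now: datetime) -> Optional[int]:
    """Whole days since the last SCCM check-in; None if the device never checked in."""
    if last_checkin is None:
        return None
    return (now - last_checkin).days


def evaluate(mac: str, record: SccmRecord, threshold_days: int, now: datetime):
    """Apply the three flows; return (endpoint, outcome, ISE-side action)."""
    threshold = validate_threshold(threshold_days)
    age = days_since(record.last_checkin, now)
    # Common step: update the Endpoint store (CoA is issued after this in every flow)
    endpoint = Endpoint(mac, record.status, record.last_checkin, age)

    if record.status == NOT_REGISTERED:                                  # use case 1
        endpoint.user_notified = "Yes"      # user is shown "Device NOT Registered"
        return endpoint, "not_registered", "display: Device NOT Registered"
    if record.status == COMPLIANT and age is not None and age < threshold:   # use case 3
        return endpoint, "compliant", "redirect: Compliant page"
    # use case 2, generalized (assumption): non-compliant status, or a compliant
    # status whose check-in is older than the threshold, both fail the policy
    endpoint.user_notified = "Yes"
    return endpoint, "non_compliant", "redirect: Non-Compliant page"


# Constructed authorization policy (result names are assumptions, not ISE defaults)
AUTHZ_POLICY = {
    "compliant": "PermitAccess",
    "non_compliant": "Quarantine_Redirect",
    "not_registered": "Quarantine_Redirect",
}


def authorize(mac: str, record: SccmRecord, threshold_days: int, now: datetime):
    endpoint, outcome, action = evaluate(mac, record, threshold_days, now)
    return AUTHZ_POLICY[outcome], outcome, action, endpoint


def run_samples(threshold_days: int = 30):
    """Constructed inputs: one per use case, plus a compliant device with a stale check-in."""
    now = datetime(2016, 6, 1, tzinfo=timezone.utc)       # constructed clock
    samples = {
        "00:11:22:33:44:01": SccmRecord(NOT_REGISTERED, None),
        "00:11:22:33:44:02": SccmRecord(NON_COMPLIANT, now - timedelta(days=2)),
        "00:11:22:33:44:03": SccmRecord(COMPLIANT, now - timedelta(days=3)),
        "00:11:22:33:44:04": SccmRecord(COMPLIANT, now - timedelta(days=40)),
    }
    results = {}
    for mac, rec in samples.items():
        result, outcome, action, ep = authorize(mac, rec, threshold_days, now)
        results[mac] = (result, outcome, ep.days_since_last_checkin)
    return results


if __name__ == "__main__":
    for mac, (result, outcome, days) in run_samples().items():
        print(f"{mac}: {outcome:14s} days={days} -> {result}")
```

Running the block prints one line per constructed device; the fourth device shows why the check-in age matters: SCCM still calls it compliant, but a 40-day-old check-in against a 30-day threshold means the compliance data is stale, so the example treats it as a policy failure rather than granting access on outdated information.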
ISE 2.1
Sample Logical Profile ISE 2.1
What about Microsoft SCCM Configurations? https://communities.cisco.com/docs/DOC-66936
• Pre-reqs
• Roles and Permissions
• Registry Settings
SCCM Integration Design Considerations
MDM Compliance job
• The MDM Compliance polling job (existing in ISE 2.0) would not run for DM/SCCM servers.
• This is for performance reasons: WMI does not support retrieving the list of non-compliant devices in batches.
• The polling interval option will be hidden in the external MDM UI.
MDM Heartbeat job
• The MDM heartbeat job (existing in ISE 2.0) would be enhanced to poll and check connectivity with SCCM servers.
• As with MDM servers, alarms would be raised if the SCCM server is not reachable.
• The heartbeat polling interval for SCCM will be every 5 minutes (same as MDM).
SCCM Notifications: notifications for the Device Manager Server