For all wired, wireless, and virtual private network (VPN) deployment scenarios, Cisco Identity Services Engine (ISE) will no longer be able to obtain registration or compliance information from the Microsoft Intune Mobile Device Management (MDM) integration via Media Access Control-based (MAC) or Unique Device Identifier-based (UDID) queries.
Microsoft will deprecate the Intune "NAC service" API on December 31, 2022. This API supports MAC address and UDID-based queries. Once deprecated, all queries from ISE to Intune will need to utilize Microsoft’s Compliance API, which is based on Global Unique Identifier (GUID) as the unique identifier.

ISE integrates with Microsoft Intune to determine corporate asset ownership or registration as well as security compliance. Prior to ISE 3.1, integration was done using the Cisco ISE MDM APIv2 via the Intune NAC service, which used the endpoint’s MAC address or UDID (in the case of VPN flows where MAC address was not available) as the means of endpoint identification. ISE 3.1 introduced MDM APIv3, which also supports the use of a GUID for endpoint identification during MDM queries. Microsoft Intune supports this with their Compliance API.

In order for ISE to be able to query an MDM using GUID rather than MAC address, a deployment must:

A. Be running ISE 3.1 or above.
B. Be configured for MDM managed endpoints to authenticate to the network using a certificate-based authentication mechanism, where the GUID is embedded in the certificate.
C. Not rely on MDM integration for VPN flows, since MAC address and UDID-based queries will not be supported after December 31, 2022.

As some operating system vendors begin to limit the ability of applications to access MAC addresses, it is becoming more challenging for MDM vendors to collect and rely on MAC addresses on these platforms. As a result, Microsoft has decided to stop the use of MAC addresses across all operating systems and will consequently decommission the Intune NAC service on December 31, 2022. From that point onward, Microsoft will only support queries using the Compliance API using GUIDs.
In order to continue using the Microsoft Intune MDM integration, please perform the following:

1. Upgrade the ISE software to ISE Release 3.1 or later.
2. Configure the use of MDM APIv3 Microsoft Intune integration, including deploying certificates to all Intune registered endpoints, and ensure those certificates are used for network authentication. For further information, please see the Integrate MDM and UEM Servers with Cisco ISE Configuration Guide.
3. For VPN-based endpoints, a workaround does not exist yet. It is suggested to use ISE posture to check for security compliance as an alternative to verification against Intune. Please refer to the ISE Posture Prescriptive Deployment Guide for further information. If you also use another MDM, you may be able to integrate it with Cisco ISE with MAC addresses as the basis for the integration. Please refer to the ISE Administrator Guide for further information.
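Requirement B above and step 2 of the procedure both hinge on one thing an administrator can verify before the cut-off date: every Intune-managed endpoint's network-authentication certificate must actually carry the device GUID. The following Go program is an added readiness check written for this notice; it is not Cisco's or Microsoft's code and does not reproduce how ISE or the Compliance API parse certificates. It assumes the GUID appears either as the Subject CN or inside a SAN URI (the `urn:intune:device:<guid>` form used in the sample is a hypothetical layout, not a documented Intune format), generates self-signed sample certificates inline so it runs offline, and flags certificates that would still depend on MAC/UDID lookup because no GUID is present.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"regexp"
	"strings"
	"time"
)

// Canonical 8-4-4-4-12 hexadecimal GUID, anchored (whole CN) and unanchored (inside a URI).
var (
	guidExactRE = regexp.MustCompile(`^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$`)
	guidFindRE  = regexp.MustCompile(`[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}`)
)

// ExtractDeviceGUID returns the device GUID embedded in the certificate, if any.
// Assumption of this example: the GUID is the Subject CN or is contained in a SAN URI.
func ExtractDeviceGUID(cert *x509.Certificate) (string, bool) {
	if guidExactRE.MatchString(cert.Subject.CommonName) {
		return strings.ToLower(cert.Subject.CommonName), true
	}
	for _, u := range cert.URIs {
		if m := guidFindRE.FindString(u.String()); m != "" {
			return strings.ToLower(m), true
		}
	}
	return "", false
}

// AuditCertificate parses a PEM-encoded certificate and reports whether it is
// GUID-ready. A false result means ISE would still need a MAC/UDID-based query.
func AuditCertificate(pemBytes []byte) (string, bool, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", false, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", false, err
	}
	guid, ok := ExtractDeviceGUID(cert)
	return guid, ok, nil
}

// MakeTestCert builds a self-signed client-auth certificate with the given CN and
// optional SAN URI. It exists only to construct sample input for the audit.
func MakeTestCert(cn, sanURI string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if sanURI != "" {
		u, err := url.Parse(sanURI)
		if err != nil {
			return nil, err
		}
		tmpl.URIs = []*url.URL{u}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	guid := "3f2504e0-4f89-11d3-9a0c-0305e82c3301" // constructed sample GUID
	samples := []struct{ name, cn, san string }{
		{"cn-guid", guid, ""},                                    // GUID in Subject CN
		{"san-guid", "corp-laptop-17", "urn:intune:device:" + guid}, // GUID in SAN URI (hypothetical form)
		{"legacy", "corp-laptop-17", ""},                          // no GUID: still MAC/UDID-dependent
	}
	for _, s := range samples {
		p, err := MakeTestCert(s.cn, s.san)
		if err != nil {
			fmt.Println(s.name, "generate error:", err)
			continue
		}
		g, ok, err := AuditCertificate(p)
		fmt.Printf("%-9s guid-ready=%-5v guid=%q err=%v\n", s.name, ok, g, err)
	}
}
```

Run it against exported endpoint certificates instead of the generated samples by feeding their PEM bytes to `AuditCertificate`; any certificate reported as not GUID-ready identifies an endpoint that will show as "not-registered" once the NAC service is decommissioned.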
For ISE versions 3.0 or below, or any ISE 3.1 or above deployment using MDM APIv2 Microsoft Intune integration, the API queries to Intune will fail, Intune managed endpoints will appear as "not-registered", and ISE will trigger an alarm indicating the Intune API is unreachable.