2
At-A-Glance Cisco ISE – MDM Partner Integration © 2013 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) Cisco Partner Confidential Overview The advent of mobile devices in the workforce, such as smartphones and tablets, has created a new class of endpoints that must be secured. This is especially true of non-managed “bring your own device” (BYOD) mobile devices that end users personally own but use to access the enterprise WLAN network. Part of the mobile device security equation is enabling security posture validation and access policy enforcement for mobile endpoints. The scenario for mobile endpoints is similar to that of traditional computing endpoints — assess the security posture of the endpoint, then assign specific network access based on the results — although the posture attributes assessed in mobile endpoints are different. More importantly, given the high probability of losing a mobile device, it is critical to have PIN-lock or data disk encryption configured for these devices. Integration between Cisco Identity Services Engine (ISE) and Mobile Device Management (MDM) platforms provides necessary insight into the posture of mobile devices so that companies can enforce appropriate network access policies as required by their IT organizations. Solution Highlights & Components The Cisco ISE and MDM solution comprises Cisco ISE with an Advanced Feature License and an MDM platform from one of our integration partners (see list at end of this document). Integration enables posture compliance assessment and network access control of mobile endpoints attempting to access the network. The solution also performs ongoing posture checks to ensure compliance and the correct network access level is maintained. The following are the integration steps: Cisco ISE profiles devices as they attempt to access the network. This discovery process provides IT professionals the first step of network visibility. Mobile devices are subjected by Cisco ISE to security posture assessment as specified by IT policy. Cisco ISE queries for posture information associated with mobile devices as collected by the MDM partner platforms. Cisco ISE enforces access policy based on the posture status reported by the MDM partner platforms. Access policy may be constructed on specific attributes within Cisco ISE or at a global level of “in compliance” or “not in compliance” within the respective MDM partner platform. End users can manage the status of their devices via the Cisco ISE “My Device” portal. Through this portal, end users can lock, suspend, or un-enroll devices if they lose or replace them. Cisco ISE can perform these functions natively or by integration with the MDM partner platforms. Specific posture attributes collected by the MDM partner platforms for compliance and access policy enforcement in Cisco ISE are: Is the mobile device registered with MDM? Does the mobile device have disk encryption enabled? Does the device have PIN-lock enabled? Has the device been jail-broken/rooted? Global posture compliance decisions may also be made by the MDM platform instead of Cisco ISE. In this scenario, additional attributes such as blacklisted applications or the presence of an enterprise data container may be checked. The MDM platform reports to Cisco ISE if a device is in compliance or not and then Cisco ISE enforces the appropriate network access policy. Use Cases Only allow MDM-enrolled devices on the network — Cisco ISE queries MDM to check if a device has been enrolled before allowing network access. Un-enrolled devices can be diverted to an enrollment portal. Protect against data loss on mobile devices — Cisco ISE queries MDM to ensure PIN-lock and disk encryption are enabled so that if the device is lost, data is not easily accessed. Out of Compliance devices may be diverted to a portal delivering the non-compliance explanation to the end user. Ensure devices accessing the network conform to acceptable use policies — Cisco ISE queries MDM to identify if a device has been jail-broken or rooted. When end users have root access to a mobile device, the device is likely in violation of the manufacturer’s acceptable use policies and increases the exposure to malware infections. Devices out of compliance may be diverted to a portal delivering the noncompliance explanation to the end user. Ensure required applications are installed and blacklisted applications are not installed — MDM partner platforms can perform these application compliance checks and then report a global “in compliance” or “not in compliance” result to Cisco ISE, upon which ISE can enforce the appropriate network access policy. Devices out of compliance may be diverted to a portal delivering the noncompliance explanation to the end user. Benefits Delivers granular policy controls that enable secure network access for mobile devices. Single point of network access policy control converges mobile device network access policy with the broader network access footprint delivered by Cisco ISE. Translates the deep mobile device insight of MDM into network access policy via Cisco ISE.

at_a_glance_c45-726284.pdf

Embed Size (px)

Citation preview

  • At-A-Glance

    Cisco ISE MDM Partner Integration

    2013 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

    Cis

    co P

    artn

    er C

    onfid

    entia

    l OverviewThe advent of mobile devices in the workforce, such as smartphones and tablets, has created a new class of endpoints that must be secured. This is especially true of non-managed bring your own device (BYOD) mobile devices that end users personally own but use to access the enterprise WLAN network. Part of the mobile device security equation is enabling security posture validation and access policy enforcement for mobile endpoints.

    The scenario for mobile endpoints is similar to that of traditional computing endpoints assess the security posture of the endpoint, then assign specific network access based on the results although the posture attributes assessed in mobile endpoints are different. More importantly, given the high probability of losing a mobile device, it is critical to have PIN-lock or data disk encryption configured for these devices.

    Integration between Cisco Identity Services Engine (ISE) and Mobile Device Management (MDM) platforms provides necessary insight into the posture of mobile devices so that companies can enforce appropriate network access policies as required by their IT organizations.

    Solution Highlights & ComponentsThe Cisco ISE and MDM solution comprises Cisco ISE with an Advanced Feature License and an MDM platform from one of our integration partners (see list at end of this document). Integration enables posture compliance assessment and network access control of mobile endpoints attempting to access the network. The solution also performs ongoing posture checks to ensure compliance and the correct network access level is maintained. The following are the integration steps:

    Cisco ISE profiles devices as they attempt to access the network. This discovery process provides IT professionals the first step of network visibility.

    Mobile devices are subjected by Cisco ISE to security posture assessment as specified by IT policy.

    Cisco ISE queries for posture information associated with mobile devices as collected by the MDM partner platforms.

    Cisco ISE enforces access policy based on the posture status reported by the MDM partner platforms. Access policy may be constructed on specific attributes within Cisco ISE or at a global level of in compliance or not in compliance within the respective MDM partner platform.

    End users can manage the status of their devices via the Cisco ISE My Device portal. Through this portal, end users can lock, suspend, or un-enroll devices if they lose or replace them. Cisco ISE can perform these functions natively or by integration with the MDM partner platforms.

    Specific posture attributes collected by the MDM partner platforms for compliance and access policy enforcement in Cisco ISE are:

    Is the mobile device registered with MDM?

    Does the mobile device have disk encryption enabled?

    Does the device have PIN-lock enabled?

    Has the device been jail-broken/rooted?

    Global posture compliance decisions may also be made by the MDM platform instead of Cisco ISE. In this scenario, additional attributes such as blacklisted applications or the presence of an enterprise data container may be checked. The MDM platform reports to Cisco ISE if a device is in compliance or not and then Cisco ISE enforces the appropriate network access policy.

    Use Cases Only allow MDM-enrolled devices on the network

    Cisco ISE queries MDM to check if a device has been enrolled before allowing network access. Un-enrolled devices can be diverted to an enrollment portal.

    Protect against data loss on mobile devices Cisco ISE queries MDM to ensure PIN-lock and disk encryption are enabled so that if the device is lost, data is not easily accessed. Out of Compliance devices may be diverted to a portal delivering the non-compliance explanation to the end user.

    Ensure devices accessing the network conform to acceptable use policies Cisco ISE queries MDM to identify if a device has been jail-broken or rooted. When end users have root access to a mobile device, the device is likely in violation of the manufacturers acceptable use policies and increases the exposure to malware infections. Devices out of compliance may be diverted to a portal delivering the noncompliance explanation to the end user.

    Ensure required applications are installed and blacklisted applications are not installed MDM partner platforms can perform these application compliance checks and then report a global in compliance or not in compliance result to Cisco ISE, upon which ISE can enforce the appropriate network access policy. Devices out of compliance may be diverted to a portal delivering the noncompliance explanation to the end user.

    Benefits Delivers granular policy controls that enable secure

    network access for mobile devices. Single point of network access policy control converges

    mobile device network access policy with the broader network access footprint delivered by Cisco ISE.

    Translates the deep mobile device insight of MDM into network access policy via Cisco ISE.

  • At-A-Glance

    2013 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) C45-726284-04 09/13

    Cis

    co P

    artn

    er C

    onfid

    entia

    l

    Supported MDM PartnersAs of Cisco ISE Release 1.2:

    AirWatch Fiberlink MobileIron Citrix

    Good Technology SAP Afaria Symantec

    For More InformationAdditional product information regarding each of MDM partner may be found on the Cisco Developer Network Marketplace site at: http://marketplace.cisco.com/catalog.

    AirWatch Citrix Fiberlink Good Technology MobileIron SAP Afaria SymantecISE Release Version 1.2 1.2 1.2 1.2 1.2 1.2 1.2

    MDM Vendor Release Version 6.2 8.0 April 2013 in MaaS360 2.3 (2.1 for clients) 5.5 7 SP3 Symantec App Center 4.1.10

    Link to MDM Vendor Collateral on CDN Site http://marketplace.cisco.com/catalog/companies/airwatch

    http://marketplace.cisco.com/catalog/products/4062

    http://marketplace.cisco.com/catalog/companies/fiberlink

    http://marketplace.cisco.com/catalog/companies/good

    http://marketplace.cisco.com/catalog/companies/mobileiron

    https://marketplace.cisco.com/catalog/products/4058

    http://marketplace.cisco.com/catalog/companies/symantec

    Posture/Compliance Enforcement

    Device Registered with MDM YES YES YES YES YES YES YES

    Device in Overall Compliance YES YES YES YES YES YES YES

    Disk Encryption On YES YES YES YES YES YES YES

    PIN Lock On YES YES YES YES YES YES YES

    Jail-Broken/Root Access YES YES YES YES YES YES YES

    Scheduled Periodic Compliance Re-Check YES YES YES YES YES YES YES

    On-Demand Compliance Re-Check YES YES YES YES YES YES YES

    Compliance Failure HandlingEnd-User Compliance Failure Reason Messages YES YES YES YES YES YES YES

    Device ActionsRemote Lock/Suspend YES YES YES YES YES YES YES

    Remote Full Device Wipe YES YES YES YES YES YES YES

    Remote Corporate Data-Only Wipe YES YES YES YES YES YES YES

    Device Info CollectedManufacturer YES YES YES YES YES YES YES

    Model YES YES YES YES YES YES YES

    Phone IMEI YES YES YES YES YES YES YES

    Serial # YES YES YES YES YES YES YES

    OS Version YES YES YES YES YES YES YES

    Phone # YES YES YES YES YES YES YES

    MAC Address YES YES YES YES YES YES YES

    Reporting/NotificationIntegrated in Cisco ISE Mobile Device Report YES YES YES YES YES YES YES

    Feature & Release Summary


book1631.pdf pdf

book1631.pdf pdf

Documents
pdf cp1cp2.pdf

pdf cp1cp2.pdf

Documents
PDF (Stumpf_hj_1960.pdf)

PDF (Stumpf_hj_1960.pdf)

Documents
Pdf ed174 pdf

Pdf ed174 pdf

Documents
Pdf ed170 pdf

Pdf ed170 pdf

Documents
PDF Compressor Pro - core.ac.uk · PDF Compressor Pro. PDF Compressor Pro. PDF Compressor Pro. PDF Compressor Pro. PDF Compressor Pro. PDF Compressor Pro. PDF Compressor Pro. PDF

PDF Compressor Pro - core.ac.uk · PDF Compressor Pro. PDF Compressor Pro. PDF Compressor Pro. PDF Compressor Pro. PDF Compressor Pro. PDF Compressor Pro. PDF Compressor Pro. PDF

Documents
Pdf ed163 pdf

Pdf ed163 pdf

Documents
pdf Documento PDF

pdf Documento PDF

Documents
PDF version PDF

PDF version PDF

Documents
Pdf joni pdf

Pdf joni pdf

Documents
strategia2014.pdf pdf

strategia2014.pdf pdf

Documents
ketab4pdf.blogspotن الحرب سون تزو #فور_ريد.pdf · PDF ketab4pdf.blogspot.com PDF ketab4pdf.blogspot.com PDF ketab4pdf.blogspot.com PDF ketab4pdf.blogspot.com PDF

ketab4pdf.blogspotن الحرب سون تزو #فور_ريد.pdf · PDF ketab4pdf.blogspot.com PDF ketab4pdf.blogspot.com PDF ketab4pdf.blogspot.com PDF ketab4pdf.blogspot.com PDF

Documents
PDF (07_Chapter_7.pdf)

PDF (07_Chapter_7.pdf)

Documents
PDF (Hunt_t_1964.pdf)

PDF (Hunt_t_1964.pdf)

Documents
ELEKTRICNI_STROJI_1.pdf .pdf

ELEKTRICNI_STROJI_1.pdf .pdf

Documents
Resumen PDF Resumen PDF Resumen PDF Resumen PDF Resumen PDF Resumen PDF Resumen PDF

Resumen PDF Resumen PDF Resumen PDF Resumen PDF Resumen PDF Resumen PDF Resumen PDF

Documents
boi17{lai ae nlclolf(pdf) 01 pdf pdf pdf pdf pdf pdf p f 26 i

boi17{lai ae nlclolf(pdf) 01 pdf pdf pdf pdf pdf pdf p f 26 i

Documents
2015_ReporteLaboratorio4_.pdf .pdf

2015_ReporteLaboratorio4_.pdf .pdf

Documents
Biodecodificaciòn pdf..pdf

Biodecodificaciòn pdf..pdf

Documents
Pdf ed165 pdf

Pdf ed165 pdf

Documents
Pdf ed166 pdf

Pdf ed166 pdf

Documents
Pdf ed176 pdf

Pdf ed176 pdf

Documents
scan0083.pdf scan0084 - Crescent Public Schools Care Plan.pdfscan0083.pdf scan0084.pdf scan0085.pdf scan0086.pdf scan0087.pdf scan0088.pdf scan0089.pdf How the length of the commute

scan0083.pdf scan0084 - Crescent Public Schools Care Plan.pdfscan0083.pdf scan0084.pdf scan0085.pdf scan0086.pdf scan0087.pdf scan0088.pdf scan0089.pdf How the length of the commute

Documents
Pdf pdf pdf

Pdf pdf pdf

Documents
PDF in Theorie und Praxis - qucosa.de · Inhalt Quellen Was ist PDF? PDF-Struktur PDF erstellen PDF analysieren PDF bearbeiten PDF drucken und Troubleshooting Rechtliches Spezialthemen

PDF in Theorie und Praxis - qucosa.de · Inhalt Quellen Was ist PDF? PDF-Struktur PDF erstellen PDF analysieren PDF bearbeiten PDF drucken und Troubleshooting Rechtliches Spezialthemen

Documents
DA20_100_AFM_inc_Rev5.pdf DA20_100_AFM_inc_Rev5.pdf DA20_100_AFM_inc_Rev5.pdf DA20_100_AFM_inc_Rev5.pdf DA20_100_AFM_inc_Rev5.pdf DA20_100_AFM_inc_Rev5.pdf DA20_100_AFM_inc_Rev5.pdf

DA20_100_AFM_inc_Rev5.pdf DA20_100_AFM_inc_Rev5.pdf DA20_100_AFM_inc_Rev5.pdf DA20_100_AFM_inc_Rev5.pdf DA20_100_AFM_inc_Rev5.pdf DA20_100_AFM_inc_Rev5.pdf DA20_100_AFM_inc_Rev5.pdf

Documents
book1487.pdf pdf

book1487.pdf pdf

Documents
Pdf ed168 pdf

Pdf ed168 pdf

Documents
Pdf ed167 pdf

Pdf ed167 pdf

Documents
H20youryou[2] · 2020. 9. 1. · 65 pdf pdf xml xsd jpgis pdf ( ) pdf ( ) txt pdf jmp2.0 pdf xml xsd jpgis pdf ( ) pdf pdf ( ) pdf ( ) txt pdf pdf jmp2.0 jmp2.0 pdf xml xsd

H20youryou[2] · 2020. 9. 1. · 65 pdf pdf xml xsd jpgis pdf ( ) pdf ( ) txt pdf jmp2.0 pdf xml xsd jpgis pdf ( ) pdf pdf ( ) pdf ( ) txt pdf pdf jmp2.0 jmp2.0 pdf xml xsd

Documents