ISE profile / posture IOS device

Is there a way to profile or posture an IOS device as to whether or not it has been rooted?
Our corporate policy would like to say that if rooted, you get zero access.
Thanks
Scott

No - future MDM integration that Cisco is working on should be able to bring this type of information to ISE. Cisco have indicated MDM integration is coming in Q4 2012.
Sent from Cisco Technical Support iPad App

Similar Messages

  • Is it possible to enroll multiple profile in IOS device,

    I like to enroll multiple profile in IOS device to manage iPad, is it possible to enroll

    Oh, sorry, when you said you were using Mac Mail, I made an incorrect assumption. The mail program you're using on a computer has no bearing on this.
    Are you using a POP3 account? Or an IMAP account? They are fairly different. If you're using a POP3 account with no ability to set filters on the server, no there's not much you can do. If it's IMAP, are you sure your provider doesn't offer any web interface?
    Another option would be to set up another email account just for newsletters and so forth. That way, you could just look at that account when you wanted to see the newsletters, but your "regular" account would have a much less cluttered inbox.

  • ISE Profiling for Wireless Devices (WLC 5508) like Laptops and Mobile Devices

    Hi,
    We have integrated WLC 5508 to Cisco ISE 3315 with ios 1.1.1 and are using the Guest Sponsor portal for wireless guest users.
    We have created an open SSID in the WLC and redirect to the web login portal in the WLC for guest users. We have enabled all respective nodes in policy service for profiling and also configured SNMP in the WLC as well as in ISE.
    When a guest user is connected to the open SSID, it gets redirected to the web login page of the ISE portal, and when it logs in we are only able to see the username the guest user logged in with, but not the end device, in the monitoring log.
    Wireless end devices are not getting profiled. Can anyone tell me what configuration I need to do on the ISE or WLC side to profile end guest wireless devices like Android, iPhone and laptops?
    Thanks
    Pranav

    Hi Tarikh,
    I only want to identify the end devices for wireless guest users. I have configured MAB authentication and configured an authorization policy where I mention identity group any, condition as WLC web authentication, and authorization profile only guest, mentioning plain access for the same.
    Can you help me with how I can achieve profiling for wireless guest devices? I have configured all profiling probes and enabled SNMP on the WLC as well as on network devices.
    What else do I need to configure to achieve just identifying the device, nothing but profiling, which should be reflected in the authentication logs?
    Thanks
    Pranav

  • ISE 1.2 IOS device re-auth (device drops WiFi)

    My guest users use web-auth for authentication. An issue I've run into is that IOS devices drop WiFi during lock/sleep. This means if they were authenticated, then they will have to reconnect/reauthenticate to the SSID. I would like to find a way for these users to automatically reauthenticate (assuming they are still within their original session's timeout value). Think two hour meeting. Is there a way for me to set this up in ISE policy?
    Something like:
    IF user was authenticated within the session timeout value (6hrs)
    THEN automatically let them back on without having to re-authenticate
    Thanks.

    OK, I'm seeing a lot of "Correct Answer" type replies in another similar posting, but not a complete answer.  I have a similar issue, but only on a 2504 running 7.4.110.  I have two 5508s running 7.4.115, and they don't seem to have this issue, however I could be wrong.  Also, I'm running ISE 1.2, patch 2, soon to be patch 3 with the 5508s.  I do not yet have ISE working with the 2504, but that is coming.  We're not running Flex-Connect.
    My users are a mix of guest users via the ISE Sponsor Portal, and employees, who authenticate via Active Directory.  I am having problems putting the specifications into user-friendly terms.  If I have to add a Registration Portal, I need to be able to explain who would use it and under what situation(s).
    So, I guess what I'm looking for is what is the minimum OS I should be running on each platform to support ISE, WebAuth, and Apple & Android devices.
    I don't seem to have Security --> Local Policy on either of my builds, so I'm guessing that this was added in 7.5.  Given ISE 1.2, are there some minimal WLC builds I should be using?  Alternatively, is there ANY reason to NOT upgrade to 7.6?
    Tarik's link seems to include ISE 1.1.1, so I'm not sure how applicable it is to ISE 1.2.  I'm not opposed to using device registration for employee devices, but I do not believe I wish to do this for guest/sponsored devices.  I am not planning on a full BYOD rollout, so I do not wish to complicate things with an advanced license.  My understanding is that with AD integration, I probably don't need a MyDevices portal.
    In short, I'd like guest devices to have to auth at most once per day, and employees should be good until their AD credential expires.  Again, I thought I had this working on a pilot using WLC 5508s and 7.4.115, but this definitely is not working in WLC 2504 with 7.4.110.
    The only other thing I'd want is to be able to put the guest devices on one VLAN/SSID and the employee devices on another, but that's not as important at this time.

  • ISE profiling on Apple-Device, Apple-iPhone and Apple-iPad

    Hi,
    I have a question on ISE profiling, especially on Apple-Device.
    My testing environment: when I use an iPhone to connect, by default the result profiled me as Apple-Device.
    But when I try to get it more specific and mark the identity store as Apple-iPhone on the authorization rule, it fails somehow. It seems it cannot go deeper to analyze that it's an iPhone, instead of Apple-Device.
    The default Apple-iPhone profiler condition checks the hostname and user-agent. So when I try to use the Safari browser to get online, it won't bounce me to the Apple-iPhone profile somehow.
    Question:
    01. What should I do so that the profiler can analyze directly that it was the Apple-iPhone, or does anything need to be configured? Say, like an authorization rule?
    Thanks
    Noel

    Are you getting redirected to the web portal in ISE? That is the most common way the ISE can get the user agent of the browser in order to profile the device as the apple-iphone. Give that a try and then see if the user agent is learned; you should get a message to refresh your browser momentarily. Then CoA should trigger and the wireless controller should get the new authorization profile that you configured for your apple-iphone endpoints.
    Thanks
    Tarik Admani

  • Profile Manager - iOS device limit?

    Has anyone found any information from Apple (or elsewhere) on approximately how many iOS devices Profile Manager can support?

    I would try demoting your Open Directory server from Master to Standalone in the Server Admin app - there's an assistant in Server Admin > Open Directory > Settings > General > click the change button.
    Once it's demoted to a standalone, restart.
    From there, don't create an OD Master again - go to Profile Manager in Server.app and run through the wizard again.  In the process, it will create an OD Master for you.
    Hope that helps,
    Chris

  • IOS Device-Sensor and ISE profiling not working

    Hello,
    I configured IOS device-sensor on one 2960CG-8-TCL switch. IOS is 15.2(2)E.
    Switchconfig:
    device-sensor filter-list dhcp list dhcp-list
     option name host-name
    device-sensor filter-spec dhcp include list dhcp-list
    device-sensor accounting
    device-sensor notify all-changes
    Switch does DHCP-Snooping and "show device-sensor cache all" shows the DHCP name:
    Device: b2b5.2fff.sa43 on port GigabitEthernet0/1
    Proto Type:Name                       Len Value
    DHCP    12:host-name                   17 0C 0F 11 31 22 41 50 43 33 31 32 30 30 30 37 38
                                              38
    RADIUS probe on ISE is activated and TCPdump shows the accounting packets from the switch (see attachment).
    I configured a profiling rule to check for DHCP-Hostname with "contains". This rule does not work, however. The device is getting profiled with a MAC-OUI via RADIUS-probe but the DHCP-Profile is not working.
    Is this supposed to work?

    That is interesting. I haven't worked with the "Device Sensor" much so I am running out of ideas. I really thought the certainty level was going to fix your issue, as I have had issues similar to yours in the past where the certainty level of my custom rule was the same as a default one, so my custom rule was never hit. I thought this was the case with you since your device was hitting the parent policy of "HP-Device" but not moving any further. With that being said, I would still recommend keeping your custom conditions with higher certainty levels to avoid such situations.
    Couple of more things:
    1. What profiling probes do you have enabled?
    2. Have you tried retrieving the DHCP hostname via another sensor/method. For example, via the DHCP probe and ip-helper?
    3. Do you have the following commands entered on your switch:
    access-session template monitor
    no macro auto monitor
    device-sensor accounting
    device-sensor notify all-changes
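
Added example, not part of the original posts: a small Python decoder for the "show device-sensor cache all" rows quoted in the question, useful for checking exactly which bytes the switch holds for DHCP option 12 before comparing them with a profiling condition. It assumes the Value column carries the whole option (code byte, length byte, data), which is consistent with the quoted row; the function names are hypothetical.

```python
import re

# Constructed sample: the cache rows quoted in the question, including the
# hex byte that wrapped onto a second line.
SAMPLE = """\
Proto Type:Name                       Len Value
DHCP    12:host-name                   17 0C 0F 11 31 22 41 50 43 33 31 32 30 30 30 37 38
                                          38
"""

ROW = re.compile(r"^\s*(\w+)\s+(\d+):(\S+)\s+(\d+)\s+((?:[0-9A-Fa-f]{2}\s*)+)$")
CONT = re.compile(r"^\s+((?:[0-9A-Fa-f]{2}\s*)+)$")


def parse_cache(text):
    """Return one dict per TLV row, joining wrapped continuation lines."""
    entries = []
    for line in text.splitlines():
        row = ROW.match(line)
        if row:
            proto, code, name, length, hexes = row.groups()
            entries.append({"proto": proto, "type": int(code), "name": name,
                            "len": int(length),
                            "raw": bytes.fromhex("".join(hexes.split()))})
            continue
        cont = CONT.match(line)
        if cont and entries:
            entries[-1]["raw"] += bytes.fromhex("".join(cont.group(1).split()))
    return entries


def decode_option(entry):
    """Check the Len column and the embedded length byte, return the data."""
    raw = entry["raw"]
    if len(raw) != entry["len"]:
        raise ValueError("row has %d bytes, Len column says %d"
                         % (len(raw), entry["len"]))
    code, vlen, value = raw[0], raw[1], raw[2:]
    if code != entry["type"] or vlen != len(value):
        raise ValueError("option header does not match the row")
    return value


def render(value):
    """Show printable ASCII as-is and escape every other byte."""
    return "".join(chr(b) if 32 <= b < 127 else "\\x%02x" % b for b in value)


if __name__ == "__main__":
    for entry in parse_cache(SAMPLE):
        print(entry["name"], "=", render(decode_option(entry)))
```

Bytes that render as escapes or punctuation are part of the cached value as well, so they are worth noting when choosing the string for a "contains" condition.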

  • Cisco ISE trying to posture a device that should not be able to be postured

    Overview:
    Cisco ISE version 1.1.4. Windows PC will be postured using Web NAC agent. Mobile devices (Apple/Android) can't be postured and will be exempted from posturing. Mobile devices will be exempted using the condition EndPoints:PostureApplicable EQUALS No. This worked fine and mobile devices will be caught by this condition while Windows device will be caught by another that sends to posturing.
    Mobile device authorisation policy configured:
    Problem:
    A few days later, mobile devices don't seem to end up in the policy that has EndPoints:PostureApplicable EQUALS No. After having a look at monitoring, Cisco ISE classifies mobile devices as Posturable. The Posture Status that previously was "NotApplicable" now shows up as "Pending". See below.
    Troubleshooting:
    I tried a total of 4 different mobile devices: 2 Apple and 2 Android. All of them have the Posture Status of "Pending". Interestingly, after a few tries, both the Androids started working and have the PostureStatus of "NotApplicable"; no configuration changes were made. The 2 Apple devices still don't work and show up as "Pending".
    I have restarted ISE, the Access Point and the Apple device. I have also tried other Apple devices. All with the same problem.
    Have any of you guys experienced this before?

    Hi,
    I have also experienced the same issues as yourself and would recommend opening a TAC case. However, I have used the device registration web portal to redirect all previously detected mobile devices to accept the AUP and have them statically assigned to an endpoint group so they do not hit this scenario.
    I know it is a workaround but it's the only way I could get this to work and not affect devices that were one time detected as such.
    Tarik Admani
    *Please rate helpful posts*

  • ISE 1.3 IOS 8.1 Unsupported Browser Error in Device Registration Page

    I recently upgraded to ISE 1.3.  We are now getting unsupported browser errors in the device registration redirect page on iPad and iPhone IOS devices running 8.1.  We are running 7.6 as 8.0 was unstable with ISE1.2.1.  The device registration redirect page worked fine with these same devices in ISE 1.2.1.  Is there a workaround short of turning off registration?  The "mydevices" page seems to work, but does not populate the MAC addresses of the devices like the device registration page does.

    Are you using Safari or another browser? You need to use Safari as Chrome will show an error message like unsupported browser...
    I did the NSP with an iPad iOS 8.1.1 and ISE 1.3 and it worked fine...
    ISE 1.3 compatibility was just released today and says 8.0 is officially supported; does not mention 8.1:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/compatibility/ise_sdt.html
    Patrick

  • Do I need internet access on my iOS devices to enroll with Profile Manager?

    Hi, I'm trying to configure Profile Manager on a closed network. The Mac Server does have Internet access, but the network for the iOS devices can only have communication with the server, but not to the internet because of company policies. Is there a way around to make it work or do I need internet access on the iOS devices as well?
    I've made the enrollment process in another network with internet access for every device and everything works well, but on the other network (no internet for iOS devices) everything seems OK (from connection to the server, profile certification and stuff) but the devices can't send or receive anything else, like pushed configurations and device info. Ports and everything are OK. I even read that they need to be on an open network, so I know it all comes down to having internet access, but just wanted to ask if there's another way around? Suggestions?
    Thanks!

    You can share an internet connection with your XP-PC using a router (as I do with XP-old MAC's, connected via cable). You may look for more info at:
    http://homepage.mac.com/car1son/mylinksyssetup.html
    and
    http://homepage.mac.com/car1son/os9xnet_nfilesharing.html
    Did you ever use a MAC before? Have you got Airport at your PC? Which?
    Good luck

  • OS X Server 3 - Profile manager - I can't enroll any iOS devices

    OS X Server 3 - Profile manager - I can't enroll any iOS devices
    I have OS X Server setup on a Mac Mini and an Airport Extreme.
    Airport is 10.0.1.1 and server is 10.0.1.3.
    Server is setup to use DNS itself by server.mydomain.com
    Airport is setup to use the server as DNS and the server then routes DNS queries onward to the internet.
    Essentially anyone on my internal network thinks server.mydomain.com is the server itself. This is what I want.
    From the outside, anyone searching for server.mydomain.com gets some page on a free hosting site with "Server is not accessible from the internet".
    I also use a self-signed certificate to secure communications. It's valid.
    Now this configuration has worked for the past two years. Out of curiosity in Server 3.1.1 I decided to give Profile manager a shot. Set it up, no worries.
    Installed the Trust Profile first and then the Enroll profile. Done.
    I can enroll and wipe, lock any mac in my firm remotely. Everything works, except iOS devices.
    Any iOS device I try fails at "Installing profile". I tried friends' phones, my own iPad... every iPad in my firm. It fails consistently at the same step, with no error code whatsoever.
    Is there a checklist I need to go through? Do I need some kind of weird certificate setup?
    PS. Is it a problem if my devices are enrolled as development devices, and their UUID is in Apple's device list for beta software and iOS development?

    The Problem is your DNS is being pushed locally to the iOS Device from your Airport Extreme and the DNS on your Airport extreme is undoubtedly a public form of DNS that does not recognize your private server's ip address or HQDN, in Airport Utility point the DNS at your server and let your Server provide the public DNS mapping and allow your Router to provide your Server's DNS.  This should resolve your issue and allow you to enroll your iOS Devices by logging into the Profile Manager Web Portal from the iOS Device. 

  • Can an IOS device be enrolled through profile manager when the server is set as .private?  If so what steps?

    I have my server set as server.xxxxxx.private, and need to know if it is possible to enroll it using profile manager.  I assume this would have to be done when the IOS device is on the same network, and subsequently the DNS server would have to be added to the WiFi configuration.  When I do this it tells me that Safari can't open the page.  I manually installed the self signed certificate.

    Same issues here.
    Buggy as ****..
    Also after some time, the Profile Manager Pane doesn't even fill in Server.app.....stays at Loading...
    Nevertheless, the service itself works with the bug you outlined, plus enroll is impossible for me (check my post here: Can't enroll devices with Profile Manager - invalid key  )
    I hope all these get fixed in 10.7.1   !!!

  • Flash.profiler.showRedrawRegions not working on iOS device ?

    flash.profiler.showRedrawRegions(true);
    I added the code above in my project to try to see the redraw regions when debugging on an iOS device, but it seems that the runtime does not show the actual redraw regions but draws a fixed-size rectangle in the top left corner.

    Really old thread here, checking in.

  • Configuration Profile for Apple Devices with ISE

    Hi,
    Is there any possibility to put configuration profiles on Apple devices with the ISE? I need to disable the data roaming function in foreign countries for iPads.
    Best regards
    Felix

    Nice. Only trouble is there seem to be multiple entries for the same MAC address for the same resource ID.
    So when I try to get them as a substring I get multiple copies of the same MAC address.
    But it looks like this will work as a solution to this problem.
    So far I was doing it this way (and I am sure there is a clearer way to do it).
    SUBSTRING((SELECT ',' + CAST(t2.MACAddress0 AS VARCHAR(40))
                FROM (SELECT DISTINCT ResourceID, MACAddress0 FROM  v_GS_NETWORK_ADAPTER) t2
                WHERE t2.ResourceID = ResourceID
                ORDER BY t2.ResourceID, t2.MACAddress0
                FOR XML PATH ('')
            ), 2, 100) [MACAddresses]

  • Preparing an iOS device with Apple Configurator and Profiles

    Hi,
    I am using Apple Configurator 1.5 to prepare iPods with an updated iOS, backup and profile. Up until recently, I was able to install the updates and the backup, but the profile is not being sent to the device. I have to stop the "prepare" setup and manually add the profile to each device.

    I recommend posting in the iPhone or iPad for the Enterprise forums
