Cisco Systems MaaS360 Marine RADAR User Manual


 
Integrating Fiberlink MaaS360 with Cisco Identity Services Engine
Figure 8 Configure the MDM API on ISE
The polling interval specifies how often ISE will query the MDM for changes to device posture. Polling
can be disabled by setting the value to 0 minutes. Polling can be used to periodically check the MDM
compliance posture of an end station. If the device is found to be out of MDM compliance and the device
is associated to the network, then ISE will issue a Change of Authorization (CoA), forcing the device to
re-authenticate. Likely the device will need to remediate with the MDM, although this will depend on
how the ISE policy is configured. Note that MDM compliance requirements are configured on the MDM
and are independent of the policy configured on ISE. It is possible, although not practical, to set the
polling interval even if the ISE policy does not consider the MDM_Compliant dictionary attribute.
The advantage of polling is that if a user takes the device out of MDM compliance, they will be forced
to reauthorize that device. The shorter the window, the quicker ISE will discover the condition. There
are some considerations to be aware of before setting this value. The MDM compliance posture could
include a wide range of conditions not specific to network access. For example, the device administrator
may want to know when an employee on a corporate device has exceeded 80% of the data plan to avoid
any over usage charges. In this case, blocking network access based solely on this attribute would
aggravate the MDM compliance condition and run counter to the device administrator’s intentions. In
addition, the CoA will interrupt the user Wi-Fi session, possibly terminating real-time applications such
as VoIP calls.
The polling interval is a global setting and cannot be set for specific users or asset classes. The
recommendation is to leave the polling interval at 0 until a full understanding of the MDM’s
configuration is complete. If the polling interval is set, then it should match the device check-in period
defined on the MDM. For example, if the MDM is configured such that devices will report their status
every four hours, then ISE should be set to the same value and not less than half this value. Oversampling
the device posture will create unnecessary loads on the MDM server and reduced battery life on the
mobile devices. There are other considerations with respect to scan intervals. Changing MDM timers
should be done only after consulting with Fiberlink MaaS360 best practices.
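
The following is an added example, not part of the Cisco or Fiberlink documentation: a small pre-deployment model of the polling behavior described above, which checks a proposed interval against the MDM check-in period and previews which devices a poll would hit with a CoA. The record fields, rule names and sample inventory are constructed assumptions, not an ISE or MaaS360 export format.

```python
from dataclasses import dataclass

@dataclass
class Device:                      # hypothetical record, fields are assumptions
    mac: str
    mdm_compliant: bool
    failed_rules: tuple            # MDM rules the device currently violates
    on_network: bool               # device is associated to the network
    realtime_app: bool = False     # e.g. a VoIP call in progress

# Rules the administrator treats as unrelated to network access (assumed names).
NON_NETWORK_RULES = {"data_plan_over_80pct"}

def check_interval(poll_min, checkin_min):
    """Compare the ISE polling interval with the MDM device check-in period."""
    if poll_min == 0:
        return ["polling disabled"]
    if poll_min < checkin_min / 2:
        return ["oversampling: interval is less than half the MDM check-in period"]
    if poll_min != checkin_min:
        return ["interval does not match the MDM check-in period"]
    return []

def coa_preview(devices):
    """List the devices a poll would force to re-authenticate, with side effects."""
    hits = []
    for d in devices:
        # A CoA is issued only for non-compliant devices associated to the network.
        if d.mdm_compliant or not d.on_network:
            continue
        hits.append({
            "mac": d.mac,
            # True when every failed rule is unrelated to network access.
            "only_non_network_rules": set(d.failed_rules) <= NON_NETWORK_RULES,
            "interrupts_realtime": d.realtime_app,
        })
    return hits

# Constructed sample inventory for illustration only.
SAMPLE = [
    Device("00:00:5E:00:53:01", True, (), True),
    Device("00:00:5E:00:53:02", False, ("data_plan_over_80pct",), True, True),
    Device("00:00:5E:00:53:03", False, ("passcode_missing",), True),
    Device("00:00:5E:00:53:04", False, ("passcode_missing",), False),
]

if __name__ == "__main__":
    print(check_interval(60, 240))     # MDM check-in every four hours
    for hit in coa_preview(SAMPLE):
        print(hit)
```

Devices flagged with only_non_network_rules are the cases where a CoA would work against the administrator's intent, so they are worth reviewing before moving the interval off 0.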