Jamf Pro 10.42.0 or later supports Cisco Identity Services Engine (ISE) 3.3, which introduced the ability to use GUIDs instead of MAC addresses for computer and mobile device identification in Cisco ISE. Using GUIDs eliminates undesirable behaviors, such as misidentification of Apple devices caused by the private address being turned on (iOS) or spoofing of the MAC address. A single GUID is used to identify an individual device, whereas multiple MAC addresses could identify an individual device.
You can use advanced searches in Jamf Pro to determine computer and mobile device compliance.
To integrate Jamf Pro with Cisco ISE 3.3 and leverage GUIDs, your network must use certificate-based authentication. In addition, one of the Subject Alternative Name URI fields for your network certificate must have the following specific value: ID:JAMF:GUID:$MANAGEMENTID. The $MANAGEMENTID variable will be replaced by the Jamf Pro-assigned management ID for the computer or mobile device when the certificate is issued via a configuration profile. Jamf Pro supports issuing the network certificate with the SAN URI field using either the SCEP payload or the Certificate payload within a configuration profile.
If you are using Jamf Pro's Certificate payload for API-issued certificates, the PKI provider must be Active Directory Certificate Services (AD CS).
Venafi PKI integrations with Jamf Pro, which use the Jamf PKI Proxy, do not support the use of GUIDs at this time. However, you can continue to use MAC addresses for device identification with Venafi PKI integrations.
Cisco ISE 2.x continues to be supported by Jamf Pro 10.42.0 or later.
For more information, see the Integrate ISE 3.3 with JAMF as MDM Server documentation from Cisco.
This article is not intended as a comprehensive guide for integrating Jamf Pro with Cisco ISE 3.3. The examples provided may differ from your environment.