We’re thrilled to announce the limited availability of Cisco Identity Services Engine (ISE) v3.1+ and Workspace ONE Unified Endpoint Management (UEM) integration with the Workspace ONE UEM 2402 release. This integration ensures that your end user’s devices can safely and securely connect and access network resources, even when their MAC addresses are randomized, or in scenarios where they are connected through multiple network interfaces, dongles, or docking stations.
A bit of history on Workspace ONE UEM and Cisco ISE integration
For a significant part of the past decade, Workspace ONE UEM (formerly AirWatch) and Cisco ISE have integrated to enhance network security for organizations. By combining Workspace ONE UEM’s robust unified endpoint management capabilities, which ensure data and device integrity, with Cisco ISE’s advanced network access control features, organizations can establish a cohesive security framework that ensures compliance and effectively mitigates security risks. By leveraging Workspace ONE UEM’s device management insights, Cisco ISE can dynamically enforce access policies based on information such as device compliance status. This strengthens the organization’s security posture and helps safeguard against unauthorized access attempts.
Prior to version 3.1, Cisco ISE software leveraged MAC addresses to uniquely identify devices within Workspace ONE UEM and query compliance information.
Depending on the compliance status, Cisco ISE can then either permit the device to access the network or prompt the user to register the device with Cisco ISE and enroll it in Workspace ONE UEM. Conversely, if a device violates an active compliance policy, access to the network is promptly restricted, and the end user is directed to remediate the compliance issues.
The challenge with the rise of MAC address randomization
For years now, major operating systems like iOS 8+ and Android 8+ have integrated some form of media access control (MAC) address randomization. This was aimed at strengthening user privacy by preventing attempts to track devices using their genuine MAC address. Initially, these operating systems only randomized MAC addresses during Wi-Fi network scans but maintained the use of a static, genuine MAC address when actually connecting to networks.
However, this shifted with the introduction of Android 10 by Google in late 2019. This update made MAC address randomization the default behavior even during network connections. Following suit, iOS devices with the release of iOS 14 not only began employing randomized MAC addresses by default for connecting to networks but also introduced a “Private MAC Address” feature. This feature rotates MAC addresses every 24 hours post network connection, further enhancing user privacy. Similarly, Windows 10 by Microsoft incorporated MAC address randomization, extending these privacy benefits to Windows users.
While MAC address randomization offered substantial privacy advantages, it posed challenges for integrations reliant on consistent MAC address for device identification. This is particularly evident in scenarios involving Cisco ISE and Workspace ONE UEM, where devices may present different MAC addresses based on the SSID used, the network connection type (wired, wireless, or VPN), or when connected through dongles or docking stations. Consequently, when Cisco ISE communicates with Workspace ONE UEM using MAC address, Workspace ONE UEM may fail to see the MAC address as belonging to any valid device. This can result in the device not being able to authenticate or gain access to network resources.
Introducing enhanced integration: Harnessing the power of GUIDs
To overcome the challenges posed by MAC address dependencies stated above, Cisco ISE and Workspace ONE UEM will now leverage globally unique identifiers (GUIDs) for unique device identification. Unlike MAC addresses, which can vary, GUIDs offer a stable and consistent means of device identification across various networks and SSIDs.
When a device enrolls in Workspace ONE UEM, an administrator can configure a certificate containing the device UUID, which serves as the Workspace ONE UEM-generated GUID value, to be delivered to the device. This certificate, with the GUID, when utilized by the device for authentication into the network, can be used by Cisco ISE to look up the device uniquely within Workspace ONE UEM. All communications between Cisco ISE and Workspace ONE UEM are seamlessly streamlined through the utilization of GUIDs.
Want to learn more?
To delve deeper into implementing this enhancement and unlocking the full potential of your network security infrastructure, refer to our detailed Tech Zone article “Integrating Workspace ONE UEM and Cisco ISE v3.1 and Beyond.”
Don’t let MAC address randomization disrupt your end user’s access to the network. Enhance your network security and management efficiency now with the advanced integration of Cisco ISE and Workspace ONE UEM. Get in touch with your account manager to enable this feature.