Field Notice: FN72427 - Identity Services Engine: End of Support for UDID-Based Queries for Microsoft Intune MDM Integrations - Software Upgrade Recommended

Available Languages

Updated:December 6, 2023

Document ID:FN72427

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Products Affected

Affected Software Product	Affected Release	Affected Release Number	Comments
Identity Services Engine System Software	2	2.0, 2.0.1, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.6.0, 2.7.0	For ISE versions 2.0, 2.1, 2.2, 2.3 , 2.4, 2.6, and 2.7 – all patch versions
Identity Services Engine System Software	3	3.0.0, 3.1.0, 3.2.0, 3.3.0	For ISE 3.0 – all patch versions For ISE 3.1 - Patch 7 and earlier For ISE 3.2 - Patch 3 and earlier For ISE 3.3 - unpatched version only

Defect Information

Defect ID	Headline
CSCwc36589	ISE Intune MDM integration may disrupt due to End of Support for MAC Address-Based APIs from Intune

Problem Description

Across all affected releases, Cisco Identity Services Engine (ISE) uses the Microsoft network access control (NAC) API for Microsoft Intune Mobile Device Management (MDM) / Unified Endpoint Management (UEM) integration. Microsoft will deprecate the NAC API on March 31, 2024 (deprecation date was postponed from December 31, 2023).

This will impact Cisco ISE customers using Microsoft Intune for MDM for wired, wireless, and VPN deployment scenarios in the following ways:

Cisco ISE releases 3.0 and earlier will no longer be able to obtain registration or compliance information from the Microsoft Intune MDM integration.
Cisco ISE releases 3.1 and later will no longer be able to obtain registration or compliance information from Microsoft Intune using Unique Device Identifier (UDID)-based queries used in VPN and in some Wi-Fi deployments.

For further information, refer to New Microsoft Intune service for NAC.

Background

Microsoft will deprecate the Intune NAC service API on March 31, 2024. This API supports the method for Cisco ISE to determine corporate asset ownership or registration and retrieve endpoint security compliance using MAC address and UDID-based queries. Once deprecated, all queries from Cisco ISE to Intune will need to utilize the Microsoft Compliance Retrieval API. Microsoft’s Compliance Retrieval API supports Global Unique Identifier (GUID) as the unique identifier and, as of July 31, 2023, also supports MAC address-based queries.

In Cisco ISE releases earlier than Release 3.1, the integration between Cisco ISE and Intune was done with the Cisco ISE MDM APIv2 using the Intune NAC service, which used the MAC address or UDID (in the case of VPN flows where the MAC address was not available) of the endpoint as the means of endpoint identification. Cisco ISE Release 3.1 introduced MDM APIv3, which also supports the use of a GUID for endpoint identification. Microsoft Intune supports MDM APIv3 with their Compliance Retrieval API.

Microsoft and Cisco strongly recommend the use of Cisco ISE Release 3.1 or later together with GUID embedded in the certificate. As some operating system vendors begin to limit the ability of applications to access MAC addresses due to privacy concerns, it becomes more of a challenge for MDM vendors to collect and rely on MAC addresses. As a result, although MAC address-based queries are supported by Microsoft’s Compliance Retrieval API, due to limitations imposed by the operating system vendors with later versions of operating systems, there will likely be more endpoints without MAC addresses known to the MDM. And, for wired and wireless-based endpoints, if the MAC address is not known to Intune, then no valid response will be received by Cisco ISE.

This limitation is also seen for VPN-based endpoints where the MAC address is discovered by the VPN client and not passed on to Cisco ISE. For these endpoints, it will not be possible to check their registration or compliance status with Intune after the deprecation of the NAC Service API.

Problem Symptom

Once Microsoft deprecates the NAC service API, Cisco ISE API queries to Intune will fail, and Intune-managed endpoints will appear as not-registered. Cisco ISE will also trigger an alarm indicating that the Intune API is unreachable.

Workaround/Solution

For Wi-Fi scenarios, complete the following steps to continue the use of the Microsoft Intune MDM integration:

Upgrade Cisco ISE to Release 3.1 or later.
Configure the use of MDM APIv3 Microsoft Intune integration. This includes the deployment of GUID-embedded certificates to all Intune-registered wired and wireless connected endpoints and confirmation that those certificates are used for network authentication. For more information, see the Integrate MDM and UEM Servers with Cisco ISE Configuration Guide.

For VPN scenarios or for Wi-Fi scenarios where authentication does not use GUID-embedded certificates, upgrade to any of the following Cisco ISE release patches:

ISE 3.2 P4
ISE 3.1 P8
ISE 3.3 P1 (estimated release date: first half of Dec 2023)

Microsoft’s Compliance Retrieval API does not currently support “Ethernet MAC” for MAC Address-based APIs. This will affect Cisco ISE customers using Microsoft Intune for MDM for wired infrastructure. This limitation will be addressed by Microsoft in January 2024. For wired infrastructure scenarios, it is strongly recommended to migrate to GUID-embedded certificates before upgrading to Cisco ISE 3.1 P8, 3.2 P4, or ISE 3.3 P1.

There is no plan to backport the fixes to Cisco ISE releases 3.0 and earlier.

Revision History

Version	Description	Section	Date
2.1	Updated the Workaround/Solution section.	Workaround/Solution	2023-DEC-06
2.0	Updated the Problem Description, Background, Problem Symptoms, and Workaround/Solution.	Problem Description, Background, Problem Symptoms, Workaround/Solution	2023-NOV-07
1.3	Updated Background and Workaround/Solution sections	—	2023-SEP-01
1.2	Updated the Title, Problem Description, Background, Problem Symptom, and Workaround/Solution Sections	—	2022-NOV-09
1.1	Updated the Background Section	—	2022-JUL-29
1.0	Initial Release	—	2022-JUL-13

For More Information

For further assistance or for more information about this field notice, contact the Cisco Technical Assistance Center (TAC) using one of the following methods:

Receive Email Notification About New Field Notices

To receive email updates about Field Notices (reliability and safety issues), Security Advisories (network security issues), and end-of-life announcements for specific Cisco products, set up a profile in My Notifications

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)

This Document Applies to These Products

Identity Services Engine Software