SM: Cisco ISE 3.1+ device tracking via EAP-TLS Wi-Fi certs & macOS 13+ System Preferences update

Relying on a device's Wi-Fi MAC address for device tracking has become difficult on modern mobile platforms, because MAC randomization, a privacy feature, can change the MAC address a device exposes on the network.

The good news: administrators can now use Systems Manager to install certificates on enrolled devices, which Cisco ISE uses to identify and accurately track those devices during 802.1X EAP authentication. ISE can use this certificate to track the device and review its security policy posture within Systems Manager.

 

To begin setting this up: the Systems Manager > Configure > General page has a new UI element that helps administrators properly configure the EAP-TLS Wi-Fi profile and certificate with the subject names and subject alternative names for this EAP tracking via Cisco ISE. Cisco ISE then uses the Meraki API to validate the SM device's posture in MDM against SM security policies, and uses the result to decide on Cisco ISE policy rules. To learn more and get set up with this powerful security integration, please view the documentation here

 


 

Also, a bonus update for macOS! There's new support for macOS Ventura System Preferences, so administrators can enable only the System Preferences panes that they wish users to see. Find the profile payload called "macOS System Preferences" and use "Enabled System Settings" to add or remove any panes inside System Preferences for your SM-managed macOS devices.
