We have the same simple need. No one at TAC seems to have a clue as to how to deal with mobile corporate assets. We have no intention of registering these through ISE either. Like you, we have a good MDM connection, and RESTful queries all respond with the device attributes that we want to use.
But ISE won't query the MDM correctly because the design is broken for corporate assets. The focus within the Cisco ISE group has been solely upon BYOD.
This is a simple fix I am sure. We just need to get it in front of the right people.
Thanks for your reply, glad you found a workaround. So, if I understand correctly, you distribute your certs to the mobile devices from MobileIron and have an authorization rule that checks the cert with a result rule that allows Internet access. Are you able to use any of the MDM attributes yet?
MDM:DeviceRegisterStatus EQUALS Registered AND MDM:MDMServerReachable EQUALS Reachable
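To make concrete what a condition like the one above actually matches on, here is a small evaluator for ISE-style attribute conditions, written as an added example and not code from the original thread or from Cisco ISE. It assumes a simplified grammar (`attribute OPERATOR value` atoms joined by `AND`/`OR`, no parentheses, with `EQUALS`, `NOT_EQUALS` and `CONTAINS` as the only operators) and three constructed device records; the MDM dictionary attribute `MDM:DeviceCompliantStatus` is used as an assumed extra attribute alongside the two named in the post. The point it shows is the failure mode the thread is about: an attribute that ISE never fetched from the MDM is absent, and an absent attribute never matches, so a corporate device that the MDM knows about still falls through the rule.

```python
"""Evaluate ISE-style MDM attribute conditions against a device record.

Added example: a simplified model of how an authorization rule condition
such as

    MDM:DeviceRegisterStatus EQUALS Registered AND MDM:MDMServerReachable EQUALS Reachable

is decided. Grammar (an assumption, narrower than ISE's real condition
builder): atoms of the form `attr OP value`, OP in {EQUALS, NOT_EQUALS,
CONTAINS}, combined with AND (binds tighter) and OR; no parentheses.
"""
import re

ATOM_RE = re.compile(r"^(\S+)\s+(EQUALS|NOT_EQUALS|CONTAINS)\s+(\S+)$")


def _eval_atom(atom: str, attrs: dict) -> bool:
    """Evaluate one `attr OP value` atom.

    An attribute that is not present in `attrs` (i.e. ISE never obtained it
    from the MDM) never matches, regardless of operator. This mirrors the
    behaviour the thread complains about: no lookup, no match.
    """
    m = ATOM_RE.match(atom.strip())
    if not m:
        raise ValueError(f"unparseable condition atom: {atom!r}")
    name, op, expected = m.groups()
    actual = attrs.get(name)
    if actual is None:
        return False
    if op == "EQUALS":
        return actual == expected
    if op == "NOT_EQUALS":
        return actual != expected
    return expected in actual  # CONTAINS


def evaluate(condition: str, attrs: dict) -> bool:
    """Evaluate a full condition: OR of AND-groups of atoms."""
    or_groups = re.split(r"\s+OR\s+", condition.strip())
    return any(
        all(_eval_atom(atom, attrs) for atom in re.split(r"\s+AND\s+", group))
        for group in or_groups
    )


# The rule condition quoted in the thread.
RULE = "MDM:DeviceRegisterStatus EQUALS Registered AND MDM:MDMServerReachable EQUALS Reachable"

# Constructed device records (not real MDM output). Each one is the
# attribute set ISE holds for the endpoint at authorization time.
DEVICES = {
    # BYOD phone: ISE queried the MDM and got a full answer.
    "byod-phone": {
        "MDM:DeviceRegisterStatus": "Registered",
        "MDM:DeviceCompliantStatus": "Compliant",  # assumed extra attribute
        "MDM:MDMServerReachable": "Reachable",
    },
    # Same device while the MDM server is down.
    "byod-phone-mdm-down": {
        "MDM:DeviceRegisterStatus": "Registered",
        "MDM:MDMServerReachable": "Unreachable",
    },
    # Corporate asset: ISE never issued the MDM lookup, so no MDM attributes
    # exist on the endpoint even though the MDM itself has the device.
    "corp-tablet": {},
}


def decide_all(rule: str = RULE, devices: dict = DEVICES) -> dict:
    """Return {device_name: rule_matched} for every constructed device."""
    return {name: evaluate(rule, attrs) for name, attrs in devices.items()}


if __name__ == "__main__":
    for name, matched in decide_all().items():
        print(f"{name:22s} -> {'match' if matched else 'no match'}")
```

Running it shows `byod-phone` matching and both `byod-phone-mdm-down` and `corp-tablet` failing: the first because `MDM:MDMServerReachable` is not `Reachable`, the second because the attributes were never populated at all. Any rule built on MDM attributes therefore needs a fallback (or a different identity source, such as the certificate check mentioned above) for endpoints ISE does not query.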