This section describes the MDM integration process:
1. The user associates a device with an SSID.
2. (Optional) If the device is not registered, the user goes through the device on-boarding flow.
3. Cisco ISE makes an API call to the MDM server.
4. This API call returns a list of devices for this user and the posture status for the devices.
5. If the user's device is not in this list, it means the device is not registered. Cisco ISE sends an authorization request to the NAD to redirect to Cisco ISE. The user is presented with the MDM server page.
6. Cisco ISE uses MDM to provision the device and presents an appropriate page for the user to register the device.
7. The user registers the device in the MDM server, and the MDM server redirects the request to Cisco ISE (through automatic redirection or manual browser refresh).
8. Cisco ISE queries the MDM server again for the posture status.
9. If the user's device is not compliant with the posture (compliance) policies configured on the MDM server, the user is notified that the device is out of compliance and must be compliant.
10. After the user's device becomes compliant, the MDM server updates the device state in its internal tables.
11. If the user refreshes the browser now, control is transferred back to Cisco ISE.
12. Cisco ISE polls the MDM server once every four hours to get compliance information and issues Change of Authorization (CoA) appropriately.
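The decision logic in steps 4 through 12 can be modeled as follows. This is an added example, not Cisco ISE code or its MDM API: the MdmDevice record, the state names, and the decide and poll functions are hypothetical, and the MAC addresses are constructed sample data.

```python
from dataclasses import dataclass

POLL_INTERVAL_S = 4 * 60 * 60  # step 12: one poll of the MDM server every four hours

@dataclass
class MdmDevice:
    """Hypothetical shape of one entry in the MDM server's reply (step 4)."""
    mac: str
    compliant: bool

def decide(mac, mdm_devices):
    """Map the MDM reply to an access decision for one endpoint (steps 5 to 11)."""
    by_mac = {d.mac.lower(): d for d in mdm_devices}
    dev = by_mac.get(mac.lower())
    if dev is None:
        return "REDIRECT_REGISTER"    # step 5: absent from the list means unregistered
    if not dev.compliant:
        return "NOTIFY_NONCOMPLIANT"  # step 9: registered but out of compliance
    return "PERMIT"                   # steps 10 and 11: registered and compliant

def poll(sessions, mdm_devices):
    """Step 12: re-evaluate every active session against a fresh MDM reply.

    sessions maps a lowercase MAC to its current decision. Returns the
    (mac, old, new) changes that would each need a CoA, and updates sessions.
    """
    changes = []
    for mac, old in list(sessions.items()):
        new = decide(mac, mdm_devices)
        if new != old:
            changes.append((mac, old, new))
            sessions[mac] = new
    return changes

if __name__ == "__main__":
    # Constructed sample: both endpoints were permitted at the previous poll;
    # since then the second one has fallen out of compliance on the MDM server.
    reply = [MdmDevice("AA:BB:CC:00:00:01", True),
             MdmDevice("AA:BB:CC:00:00:02", False)]
    active = {"aa:bb:cc:00:00:01": "PERMIT", "aa:bb:cc:00:00:02": "PERMIT"}
    for mac, old, new in poll(active, reply):
        print(f"CoA for {mac}: {old} -> {new}")
    print(decide("aa:bb:cc:00:00:03", reply))  # endpoint unknown to the MDM server
```

In this model a session's decision changes only when poll runs, so a change made on the MDM server takes effect at the next poll.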
Setting Up MDM Servers with Cisco ISE
To set up MDM servers with Cisco ISE, you must perform the following tasks: