The Scenario in Brief
Three types of devices can exist on our wireless networks:
- AD joined, corporate owned (Windows PC/Laptop/Surface)
- Non-AD Joined, corporate owned (iPad/Chromebook and their flavors)
- Non-Corporate Owned, non-AD Joined (BYOD)
The third device (BYOD) will always exist only on a Guest network managed by PRIME and never talk with ISE other than to be denied.
The first device (Windows AD) will be domain joined and have Group Policy applying wi-fi configurations based on Device and user.
The second device type is easy enough to manage with MDM solutions and Google's own For Work admin center.
My Question
We are deploying over 2000 units of the second type (iPad and Chromebook) and have a hiccup in our deployment routine to date. We have been running an MDM export of the MACs and importing them into ISE, but this feels clunky and very manual. Our current setup has an Identity Endpoint Group static assignment for these devices. The process of attaching the device to a less-secure, internet-only access point and then waiting for network support to export/import the MACs slows things down - especially when the export misses a few units (because why not in the networking world, right?).
I'm getting mixed information from some documentation and user experiences around onboarding, BYOD, Identity Group assignments and policies, etc. I'm fine with "it can't be done, move along", and we are looking at certificates, but the VAR who set ISE up was never scoped for certificates. We have the staff in house to set it up, just not the time. Is there anything we can do temporarily (to get through this summer) to expedite getting these devices authorized in ISE via a static group assignment automatically (or automagically)?
One of the ideas I was curious about is whether we can enable a policy that says devices connecting to SSID "xyz" with AD user "adm" get group assignment "devType2".
Any thoughts you may have are greatly appreciated.
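Since the manual export/import step is the bottleneck described above, here is an added example (not from the original post) that normalises an MDM MAC export, flags rows a human needs to check, and builds Cisco ISE ERS API "create endpoint" payloads with a static endpoint-group assignment. The MDM CSV is constructed sample data; the ISE host, credentials and endpoint-group UUID are placeholders you supply, and the ERS API must be enabled on the admin node.

```python
# Added example, not from the original post: turn an MDM MAC export into
# Cisco ISE ERS endpoint payloads (POST https://<ise>:9060/ers/config/endpoint).
# Host, credentials and the endpoint-group UUID are assumptions you must fill in.
import csv
import io
import re

# Constructed sample of a typical MDM export: mixed MAC formats, a blank
# value, a duplicate device and a malformed (11-digit) address.
MDM_EXPORT = """serial,name,wifi_mac
DMPX1,ipad-101,a4:83:e7:11:22:33
DMPX2,ipad-102,A4-83-E7-11-22-34
CHRM1,cb-201,a483e7112235
CHRM2,cb-202,
DMPX1,ipad-101,A483E7112233
BAD01,cb-203,a483e711223
"""

_HEX12 = re.compile(r"^[0-9A-F]{12}$")

def normalize_mac(raw: str) -> str:
    """Return ISE's AA:BB:CC:DD:EE:FF form, or '' if the value is not a MAC."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw or "").upper()  # drop :, -, ., spaces
    if not _HEX12.match(digits):
        return ""
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_mdm_export(text: str) -> tuple[list[tuple[str, str]], list[str]]:
    """Return deduplicated (mac, name) pairs plus serials of rejected rows."""
    good: dict[str, str] = {}
    rejected: list[str] = []
    for row in csv.DictReader(io.StringIO(text)):
        mac = normalize_mac(row.get("wifi_mac", ""))
        if not mac:
            rejected.append(row["serial"])  # missing/malformed: needs a human look
        else:
            good.setdefault(mac, row["name"])  # first occurrence wins on duplicates
    return list(good.items()), rejected

def ers_endpoint_body(mac: str, name: str, group_id: str) -> dict:
    """ERS 'create endpoint' payload pinned statically to one endpoint group."""
    return {"ERSEndPoint": {"name": name, "mac": mac,
                            "staticGroupAssignment": True, "groupId": group_id}}

def build_requests(text: str, group_id: str) -> tuple[list[dict], list[str]]:
    """One JSON body per unique endpoint, plus the serials that were rejected."""
    endpoints, rejected = parse_mdm_export(text)
    return [ers_endpoint_body(m, n, group_id) for m, n in endpoints], rejected
```

Post each body with basic auth and `Accept`/`Content-Type: application/json`; the rejected serials list is the set of units the export "missed", so they can be chased before anyone is sent back to the internet-only AP.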