I noticed that version 6.0.0 of the Intune extension was released in May. The new v6 integration guide suggests using the Filter Query
"%{Certificate:Subject-CN}" in the ClearPass auth source config and
Subject name format "CN={{DeviceId}}" as well as Subject Alternative Name URI "IntuneDeviceId://{{DeviceId}}" within the machine certificates (see Appendix E of the guide).
Do you think that this is really needed? I haven't tested this yet, but my customer doesn't want to change the CN of the enrolled certificates. The customer plans to pull the DeviceID by using the Filter Query "%{Certificate:Subject-AltName-URI}".
Is there anyone here who can confirm that this should work with the new v6 Intune extension?
Thanks,
Andreas
Original Message:
Sent: May 09, 2022 02:06 PM
From: Nicholas Hickman
Subject: ClearPass Intune Integration
You are correct about using the {{DeviceID}} instead of {{AAD_Device_ID}}. The official plugin still fails with "undefined". We've written our own middleware to work around this until the plugin receives an update. The app is a simple Python Flask application using the Microsoft msal module.
Our solution in the end is:
- Set up the Intune certificate to insert {{DeviceId}} into the AltName-URL property.
- We pull the {{DeviceID}} from %{Certificate:Subject-AltName-URI} when devices connect.
- Send the request to http://<internal app server>/device/info/id/{{deviceId}}
- Look up with GraphAPI at https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{{deviceId}}
- Return formatted JSON to ClearPass to match what we had configured for the plugin.
------------------------------
Nicholas Hickman
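As an added illustration (not the middleware Nicholas describes, which is not posted in the thread), a dependency-free Python sketch of the input handling such a middleware needs: it extracts the Intune Device ID from either the CN form or the "IntuneDeviceId://{{DeviceId}}" SAN URI form discussed above, refuses anything that is not a GUID before the value is used to build a Graph URL, and answers the /device/info/id/<id> route with flat JSON. The Graph lookup is stubbed with a constructed table; the Flask routing and msal token handling are omitted.

```python
import re
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Intune device IDs are GUIDs. Rejecting anything else before it reaches the
# Graph URL keeps a crafted certificate field from steering the lookup path.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
SAN_SCHEME = "intunedeviceid"  # scheme of the SAN URI "IntuneDeviceId://{{DeviceId}}"
GRAPH_BASE = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/"

def extract_device_id(cert_value: str) -> Optional[str]:
    """Return the normalised Intune Device ID from a CN value or a SAN URI, else None."""
    value = cert_value.strip()
    if "://" in value:
        parts = urlsplit(value)          # urlsplit lower-cases the scheme for us
        if parts.scheme != SAN_SCHEME:
            return None
        value = parts.netloc or parts.path.lstrip("/")
    value = value.lower()
    return value if GUID_RE.match(value) else None

def graph_lookup_url(device_id: str) -> str:
    """Build the managedDevices URL for the Graph call; refuses non-GUID input."""
    if not GUID_RE.match(device_id):
        raise ValueError("device id is not a GUID")
    return GRAPH_BASE + device_id

# Constructed stand-in for Graph responses (a real app calls Graph with an msal token).
FAKE_GRAPH: Dict[str, Dict[str, str]] = {
    "bdb303f7-a377-4d1e-99c9-76517775aea3": {"deviceName": "android-01",
                                             "complianceState": "compliant"},
}

def handle_device_info(path: str) -> Tuple[int, dict]:
    """Emulate the /device/info/id/<deviceId> route that the ClearPass HTTP source calls.
    Returns (HTTP status, JSON body) in a flat shape that an attribute mapping can read."""
    prefix = "/device/info/id/"
    if not path.startswith(prefix):
        return 404, {"error": "not found"}
    device_id = extract_device_id(path[len(prefix):])
    if device_id is None:                  # covers the literal "undefined" seen in the logs
        return 400, {"error": "device id must be a GUID"}
    record = FAKE_GRAPH.get(device_id)
    if record is None:
        return 404, {"error": "no managed device", "intuneId": device_id}
    return 200, {"intuneId": device_id, "deviceName": record["deviceName"],
                 "complianceState": record["complianceState"],
                 "graphUrl": graph_lookup_url(device_id)}
```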
Original Message:
Sent: Apr 29, 2022 09:56 AM
From: Michael Holden
Subject: ClearPass Intune Integration
I don't think you can use the AAD ID, you have to use the Intune ID.
Pass the Intune Device ID with {{DeviceId}} in either the CN or the SANs.
You could also possibly use L={{DeviceId}} and update the lookup to use the Location on the certificate if you were already using the SAN fields and needed the AAD Device ID as the CN.
After talking with the folks at Atmosphere there should be some news in the near future, but in the meantime, changing to http://<IP>/device/info/id/ and using the Intune Device ID is the way, and not the AAD Device ID.
Original Message:
Sent: Apr 27, 2022 04:15 PM
From: Nicholas Hickman
Subject: ClearPass Intune Integration
I'm seeing the same issue on CPPM 6.9.7 and Intune 5.0.0.
We have HTTP Source pointing to http://172.17.0.2/device/info/id/ and passing the {{AAD_Device_ID}} via %{Certificate:Subject-CN}.
Intune extension fails to assign the parameter to :intuneId and shows "undefined".

So I set up a dummy http server to see what was being passed and it seems to be passing the ID correctly.

------------------------------
Nicholas Hickman
Original Message:
Sent: Feb 25, 2022 10:11 AM
From: James Whitehead
Subject: ClearPass Intune Integration
It's definitely the Intune ID. NOTE that this device doesn't sync to the Endpoint repo as it has no Wi-Fi MAC address in Intune.

------------------------------
James Whitehead
Original Message:
Sent: Feb 25, 2022 09:23 AM
From: Kestutis Virsilas
Subject: ClearPass Intune Integration
Try to double-check whether your Certificate CN really is the "Intune ID" attribute.
According to the Feature request description: "Subject name format: CN={{AAD_Device_ID}}", I think this will be the "Azure AD Device ID" value.
Each Intune device has both these attributes, "Intune ID" and "Intune Azure AD Device ID". Both attributes are in a similar format:

For Intune Extension to work, you have to use "Intune ID" as the variable. It will not work with the "Intune Azure AD Device ID" attribute.
------------------------------
Kestutis Virsilas
Original Message:
Sent: Feb 25, 2022 08:59 AM
From: James Whitehead
Subject: ClearPass Intune Integration
Yeah, I managed to work that out and I've got it set up so that the Intune HTTP Source base URL includes the additional /id/.
I'm trying to use the Certificate CN which, in my case, is the Intune ID, but it doesn't work. The extension logs show the Intune ID as undefined.
[datetime] [INFO] Intune - [/device/info/id/:intuneId] request received from ::ffff:172.17.0.1.
[datetime] [DEBUG] Intune - Request "GET '/endpoint'" took 90 ms.
[datetime] [WARN] Intune - No endpoint with the Intune ID undefined was found in ClearPass.
------------------------------
James Whitehead
Original Message:
Sent: Feb 25, 2022 07:59 AM
From: Kestutis Virsilas
Subject: ClearPass Intune Integration
Hi,
If you want to use the Intune ID instead of the MAC in your Intune HTTP Authentication source, you have to edit "Base URL" to "http://{extension IP}/device/info/id/" and in the filter use the appropriate variable, matching the "Intune ID" value (not the Azure ID value).
Example:

------------------------------
Kestutis Virsilas
Original Message:
Sent: Feb 24, 2022 10:45 AM
From: James Whitehead
Subject: ClearPass Intune Integration
I thought that too and tried it out.
[2022-02-24T15:39:37.396] [WARN] Intune - No endpoint with the MAC Address bdb303f7-a377-4d1e-99c9-76517775aea3 was found in ClearPass.
Will upvote the feature request.
------------------------------
James Whitehead
Original Message:
Sent: Feb 24, 2022 09:08 AM
From: Michael Holden
Subject: ClearPass Intune Integration
It would be nice if we could send the DeviceID from the certificate CN rather than the MAC address.
The extension looks up the device by the AzureID anyway, but references by MAC address.
Not sure if changing the filter query would work.
Upvote the Feature request, I've got plenty of use cases for this too.
https://innovate.arubanetworks.com/ideas/SEC-I-1781
Original Message:
Sent: Feb 23, 2022 01:07 PM
From: James Whitehead
Subject: ClearPass Intune Integration
Unless I'm mistaken this appears to be due to Intune not, since October, storing Android Wi-Fi MAC address details. I'm only seeing the issue on Android devices.
Sauce: https://docs.microsoft.com/en-us/mem/intune/remote-actions/device-inventory
NOTE: As of October 2021, Intune doesn't display Wi-Fi MAC addresses for newly enrolled personally-owned work profile devices and devices managed with device administrator running Android 9 and above.
The ClearPass Intune extension needs a MAC address of the Intune device so it can store the device's Intune details in the endpoint repo.
------------------------------
James Whitehead
Original Message:
Sent: Feb 19, 2022 11:38 AM
From: Michael Holden
Subject: ClearPass Intune Integration
Make sure MAC Randomization is disabled.
Also, we've had issues when the device was loaded into Intune from a different network adapter such as a wired docking station.
Original Message:
Sent: Feb 18, 2022 05:43 AM
From: James Whitehead
Subject: ClearPass Intune Integration
Hi All,
We're getting lots of the following messages in the Intune logs:
[WARN] Intune - The device "deviceName" (AzureDeviceID} does not have a MAC Address. Unable to process it.
The user's device appears in the endpoint repo but with no Intune details.
This doesn't occur for every user. Any ideas?
------------------------------
James Whitehead