  • 1.  ClearPass Endpoints without Intune attributes

    Posted Jan 12, 2026 06:17 AM

    Hello,

    I have several endpoints in ClearPass without Intune attributes, while the devices are registered and available in Intune.

    I use the attribute "Intune AD Registered" to check if they are company managed devices.

    After this I do a Post update during the Enforcement to set a new attribute "Compliance" to true or false.

    But I have noticed that a number of devices don't have the Intune attributes available while they are present and correctly registered in Intune.

    At first, I thought it was due to my ClearPass services, because "authorization" was not enabled everywhere with "Microsoft Intune" as an additional authorization source. But now I've added this on all services, wireless and wired (802.1X and MAC auth). But still I keep a lot of devices in the Endpoint db with no Intune attributes.

    Also when I re-authenticate stations, the Intune attributes don't appear for those devices.

    I don't have errors in my Intune connector/extension logs, and most systems do have the Intune attributes available.

    Does anyone have similar issues?

    Thanks,

    Jan



    -------------------------------------------


  • 2.  RE: ClearPass Endpoints without Intune attributes

    Posted Jan 12, 2026 08:34 AM

    What type of devices do you have? Intune doesn't report MAC addresses for some devices. This includes wired interfaces on Windows and some Android devices. For Android devices the MAC address is only included in the Intune information for, if I remember correctly, company owned devices. Maybe something more must be assigned.

    So if you have one of the mentioned device types, Intune doesn't report a MAC address and thus the information can't be added to the Endpoints repository, as the Endpoints repository is built around the MAC address as a key.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: ClearPass Endpoints without Intune attributes

    Posted Jan 12, 2026 09:20 AM

    Hi Jonas,

    The mentioned endpoints are all Windows 11 stations and registered in Intune. When I check Intune, all details of the device are present, including the MAC address, which corresponds to the MAC address in the Endpoint db. But these ClearPass Endpoints have no Intune attributes at all, and I don't know why. I know that the MAC address is not the best reference for use with Intune, and in the end we will be using certificates with EAP-TEAP authentication, but for now I still have some ClearPass services built on MAC auth and I would like to use the fact that the Endpoints are registered in Intune and therefore company managed.

    Best Regards,

    Jan Pultrum

    -------------------------------------------



  • 4.  RE: ClearPass Endpoints without Intune attributes

    Posted Jan 12, 2026 09:29 AM

    I think I found the problem...

    The devices have a wired and a wireless MAC address registered in Intune, and the Intune attributes are available in the ClearPass db on the Wi-Fi NIC/MAC. This is probably the interface which was first used when profiling and authenticating on ClearPass.

    I probably have to set a ClearPass attribute manually to differentiate between company managed and unmanaged.

    Jan

    -------------------------------------------



  • 5.  RE: ClearPass Endpoints without Intune attributes
    Best Answer

    Posted Jan 12, 2026 10:56 AM

    For wireless you can utilize the MAC address of the wireless NIC to retrieve the Intune attributes from the Endpoints repository. As you have found, the information is populated for the wireless NIC. But it's not possible with the wired NIC. In the wired case you have to do certificate based authentication, and in the certificate have the Intune ID in the SAN field, as documented in the Intune integration documentation: https://support.hpe.com/hpesc/public/docDisplay?docId=a00112290en_us

    If you have marked the device as company owned in Intune, this information will be available with the Intune extension.

    Keep in mind that the Intune extension has two distinct ways of working:

    1. Cache method
      In this configuration the Intune extension downloads the Intune information and stores it in the Endpoint repository, based on the MAC address (but only if the MAC address is available from Intune, as described earlier).
      In this setup you can read the attributes as any other attributes in the Endpoints repository.
      With this method you only need to have the Intune extension installed on one server in the cluster.
    2. Online method
      In this case you create an external server connection, pointing to the Intune extension IP. This requires the extension to be installed with the same IP on each server in the cluster, normally within the 172.17.0.0/16 subnet.
      This method must be utilized if a wired Windows client should be authorized by Intune information, and the authentication must be certificate based (EAP-TLS or EAP-TEAP, with the Intune ID in the SAN field).



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
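The following Python script is an added illustration of the two lookup paths described in the answer above; it is not ClearPass, HPE or Intune code and was not posted in this thread. It models the cache method as a dictionary keyed by every MAC address Intune reports, and the online method as a lookup by Intune device ID taken from a certificate SAN. The device records, the field names (`wiFiMacAddress`, `ethernetMacAddress`, `ownerType`), the `IntuneDeviceId://` SAN prefix and the 12-hex-digit endpoint key form are all assumptions made for the example; the real SAN format is the one in the HPE integration guide linked above.

```python
import re
from typing import Optional

# Constructed sample of an Intune device export. Field names are an assumption
# loosely modelled on Microsoft Graph's managedDevice; IDs and MACs are made up.
INTUNE_DEVICES = [
    {"id": "d1b2c3d4-0000-4000-8000-000000000001", "deviceName": "LAPTOP-01",
     "operatingSystem": "Windows", "ownerType": "company",
     "wiFiMacAddress": "AA-BB-CC-00-00-01", "ethernetMacAddress": None},
    {"id": "d1b2c3d4-0000-4000-8000-000000000002", "deviceName": "PHONE-01",
     "operatingSystem": "Android", "ownerType": "personal",
     "wiFiMacAddress": None, "ethernetMacAddress": None},
    {"id": "d1b2c3d4-0000-4000-8000-000000000003", "deviceName": "PHONE-02",
     "operatingSystem": "Android", "ownerType": "company",
     "wiFiMacAddress": "AA-BB-CC-00-00-03", "ethernetMacAddress": None},
]

# Assumed SAN URI prefix carrying the Intune device ID (placeholder format).
SAN_PREFIX = "IntuneDeviceId://"


def normalize_mac(mac: str) -> str:
    """Reduce any MAC notation to 12 lowercase hex digits (assumed endpoint key form)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def intune_attributes(device: dict) -> dict:
    """The subset of Intune data an enforcement policy would read."""
    return {
        "Intune ID": device["id"],
        "Intune AD Registered": True,
        "Intune Owner Type": device["ownerType"],
        "Intune OS": device["operatingSystem"],
    }


def build_endpoint_cache(devices: list) -> tuple:
    """Cache method: store Intune data under every MAC Intune reports.
    A device for which Intune reports no MAC can never appear in the cache,
    and a NIC Intune does not know (wired port, docking station) gets no entry."""
    cache, unsyncable = {}, []
    for dev in devices:
        macs = [m for m in (dev.get("wiFiMacAddress"), dev.get("ethernetMacAddress")) if m]
        if not macs:
            unsyncable.append(dev["deviceName"])
            continue
        for mac in macs:
            cache[normalize_mac(mac)] = intune_attributes(dev)
    return cache, unsyncable


def lookup_online(devices: list, intune_id: str) -> Optional[dict]:
    """Online method: resolve by Intune device ID, independent of any MAC."""
    for dev in devices:
        if dev["id"] == intune_id:
            return intune_attributes(dev)
    return None


def intune_id_from_san(san_uri: Optional[str]) -> Optional[str]:
    """Extract the Intune device ID from the assumed SAN URI form."""
    if san_uri and san_uri.startswith(SAN_PREFIX):
        return san_uri[len(SAN_PREFIX):]
    return None


def authorize(cache: dict, devices: list, client_mac: str,
              san_uri: Optional[str] = None) -> dict:
    """Mimic the post-auth step from the thread: derive a Compliance attribute.
    MAC lookup first (works for the NIC Intune knows about), then the
    certificate SAN when the client authenticated with a certificate."""
    attrs = cache.get(normalize_mac(client_mac))
    source = "endpoint-cache"
    if attrs is None:
        intune_id = intune_id_from_san(san_uri)
        attrs = lookup_online(devices, intune_id) if intune_id else None
        source = "online" if attrs else "none"
    return {"Compliance": attrs is not None, "source": source, "attrs": attrs}


if __name__ == "__main__":
    cache, skipped = build_endpoint_cache(INTUNE_DEVICES)
    print("not cacheable (no MAC from Intune):", skipped)
    print("wireless NIC, MAC auth:", authorize(cache, INTUNE_DEVICES, "aa:bb:cc:00:00:01"))
    print("docking-station MAC, MAC auth:", authorize(cache, INTUNE_DEVICES, "aa:bb:cc:00:00:99"))
    print("docking-station MAC, EAP-TLS:", authorize(
        cache, INTUNE_DEVICES, "aa:bb:cc:00:00:99",
        SAN_PREFIX + "d1b2c3d4-0000-4000-8000-000000000001"))
```

Running it shows the three outcomes from the thread side by side: the wireless MAC resolves from the cache, the docking-station MAC that Intune never reported resolves only when the certificate SAN supplies the Intune ID, and the personal Android device with no MAC in Intune is never cached at all.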



  • 6.  RE: ClearPass Endpoints without Intune attributes

    Posted Jan 13, 2026 10:22 AM

    Hi Jonas,

    We have 6 ClearPass nodes (1 Publisher and 6 Subscribers), and I noticed that I only had installed the Intune extension on the first two installed nodes (Publisher and Subscriber).

    I found that the devices without the Intune attributes were all authenticated to the nodes without the Intune connector. Today I added the extension to all nodes; maybe this solves my problem :)

    Probably this setting in my Intune extension, "enableEndpointCache": true, determines the use of Cache or Online!

    What I don't understand is that my own device has the Intune attributes in the Endpoint db on all MAC addresses I was once connected with, including MACs for docking stations etc.

    The only safe way of identifying and authenticating Intune managed devices is by the use of certificates that's for sure!

    Kind regards,

    Jan

    -------------------------------------------



  • 7.  RE: ClearPass Endpoints without Intune attributes

    Posted Jan 14, 2026 02:43 AM

    This is why we use only the online method. The sync to the Endpoint database cannot be used because Android devices are not synced.

    -------------------------------------------