Security


NAC Wired - How to Check Intune Compliance State?

  • 1.  NAC Wired - How to Check Intune Compliance State?

    Posted Mar 20, 2026 04:56 AM

    Hi Team,

    We have a Wi-Fi deployment in which we check this value in our local Endpoints Repository before enforcement, and it works perfectly.

    Endpoint: Intune Compliance State EQUALS compliant → FULL ACCESS

    Now we are extending this to the wired network and have found an issue. In the Endpoints Repository, the search only works with the Wi-Fi MAC address. The ClearPass Extension does not pull the wired MAC address, so we cannot find the endpoint and check this value.

    Is there any other way to achieve this?

    Thanks in advance.

    EF



    -------------------------------------------


  • 2.  RE: NAC Wired - How to Check Intune Compliance State?
    Best Answer

    Posted Mar 20, 2026 06:44 AM

    The Intune extension can work in two ways. The first way is the cache-only way, where the extension replicates data from Intune to the Endpoints database. In that case all information must be connected to a MAC address, as the Endpoints database uses the MAC address as the primary key.

    The second way to utilize the Intune extension is to do online requests. With this method you configure an HTTP source to be able to send a query to the extension. In this scenario the authentication must be certificate-based and the certificate must contain the Intune ID in the SAN or common name of the certificate.

    Find the Intune integration guide on this link, where both methods are described:

    https://support.hpe.com/hpesc/public/docDisplay?docId=a00112290en_us



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: NAC Wired - How to Check Intune Compliance State?

    Posted Mar 20, 2026 06:58 AM

    Hi Jonas,

    Thanks for your quick response, but EAP-TLS is not an option at this point (too complex to explain here).

    But is there any way to check the local endpoints database using something other than the MAC address? 

    Best regards

    EF

    -------------------------------------------



  • 4.  RE: NAC Wired - How to Check Intune Compliance State?

    Posted Mar 20, 2026 08:36 AM

    You can write a custom query to search for any information in the Endpoints repository. But you will never get information from Intune with the Intune Extension into the Endpoints repository if you don't have the MAC address of the device. You will see the same issue with some Android devices: if they are registered in Intune as privately owned, the MAC address isn't available.

    What type of authentication do you have on the wireless network?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: NAC Wired - How to Check Intune Compliance State?

    Posted Mar 20, 2026 08:50 AM

    Hi Jonas

    The authentication method is EAP-PEAP (host credentials). I know this is not the best option today, but for the moment I cannot change it.

    I would like to use the hostname of the machine to search in the local endpoints database (the database created by the Intune Extension) in order to check the "Intune Compliance State".

    You mentioned a "custom query to search for any information in the Endpoints repository." Could you please share an example or any documentation that describes this?

    Thanks in advance.

    EF

    -------------------------------------------



  • 6.  RE: NAC Wired - How to Check Intune Compliance State?

    Posted Mar 20, 2026 09:39 AM

    With EAP-PEAP you have a different identity than the needed Intune ID so you will not be able to do an online request through the Intune extension for the device.

    As Intune doesn't send the MAC address of wired NICs, you will not get the information from Intune into the Endpoints repository, as the Endpoints repository requires every attribute to be written to a MAC address. The function you are hoping for is not possible to implement due to the limitations in Intune itself.

    As you are using EAP-PEAP you have an Active Directory, and maybe one way forward would be to store the Intune ID as an attribute on the computer object in AD. Let ClearPass read this attribute and use it to query Intune with the online method.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 7.  RE: NAC Wired - How to Check Intune Compliance State?

    Posted Mar 20, 2026 10:00 AM

    Hi Jonas,

    You mentioned that "Intune doesn't send the MAC address of wired NICs," so does that mean the issue is not that the Intune Extension fails to read the wired MAC address? Is this simply how Intune works?

    On the other hand, I don't understand why, if I have a local database in CPPM with all the attributes, the only way to check this is using "Endpoint Compliance State", where "Endpoint:" implies a MAC address lookup.

    EAP-PEAP sends the hostname, and I would like to use it to perform the lookup.

    What do you think about this?

    Best Regards

    EF

    -------------------------------------------



  • 8.  RE: NAC Wired - How to Check Intune Compliance State?

    Posted Mar 20, 2026 11:49 AM

    Yes, Intune doesn't send the wired NIC MAC address. I think if you check a computer in Intune you are not able to see the wired MAC address. It's by design.

    You only have the Intune information in the Endpoints repository bound to the wireless MAC address, not the wired MAC address. Thus you can't search for the wired MAC address and find the Intune information.

    If you would like to search for the hostname, I don't know how you should do this. So this is in deep water.
    But if you create a copy of the default [Endpoint Repository] source and edit the hostname query you may be able to achieve your goal.

    I have not seen anyone else try this and I don't know if it's possible to do.

    The Intune integration is intended to be utilized with the Intune ID and a certificate based authentication. Thus there may be limitations.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
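    A stand-alone illustration of the hostname lookup discussed in posts 7 and 8, added here and not taken from the thread, from ClearPass or from the Intune extension: it models the Intune cache as a MAC-keyed table (the Wi-Fi MAC is the only one Intune reports), derives the short hostname from the EAP-PEAP machine identity, and fails closed when the name is missing or maps to more than one cached record. All device records and MAC addresses are constructed sample data.

```python
from collections import defaultdict

# Constructed sample of an Intune-to-Endpoints cache: keyed by the Wi-Fi MAC
# (the only MAC Intune reports), carrying device name and compliance state.
ENDPOINTS_BY_MAC = {
    "aabbccdd0001": {"hostname": "LAPTOP-01", "compliance": "compliant"},
    "aabbccdd0002": {"hostname": "LAPTOP-02", "compliance": "noncompliant"},
    "aabbccdd0003": {"hostname": "LAPTOP-03", "compliance": "compliant"},
    # A second device with the same name: a hostname lookup cannot tell them apart.
    "aabbccdd0004": {"hostname": "LAPTOP-03", "compliance": "noncompliant"},
}


def hostname_from_peap_identity(identity):
    """Reduce an EAP-PEAP machine identity to a short upper-case hostname.

    Accepts forms such as 'host/laptop-01.corp.example', 'CORP\\LAPTOP-01$'
    and plain 'LAPTOP-01' (formats assumed for this example)."""
    name = identity.strip()
    if name.lower().startswith("host/"):
        name = name[len("host/"):]
    name = name.rsplit("\\", 1)[-1]      # drop a DOMAIN\ prefix
    name = name.rstrip("$")              # drop the machine-account suffix
    name = name.split(".", 1)[0]         # FQDN -> short name
    return name.upper()


def build_hostname_index(endpoints):
    """Secondary index: hostname -> list of MACs holding a record for it."""
    index = defaultdict(list)
    for mac, record in endpoints.items():
        index[record["hostname"].upper()].append(mac)
    return index


def compliance_by_hostname(identity, endpoints):
    """Return (decision, reason). FULL ACCESS only for exactly one cached
    record whose compliance state is 'compliant'; everything else is RESTRICTED."""
    hostname = hostname_from_peap_identity(identity)
    macs = build_hostname_index(endpoints).get(hostname, [])
    if not macs:
        return ("RESTRICTED", "no-record")          # wired-only or unknown device
    if len(macs) > 1:
        return ("RESTRICTED", "ambiguous-hostname")  # cannot attribute the state
    state = endpoints[macs[0]]["compliance"]
    return ("FULL ACCESS", state) if state == "compliant" else ("RESTRICTED", state)
```

    The ambiguity check matters because device names are not unique in Intune the way a MAC address is; treating a duplicate name as non-compliant keeps the wired policy no weaker than the MAC-based Wi-Fi rule.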



  • 9.  RE: NAC Wired - How to Check Intune Compliance State?

    Posted Mar 20, 2026 12:00 PM

    Hi Jonas,

    I understand that the Intune integration is designed to use Intune ID along with certificates. However, I'm having trouble understanding why, once the extension downloads devices and their attributes into a local database, it is still difficult to look up an endpoint by name.

    Thanks a lot for your explanations.

    Best Regards

    EF

    -------------------------------------------



  • 10.  RE: NAC Wired - How to Check Intune Compliance State?

    Posted Mar 22, 2026 06:01 PM

    Hi Jonas, worth noting that link is three years old and a bit out of date. I wish HPE would manage their documentation online better.

    Should be this one:
    https://arubanetworking.hpe.com/techdocs/NAC/clearpass/integrations/unified-endpoint-management/intune/

    -------------------------------------------



  • 11.  RE: NAC Wired - How to Check Intune Compliance State?

    Posted Mar 24, 2026 02:38 PM

    I second that 100%. Right now it's really difficult to consistently find Aruba documentation. It feels like you have to jump between multiple portals, TechDocs, support portal, community posts, and random PDFs just to piece things together. There isn't a single, reliable source of truth, which makes it harder than it should be to get clear, validated answers.

    -------------------------------------------